Skip to content

Common Report Queries🔗

The following advanced search queries yield results for commonly requested reports. You can create these queries using either Query Language or Builder.

Netflow events that identify SSH activity in outbound traffic but exclude a specific IP address (e.g. 10.0.0.121)

FROM netflow WHERE destination_port=22 AND direction='OUTBOUND' AND source_address != 10.0.0.121

Netflow events that identify SSH activity in outbound traffic from a specific IP address (e.g. 10.0.0.121)

FROM netflow WHERE destination_port=22 AND direction='OUTBOUND' AND destination_address = 10.0.0.121

Netflow and Auth events involving a specific IP address (e.g. 10.0.0.121)

FROM netflow, auth @ip='10.0.0.121'

Windows events where a user was added to a security-enabled global group (e.g. domain admins)

FROM auth WHERE (target_user_name CONTAINS 'domain admins' AND win_event_id = '4728')

All events, regardless of alert type, that contain a specific user ID (e.g. admin)

@user CONTAINS 'admin'

All command line events across multiple alert types that contain the creation of a scheduled task

@command CONTAINS 'SCHTASK /Create'

Process events where the command line includes scheduled tasks

FROM process WHERE commandline CONTAINS 'schtasks'

Process events that include 'whoami' or another specific value (e.g. ATOMIC)

FROM process WHERE original_data CONTAINS 'whoami' OR original_data CONTAINS 'ATOMIC'

Generic events from a specified sensor (e.g. Zeek)

FROM generic WHERE sensor_type = 'zeek'

Generic events from the past 2 hours

FROM generic WHERE original_data CONTAINS 'secureworks' EARLIEST =  -2h

Inspector and process events for specific data 'lsass' for the past 7 days

FROM inspector_process, process WHERE original_data CONTAINS 'lsass' EARLIEST = -7d

All DNS query events that do not contain specific data 'secureworks' and 'windows update'

FROM dnsquery WHERE query_name !CONTAINS 'secureworks' AND query_name !CONTAINS 'windowsupdate'

DNS query events matching '*.secureworks.com' sorted by the query_name in alphabetical order

FROM dnsquery where query_name MATCHES '*.secureworks.com' | sort query_name desc

Process events from Red Cloak™ Endpoint Agent and CrowdStrike

FROM process sensor_type IN ('ENDPOINT_REDCLOAK', 'ENDPOINT_CROWD_STRIKE')

Auth events where the source user name or target user name contains a specific value (e.g. admin)

FROM auth WHERE source_user_name CONTAINS 'admin' OR target_user_name CONTAINS 'admin'

Auth events where the source user name and target_user_name do not contain a specific value (e.g. admin)

FROM auth WHERE source_user_name !CONTAINS 'admin' AND target_user_name !CONTAINS 'admin'

Auth events where the source user name and target_user_name do not contain a specific value (e.g. admin), but the win_summary field has a value containing 'special'

FROM auth WHERE source_user_name !CONTAINS 'admin' AND target_user_name !CONTAINS 'admin' AND win_summary CONTAINS 'special'