Example Queries

This topic lists example queries based on the event type they can be used against.

To enter an example query in Legacy Log Search, select Advanced mode from the dropdown next to the query bar.

For additional example queries on Process Start activity view the Process Start Queries.

Active Directory Admin Activity

All failed authentication activity, grouped by destination_user

  • where(result AND result != SUCCESS) groupby(destination_user) calculate(count)
  • where(result ISTARTS-WITH "FAILED") groupby(destination_user) calculate(count)

All users who completed an admin action
groupby(source_user)

All admin actions
groupby(action)

All activity taken by a specific user

  • where(source_user="Arnold Holt")
    • Case-insensitive: where(source_user=NOCASE("arnold holt"))
  • where(source_user="Tina Gonzales (Admin)")
    • Case-insensitive: where(source_user=NOCASE("tina gonzales (admin)"))
  • where(source_user="rrn:uba:us:14f8eba8-46c8-474b-a982-29476e7a8bd8:user:JA5G9PI3PC9M")

All users with “admin” in their user name

  • where(source_user ICONTAINS admin)groupby(source_user)
  • where(source_user ICONTAINS admin)groupby(action)
    Note: These return case insensitive results.

All groups that a user was added to by someone with “admin” in their name
where(source_user ICONTAINS admin AND action=MEMBER_ADDED_TO_SECURITY_GROUP) groupby(group)

All users added to a particular group
where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group="vpn-users")groupby(target_user)

Accounts that added users to groups
where(action="MEMBER_ADDED_TO_SECURITY_GROUP")groupby(source_user)

Accounts (DN display) that had their privileges escalated, to what group, by whom, on what day/time
where(target_account NOT ICONTAINS "$" AND action=PRIVILEGE_ESCALATION)groupby(target_account, group, source_user, timestamp)

Group changes made to a certain group
where(action IN [MEMBER_ADDED_TO_SECURITY_GROUP, MEMBER_REMOVED_FROM_SECURITY_GROUP]AND group CONTAINS -job-admins)
Note: Replace /*.-job-admins/ with the appropriate group name

Admin account created by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4732 EVENT/ OR /\s636 EVENT/) groupby(host)

Accounts locked out by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4740 EVENT/ OR /\s644 EVENT/) groupby(host)

Audit Log cleared by Host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /1102 EVENT/ OR /\s517 EVENT/) groupby(host)

Audit Policy Changed (regex)
where(/4719 EVENT/ OR /\s612 EVENT/)

Active Directory Domain Activity

These queries only work with Microsoft Logs.

All Microsoft Event IDs for collected events (regex)

  • where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
  • where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

Advanced Malware Alert

All "MALICIOUS" Advanced Malware Alerts, grouped by assets that have 5 or more alerts
where(severity ICONTAINS "MALICIOUS")groupby(asset)having(count>=5)

Asset Authentication

All authentication types
groupby(logon_type)

All authentication results
groupby(result)

All failed authentication activity
where(result AND result != SUCCESS) groupby(destination_user) calculate(count)

All failed authentication activity
where(result starts-with "failed") groupby(destination_user) calculate(count)

All failed Logins by IP (regex)
where(/(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) groupby(ip) calculate(count)

All failed Non-Kerberos logins
where(service NOT IIN ["krbtgt", "kerberos"] AND result ISTARTS-WITH "failed") groupby(destination_account)

All Non-Kerberos logins by destination asset
where(service NOT IN [krbtgt, kerberos]AND result="FAILED_BAD_PASSWORD")groupby("destination_asset")

All accounts attempting to authenticate that failed
where(result ISTARTS-WITH "FAILED")groupby(destination_user)
Note: If no results are returned, try the destination_account key.

All invalid logins (regex)
where(/4625 EVENT/ OR /\s529 EVENT/)

All invalid logins by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4625 EVENT/ OR /\s529 EVENT/) groupby(host)

All Microsoft event IDs for collected events (regex)

  • where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
  • where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

Audit Logs

All investigation activity performed from within the InsightIDR Platform, grouped by action
where(access_method="web")groupby(action)

All analysts who have closed an investigation, grouped by their user name
where(action="INVESTIGATION_CLOSED")groupby(request.user.name)

Manually created investigations, grouped by alert name
where(service_info.investigation_type="MANUAL")groupby(service_info.investigation_name)limit(1000)
Note: This query will only return 1,000 alerts.

All instances where data has been added to an investigation, grouped by investigation type and the data types
where(action="INVESTIGATION_DATA_ADDED")groupby(service_info.investigation_type, service_info.data_type)

Cloud Service Activity

All Cloud Service Workloads and actions performed
groupby(source_json.Workload, action)

Top 10 users with the most Office365 activity
groupby(source_user)calculate(count)limit(10)

Cloud Service Admin Activity

Office365 guest account creations and who created them (regex)
where(action=CREATE_USER AND target_user=/.*\#EXT\#.*/i) groupby(source_user, target_user)

Office365 guest account areas of activity (regex)
where(source_user=/.*\#EXT\#.*/i)groupby(source_json.Workload)

Office365 guest account SharePoint actions (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=SharePoint)groupby(action)

Office365 guest account OneDrive files downloaded or accessed (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=OneDrive AND action=/FileDownloaded|FileAccessed/)groupby(action, source_json.SourceFileName)

Office365 guest account Team Sessions started (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=MicrosoftTeams AND action=/TeamsSessionStarted/i)groupby(source_user)

DNS Query

All websites visited by users outside of .com, .net, and .org domains
where(public_suffix AND public_suffix NOT IN [com, net, org])groupby(public_suffix)

All websites in Russia visited by users
where(public_suffix="ru")groupby(query)

All users who have accessed a website, and how many times (regex)
where(/facebook/ AND user!="unknown")calculate(count)

All users who have accessed Dropbox (regex)
where(/dropbox/ AND user!="unknown")groupby(user)

All users who have accessed Facebook (RegEx)
where(/facebook/ AND user!="unknown")groupby(user)

Endpoint Activity

All child Powershell process command lines that are not empty or only running a ps1 script
where(process.name=/powershell.exe/i AND process.cmd_line NOT IN ["null", /.*ps1.*/i])groupby(process.cmd_line)

All processes by file descriptions
groupby(process.exe_file.description)

All process reputations
groupby(process.hash_reputation.reputation)

All command lines showing the taskkill.exe process
where(process.name=NOCASE(taskkill.exe)) groupby(process.cmd_line)

All processes, hostnames, and users running programs for SSH and/or Telnet
where(process.exe_file.description icontains-any ["ssh", "telnet"]) groupby(process.name, hostname, process.username)

File Access Activity

All files accessed by a specific user
where(user="Pete Coors")groupby(file_name)

All users who accessed a specific file
where(file_name="audit.csv")groupby(user)

Top 20 known users accessing Safebrowsing
where(query="safebrowsing.google.com" AND user!="unknown")groupby(user)limit(20)

The following queries only work with Microsoft Logs.

All Microsoft event IDs for collected events (regex)

  • where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
  • where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

File Modification Activity

All log entries where any of the three File Integrity Monitoring events are logged
where(file_event="delete" OR "write" OR "modify") calculate(count)

Firewall Activity

All countries that users have downloaded data from
where(incoming_bytes>0 AND geoip_country_code NOT IN [US, IE, GB, DE, JP, CA, AU])groupby(geoip_country_code)
Note: The list of excluded countries should be modified as needed.

All firewall traffic from countries other than the United States
where(geoip_country_name!="United States")groupby(geoip_country_name)

A count of all firewall logs
calculate(count)
Note: This query is useful to see trends in the amount of logs collected.

Top 10 external systems (outside of the United States) receiving the most data
where(direction=OUTBOUND AND geoip_country_code!=US)groupby(destination_address)calculate(sum:outgoing_bytes)limit(10)

Top 10 internal systems receiving the most data
where(direction=INBOUND)groupby(destination_address)calculate(sum:incoming_bytes)limit(10)

All users accessing a particular destination
where(direction="OUTBOUND" AND destination_address="52.205.169.150")groupby(user)

All countries with a connection status of deny
where(connection_status="DENY") calculate(count)

All denied outbound traffic
where(direction="OUTBOUND" AND connection_status="DENY")calculate(count)

All used outbound ports except for 443, 80, and 53, grouped by destination_port
where(connection_status="ACCEPT" AND direction="OUTBOUND" AND destination_port NOT IN ["443", "80", "53"]) groupby(destination_port)

Top outbound destinations
where(direction=OUTBOUND)groupby(destination_address)calculate(sum:outgoing_bytes)

Top inbound destinations
where(direction=INBOUND)groupby(source_address)calculate(sum:incoming_bytes)

Allowlisted countries
where(geoip_country_name IN [Czechia, Russia, "Hong Kong"] AND connection_status = ACCEPT AND direction=INBOUND)groupby(geoip_country_name)

External firewall denials by subnet
where(connection_status = DENY AND source_address NOT IN [IP(10.0.0.0/8),IP(172.27.0.0/16),IP(169.254.0.0/16),IP(192.168.0.0/16),IP(172.16.0.0/16)])

All known users with a status of deny from an IP address not listed
where(user!="unknown" AND connection_status = DENY AND source_address NOT IN [IP(10.0.0.0/8), IP(172.27.0.0/16), IP(169.254.0.0/16), IP(192.168.0.0/16), IP(172.16.0.0/16)])

All invalid connection attempts from a country that isn't the United States
where(connection_status="DENY" AND geoip_country_name!="United States") groupby(geoip_country_name) calculate(count)

All inbound denies by country
where(connection_status=DENY AND direction=INBOUND AND geoip_country_name!="United States") groupby(geoip_country_name) calculate(count)

All data transmissions greater than 50,000,000 bytes to "Box.com"
where(direction="OUTBOUND" AND outgoing_bytes>50000000 AND geoip_organization="Box.com")

All Docker traffic (RAW) received in bytes
where(stats.networks.eth0.rx_bytes!=null) calculate(average:stats.networks.eth0.rx_bytes)

Host to IP Observations

All assets that have obtained more than 5 unique IP addresses
where(action="OBTAIN")groupby(asset)calculate(unique:ip)having(unique:ip>=5)

IDS Alert

Informational alerts by signature
where(severity="INFORMATIONAL")groupby(signature)limit(1000)
Note: This query will only return 1,000 alerts.

All informational alerts with SSH signatures (regex)
where(severity="INFORMATIONAL" AND signature=/.*ssh.*/i)groupby(signature)

All low severity alerts grouped by description
where(severity="LOW")groupby(description)

All alerts grouped by severity with unique signatures
groupby(severity)calculate(unique:signature)

All high severity alerts grouped by asset with unique signatures
where(severity="HIGH")groupby(asset)calculate(unique:signature)

All critical severity alerts grouped by asset with unique signatures
where(severity="CRITICAL")groupby(asset)calculate(unique:signature)

Ingress Authentication

All events where the user logged in from a specific country

  • where(geoip_country_name="United States")calculate(count)
  • where(geoip_country_name="United States")groupby(user)calculate(count)

All users accessing the network from a specific city
where(geoip_city="San Jose")groupby(user)

All users accessing the network from a list of cities (regex)
where(geoip_city=/Providence|Framingham|Dallas|Minneapolis|Appleton|Phoenix|Omaha|Melbourne|Tuzla|Leeds|Zurich|Singapore|Toronto/i)groupby(geoip_city)

All ingress from a certain country
where(geoip_country_name="Russia")

All users accessing the network from a specific service

  • where(service="box")groupby(user)
  • where(service="o365")groupby(user)

All users accessing the network from countries other than the United States
where(geoip_country_code!="US") groupby(geoip_country_name)

All countries with successful authentication outside those listed (regex)
where(geoip_country_name AND geoip_country_name!=/United States|Canada|Mexico/i AND result=SUCCESS)groupby(geoip_country_name)limit(100)

All accounts that have ingressed into the application as stipulated by the application's ID
where(source_json.ApplicationId="[insert application ID]")groupby(account)

All successful ingress authentications by a specific service, country, and user agent
where(result=SUCCESS)groupby(service, geoip_country_name, user_agent)

All weekly Ingress Authentications from the United States, All Services - Success
where(result=SUCCESS AND geoip_country_name=""United States"")calculate(count)timeslice(1h)

All weekly CONUS Ingress Authentications, All Services - Success (regex)
where(result=/failed.*/i AND geoip_country_name=""United States"")calculate(count)timeslice(1h)

All weekly CONUS Ingress Authentications, All Services - Failure
where(result=SUCCESS AND geoip_country_name!=""United States"")calculate(count)timeslice(1d)

All weekly CONUS Ingress Authentications, All Services - Failure (regex)
where(result=/failed.*/i AND geoip_country_name!=""United States"")calculate(count)timeslice(1d)

All apps being successfully signed into
where(source_json.operationName="Sign-in activity" AND result=SUCCESS)groupby(source_json.properties.appDisplayName)

All users who attempted to sign in but failed due to the account being disabled
where(source_json.operationName="Sign-in activity" AND result=FAILED_ACCOUNT_DISABLED)groupby(user)

All sign-in risk levels
where(source_json.properties.riskLevelDuringSignIn!=none)groupby("source_json.properties.riskLevelDuringSignIn")

Azure MFA Methods Used
groupby(source_json.properties.mfaDetail.authMethod)

Azure MFA Text Message Notifications
where(source_json.properties.mfaDetail.authMethod=/Text message/i)groupby(result

Azure Mobile app Verification Code Results
where(source_json.properties.mfaDetail.authMethod=/Mobile app verification code/i)groupby(result)

All failed Azure MFA phone calls grouped by result
where(source_json.properties.mfaDetail.authMethod=/Phone call \(Authentication phone\)/i)groupby(result)

All Azure MFA OATH verification codes grouped by result
where(source_json.properties.mfaDetail.authMethod="OATH verification code")groupby(result)

Network Flow

All versions of the TLS protocol in your outbound Network Flow logs, grouped by app_protocol_description
where(direction="OUTBOUND" AND app_protocol_description ISTARTS-WITH "TLS")groupby(app_protocol_description)

SSO Authentication

All successful single-service sign-ons grouped by service
where(source_json.outcome.result=SUCCESS)groupby(service)

Third Party Alert

All high severity Third Party Alerts, grouped by the alert type and title
where(severity="High")groupby(type, title)

Unparsed Data

All CyberArk activity
groupby(header.name)

All CyberArk events by ID
groupby(header.device_event_class_id)

All activity
groupby(header.name)

All activity grouped by severity
groupby(header.severity)

Virus Alert

All event codes from Windows Defender
groupby(source_json.eventCode)

All events where malware or PUP was detected, grouped by user, asset, and file path
where(source_json.eventCode=1116)groupby(user, asset, file_path)

All risks (alerts)
groupby(risk)

All risk counts trend by day
calculate(count)timeslice(1d)

All categories and severity
groupby(source_json.Category, source_json.Severity)

All Mimecast associated risks
groupby(risk)

Web Proxy Activity

All blocked URLs counter
where(is_blocked=true)calculate(count)

All blocked URLs grouped by unique sender
where(is_blocked=true)groupby(source_json.sender)calculate(unique:source_json.sender)

Windows Event Logs

All Security event logs, grouped by event code
where(data.logName ICONTAINS "SECURITY")groupby(data.eventCode)