Example Queries

All failed authentication activity, grouped by destination_user

• where(result AND result != SUCCESS) groupby(destination_user) calculate(count)
• where(result ISTARTS-WITH "FAILED") groupby(destination_user) calculate(count)

All users who completed an admin action
groupby(source_user)

All admin actions
groupby(action)

All activity taken by a specific user

• where(source_user="Arnold Holt")
  
  • Case-insensitive: where(source_user=NOCASE("arnold holt"))
    
• where(source_user="Tina Gonzales (Admin)")
  
  • Case-insensitive: where(source_user=NOCASE("tina gonzales (admin)"))
    
• where(source_user="rrn:uba:us:14f8eba8-46c8-474b-a982-29476e7a8bd8:user:JA5G9PI3PC9M")

All users with “admin” in their user name

• where(source_user ICONTAINS admin)groupby(source_user)
  
• where(source_user ICONTAINS admin)groupby(action)
  Note: These return case insensitive results.

All groups that a user was added to by someone with “admin” in their name
where(source_user ICONTAINS admin AND action=MEMBER_ADDED_TO_SECURITY_GROUP) groupby(group)

All users added to a particular group
where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group="vpn-users")groupby(target_user)

Accounts that added users to groups
where(action="MEMBER_ADDED_TO_SECURITY_GROUP")groupby(source_user)

Accounts (DN display) that had their privileges escalated, to what group, by whom, on what day/time
where(target_account NOT ICONTAINS "$" AND action=PRIVILEGE_ESCALATION)groupby(target_account, group, source_user, timestamp)

Group changes made to a certain group
where(action IN [MEMBER_ADDED_TO_SECURITY_GROUP, MEMBER_REMOVED_FROM_SECURITY_GROUP]AND group CONTAINS -job-admins)
Note: Replace /*.-job-admins/ with the appropriate group name

Admin account created by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4732 EVENT/ OR /\s636 EVENT/) groupby(host)

Accounts locked out by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4740 EVENT/ OR /\s644 EVENT/) groupby(host)

Audit Log cleared by Host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /1102 EVENT/ OR /\s517 EVENT/) groupby(host)

Audit Policy Changed (regex)
where(/4719 EVENT/ OR /\s612 EVENT/)

These queries only work with Microsoft Logs.

All Microsoft Event IDs for collected events (regex)

• where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
• where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

All "MALICIOUS" Advanced Malware Alerts, grouped by assets that have 5 or more alerts
where(severity ICONTAINS "MALICIOUS")groupby(asset)having(count>=5)

All authentication types
groupby(logon_type)

All authentication results
groupby(result)

All failed authentication activity
where(result AND result != SUCCESS) groupby(destination_user) calculate(count)

All failed authentication activity
where(result starts-with "failed") groupby(destination_user) calculate(count)

All failed Logins by IP (regex)
where(/(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) groupby(ip) calculate(count)

All failed Non-Kerberos logins
where(service NOT IIN ["krbtgt", "kerberos"] AND result ISTARTS-WITH "failed") groupby(destination_account)

All Non-Kerberos logins by destination asset
where(service NOT IN [krbtgt, kerberos]AND result="FAILED_BAD_PASSWORD")groupby("destination_asset")

All accounts attempting to authenticate that failed
where(result ISTARTS-WITH "FAILED")groupby(destination_user)
Note: If no results are returned, try the destination_account key.

All invalid logins (regex)
where(/4625 EVENT/ OR /\s529 EVENT/)

All invalid logins by host (regex)
where(/:\d{2} (?P<host>\w+)./ AND /4625 EVENT/ OR /\s529 EVENT/) groupby(host)

All Microsoft event IDs for collected events (regex)

• where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
• where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

All investigation activity performed from within the InsightIDR Platform, grouped by action
where(access_method="web")groupby(action)

All analysts who have closed an investigation, grouped by their user name
where(action="INVESTIGATION_CLOSED")groupby(request.user.name)

Manually created investigations, grouped by alert name
where(service_info.investigation_type="MANUAL")groupby(service_info.investigation_name)limit(1000)
Note: This query will only return 1,000 alerts.

All instances where data has been added to an investigation, grouped by investigation type and the data types
where(action="INVESTIGATION_DATA_ADDED")groupby(service_info.investigation_type, service_info.data_type)

All Cloud Service Workloads and actions performed
groupby(source_json.Workload, action)

Top 10 users with the most Office365 activity
groupby(source_user)calculate(count)limit(10)

Office365 guest account creations and who created them (regex)
where(action=CREATE_USER AND target_user=/.*\#EXT\#.*/i) groupby(source_user, target_user)

Office365 guest account areas of activity (regex)
where(source_user=/.*\#EXT\#.*/i)groupby(source_json.Workload)

Office365 guest account SharePoint actions (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=SharePoint)groupby(action)

Office365 guest account OneDrive files downloaded or accessed (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=OneDrive AND action=/FileDownloaded|FileAccessed/)groupby(action, source_json.SourceFileName)

Office365 guest account Team Sessions started (regex)
where(source_user=/.*\#EXT\#.*/i AND source_json.Workload=MicrosoftTeams AND action=/TeamsSessionStarted/i)groupby(source_user)

All websites visited by users outside of .com, .net, and .org domains
where(public_suffix AND public_suffix NOT IN [com, net, org])groupby(public_suffix)

All websites in Russia visited by users
where(public_suffix="ru")groupby(query)

All users who have accessed a website, and how many times (regex)
where(/facebook/ AND user!="unknown")calculate(count)

All users who have accessed Dropbox (regex)
where(/dropbox/ AND user!="unknown")groupby(user)

All users who have accessed Facebook (RegEx)
where(/facebook/ AND user!="unknown")groupby(user)

All child Powershell process command lines that are not empty or only running a ps1 script
where(process.name=/powershell.exe/i AND process.cmd_line NOT IN ["null", /.*ps1.*/i])groupby(process.cmd_line)

All processes by file descriptions
groupby(process.exe_file.description)

All process reputations
groupby(process.hash_reputation.reputation)

All command lines showing the taskkill.exe process
where(process.name=NOCASE(taskkill.exe)) groupby(process.cmd_line)

All processes, hostnames, and users running programs for SSH and/or Telnet
where(process.exe_file.description icontains-any ["ssh", "telnet"]) groupby(process.name, hostname, process.username)

All hosts on a particular domain
where(domain=<insert domain>)groupby(hostname)calculate(unique:hostname)

All hosts and last logged in user on a particular domain
where(domain=<insert domain>)groupby(hostname, lastLoggedInUser)

All non-domain joined assets by platform
where(domain="null")groupby(platform)calculate(unique:hostname)

All endpoints running 2 jobs and what those jobs are
where(numRunningJobs=2)groupby(hostname, running_jobs.0.job, running_jobs.1.job)

All Windows endpoints with very high system memory usage (not from the agent)
where(platform=windows AND agentSystemMemoryUsageMetrics.memoryUsagePercentage>90)groupby(hostname)calculate(unique:hostname)

All files accessed by a specific user
where(user="Pete Coors")groupby(file_name)

All users who accessed a specific file
where(file_name="audit.csv")groupby(user)

Top 20 known users accessing Safebrowsing
where(query="safebrowsing.google.com" AND user!="unknown")groupby(user)limit(20)

The following queries only work with Microsoft Logs.

All Microsoft event IDs for collected events (regex)

• where(/eventCode\\":(?P<EVID>\d{4})/) groupby(EVID)
• where(/eventCode\\":\\"(?P<EVID>\d{4})/)groupby(EVID)

All hosts that logs have been collected from (regex)
where(/computerName\\":\\"(?P<HostName>[\w\d\-]*)/)groupby(HostName)

All log entries where any of the three File Integrity Monitoring events are logged
where(file_event="delete" OR "write" OR "modify") calculate(count)

All countries that users have downloaded data from
where(incoming_bytes>0 AND geoip_country_code NOT IN [US, IE, GB, DE, JP, CA, AU])groupby(geoip_country_code)
Note: The list of excluded countries should be modified as needed.

All firewall traffic from countries other than the United States
where(geoip_country_name!="United States")groupby(geoip_country_name)

A count of all firewall logs
calculate(count)
Note: This query is useful to see trends in the amount of logs collected.

Top 10 external systems (outside of the United States) receiving the most data
where(direction=OUTBOUND AND geoip_country_code!=US)groupby(destination_address)calculate(sum:outgoing_bytes)limit(10)

Top 10 internal systems receiving the most data
where(direction=INBOUND)groupby(destination_address)calculate(sum:incoming_bytes)limit(10)

All users accessing a particular destination
where(direction="OUTBOUND" AND destination_address="52.205.169.150")groupby(user)

All countries with a connection status of deny
where(connection_status="DENY") calculate(count)

All denied outbound traffic
where(direction="OUTBOUND" AND connection_status="DENY")calculate(count)

All used outbound ports except for 443, 80, and 53, grouped by destination_port
where(connection_status="ACCEPT" AND direction="OUTBOUND" AND destination_port NOT IN ["443", "80", "53"]) groupby(destination_port)

Top outbound destinations
where(direction=OUTBOUND)groupby(destination_address)calculate(sum:outgoing_bytes)

Top inbound destinations
where(direction=INBOUND)groupby(source_address)calculate(sum:incoming_bytes)

Allowlisted countries
where(geoip_country_name IN [Czechia, Russia, "Hong Kong"] AND connection_status = ACCEPT AND direction=INBOUND)groupby(geoip_country_name)

External firewall denials by subnet
where(connection_status = DENY AND source_address NOT IN [IP(10.0.0.0/8),IP(172.27.0.0/16),IP(169.254.0.0/16),IP(192.168.0.0/16),IP(172.16.0.0/16)])

All known users with a status of deny from an IP address not listed
where(user!="unknown" AND connection_status = DENY AND source_address NOT IN [IP(10.0.0.0/8), IP(172.27.0.0/16), IP(169.254.0.0/16), IP(192.168.0.0/16), IP(172.16.0.0/16)])

All invalid connection attempts from a country that isn't the United States
where(connection_status="DENY" AND geoip_country_name!="United States") groupby(geoip_country_name) calculate(count)

All inbound denies by country
where(connection_status=DENY AND direction=INBOUND AND geoip_country_name!="United States") groupby(geoip_country_name) calculate(count)

All data transmissions greater than 50,000,000 bytes to "Box.com"
where(direction="OUTBOUND" AND outgoing_bytes>50000000 AND geoip_organization="Box.com")

All Docker traffic (RAW) received in bytes
where(stats.networks.eth0.rx_bytes!=null) calculate(average:stats.networks.eth0.rx_bytes)

All assets that have obtained more than 5 unique IP addresses
where(action="OBTAIN")groupby(asset)calculate(unique:ip)having(unique:ip>=5)

Informational alerts by signature
where(severity="INFORMATIONAL")groupby(signature)limit(1000)
Note: This query will only return 1,000 alerts.

All informational alerts with SSH signatures (regex)
where(severity="INFORMATIONAL" AND signature=/.*ssh.*/i)groupby(signature)

All low severity alerts grouped by description
where(severity="LOW")groupby(description)

All alerts grouped by severity with unique signatures
groupby(severity)calculate(unique:signature)

All high severity alerts grouped by asset with unique signatures
where(severity="HIGH")groupby(asset)calculate(unique:signature)

All critical severity alerts grouped by asset with unique signatures
where(severity="CRITICAL")groupby(asset)calculate(unique:signature)

All events where the user logged in from a specific country

• where(geoip_country_name="United States")calculate(count)
• where(geoip_country_name="United States")groupby(user)calculate(count)

All users accessing the network from a specific city
where(geoip_city="San Jose")groupby(user)

All users accessing the network from a list of cities (regex)
where(geoip_city=/Providence|Framingham|Dallas|Minneapolis|Appleton|Phoenix|Omaha|Melbourne|Tuzla|Leeds|Zurich|Singapore|Toronto/i)groupby(geoip_city)

All ingress from a certain country
where(geoip_country_name="Russia")

All users accessing the network from a specific service

• where(service="box")groupby(user)
• where(service="o365")groupby(user)

All users accessing the network from countries other than the United States
where(geoip_country_code!="US") groupby(geoip_country_name)

All countries with successful authentication outside those listed (regex)
where(geoip_country_name AND geoip_country_name!=/United States|Canada|Mexico/i AND result=SUCCESS)groupby(geoip_country_name)limit(100)

All accounts that have ingressed into the application as stipulated by the application's ID
where(source_json.ApplicationId="[insert application ID]")groupby(account)

All successful ingress authentications by a specific service, country, and user agent
where(result=SUCCESS)groupby(service, geoip_country_name, user_agent)

All weekly Ingress Authentications from the United States, All Services - Success
where(result=SUCCESS AND geoip_country_name=""United States"")calculate(count)timeslice(1h)

All weekly CONUS Ingress Authentications, All Services - Success (regex)
where(result=/failed.*/i AND geoip_country_name=""United States"")calculate(count)timeslice(1h)

All weekly CONUS Ingress Authentications, All Services - Failure
where(result=SUCCESS AND geoip_country_name!=""United States"")calculate(count)timeslice(1d)

All weekly CONUS Ingress Authentications, All Services - Failure (regex)
where(result=/failed.*/i AND geoip_country_name!=""United States"")calculate(count)timeslice(1d)

All apps being successfully signed into
where(source_json.operationName="Sign-in activity" AND result=SUCCESS)groupby(source_json.properties.appDisplayName)

All users who attempted to sign in but failed due to the account being disabled
where(source_json.operationName="Sign-in activity" AND result=FAILED_ACCOUNT_DISABLED)groupby(user)

All sign-in risk levels
where(source_json.properties.riskLevelDuringSignIn!=none)groupby("source_json.properties.riskLevelDuringSignIn")

Azure MFA Methods Used
groupby(source_json.properties.mfaDetail.authMethod)

Azure MFA Text Message Notifications
where(source_json.properties.mfaDetail.authMethod=/Text message/i)groupby(result

Azure Mobile app Verification Code Results
where(source_json.properties.mfaDetail.authMethod=/Mobile app verification code/i)groupby(result)

All failed Azure MFA phone calls grouped by result
where(source_json.properties.mfaDetail.authMethod=/Phone call \(Authentication phone\)/i)groupby(result)

All Azure MFA OATH verification codes grouped by result
where(source_json.properties.mfaDetail.authMethod="OATH verification code")groupby(result)

All versions of the TLS protocol in your outbound Network Flow logs, grouped by app_protocol_description
where(direction="OUTBOUND" AND app_protocol_description ISTARTS-WITH "TLS")groupby(app_protocol_description)

All successful single-service sign-ons grouped by service
where(source_json.outcome.result=SUCCESS)groupby(service)

All high severity Third Party Alerts, grouped by the alert type and title
where(severity="High")groupby(type, title)

All CyberArk activity
groupby(header.name)

All CyberArk events by ID
groupby(header.device_event_class_id)

All activity
groupby(header.name)

All activity grouped by severity
groupby(header.severity)

All event codes from Windows Defender
groupby(source_json.eventCode)

All events where malware or PUP was detected, grouped by user, asset, and file path
where(source_json.eventCode=1116)groupby(user, asset, file_path)

All risks (alerts)
groupby(risk)

All risk counts trend by day
calculate(count)timeslice(1d)

All categories and severity
groupby(source_json.Category, source_json.Severity)

All Mimecast associated risks
groupby(risk)

All blocked URLs counter
where(is_blocked=true)calculate(count)

All blocked URLs grouped by unique sender
where(is_blocked=true)groupby(source_json.sender)calculate(unique:source_json.sender)

All Security event logs, grouped by event code
where(data.logName ICONTAINS "SECURITY")groupby(data.eventCode)