LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
PAID

AD Brute Force / Password Spray (NGSIEM)

Detects accounts with multiple authentication failures in Active Directory — indicator of brute force or password spray attacks.

#event_simpleName=ActiveDirectoryAuthenticationFailure | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 50 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Intermediate
PAID

AD Privileged Group Membership Change

Detects additions or removals to privileged Active Directory groups such as Domain Admins or Enterprise Admins.

#event_simpleName=ActiveDirectoryAuditGroupMemberModified | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 3 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Intermediate
PAID

AMSI Bypass Attempt

Detects AMSI bypass attempts via PowerShell reflection or string obfuscation techniques used to evade AV/EDR scanning.

#event_simpleName=ProcessRollup2 CommandLine=/(amsiInitFailed|AmsiUtils|amsi\.dll|SetValue.*amsiContext|Reflection\.Assembly.*amsi)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Advanced
PAID

Anomalous DNS Query Volume

Identifies hosts generating abnormally high DNS query volumes, a common indicator of DNS tunneling or C2 beaconing.

#event_simpleName=DnsRequest | groupBy([ComputerName], function=[count(), collect([DomainName])]) | _count > 5000 | sort(_count, limit=20)
Network · sofistic · exfiltration
Intermediate
PAID

Azure NSG Rule Changes

Detects additions or modifications to Azure Network Security Group rules that may expose resources to the internet.

#event_simpleName=AzureNetworkSecurityGroupRule | groupBy([SecurityRuleName, SecurityRuleDirection, SecurityRuleAccess], function=count()) | _count > 10 | sort(_count, limit=20)
Cloud · sofistic · ngsiem
Intermediate
PAID

Brute Force / Password Spray

Detects accounts with more than 100 type-3 (network) logon failures in 24h — indicative of brute force or password spray.

#event_simpleName=UserLogon LogonType=3 | groupBy([UserName, ComputerName], function=count()) | _count > 100 | sort(_count, limit=20)
Identity · sofistic · brute-force
Intermediate
PAID

Credential Dumping Tools

Detects execution of known credential dumping tools (Mimikatz, fgdump, gsecdump, pwdump) on Windows endpoints.

#event_simpleName=ProcessRollup2 FileName=/(mimikatz|procdump|pwdump|wce|lazagne|gsecdump|secretsdump)/i | groupBy([ComputerName, UserName, FileName], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · credential-access
Advanced
FREE

CSPM Policy Violations

Detects cloud security policy (CSPM) violations in Azure/GCP including public storage, missing encryption, and exposed management ports.

product_cspm=true | groupBy([#event_simpleName, azure_application_name, disposition], function=count()) | _count > 20 | sort(_count, limit=20)
Cloud · sofistic · ngsiem
Beginner
FREE

Data Staging via Archive Tools

Detects use of compression utilities (7z, rar, zip) to package large volumes of data — a pre-exfiltration staging indicator.

#event_simpleName=ProcessRollup2 FileName=/(7z|7za|rar|winrar|zip|tar|makecab)\.exe/i CommandLine=/(\\Users\\|\\Shares\\|\\Documents\\|\\Desktop\\|-p|-r)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
EDR · sofistic · exfiltration
Beginner
PAID

DCSync Attack Detected

Detects Directory Replication Service (DCSync) attempts used to extract password hashes from domain controllers without logging on.

#event_simpleName=DCSyncAttempted | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 5 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Advanced
PAID

DNS Exfiltration Indicators

Detects DNS queries with abnormally long subdomains (80+ chars) — indicator of DNS tunneling used for C2 or data exfiltration.

#event_simpleName=DnsRequest | DomainName=/.{80,}/ | groupBy([ComputerName, DomainName], function=count()) | _count > 3 | sort(_count, limit=20)
Network · sofistic · exfiltration
Intermediate
PAID

LSASS Memory Access

Detects direct access to LSASS process memory — a common technique for credential extraction via tools like Mimikatz or ProcDump.

#event_simpleName=ProcessRollup2 CommandLine=*lsass* FileName!=lsass.exe | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · credential-access
Advanced
FREE

Network Share Enumeration

Detects mass network share enumeration via net view, net share, or similar tools indicative of lateral movement preparation.

#event_simpleName=ProcessRollup2 CommandLine=/(net\s+view|net\s+share|Invoke-ShareFinder|Get-NetShare|Get-DFSshare)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
Threat Hunting · sofistic · discovery
Beginner
PAID

Pass-the-Hash / Overpass-the-Hash

Detects Pass-the-Hash techniques via sekurlsa, pth-winexe, Rubeus, or similar tools that abuse NTLM hashes for authentication.

#event_simpleName=ProcessRollup2 CommandLine=/(sekurlsa|pth-winexe|Invoke-SMBExec|Invoke-TheHash|Invoke-WMIExec|Overpass-the-Hash|rubeus.*ptt|rubeus.*asktgt)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · lateral-movement
Advanced
PAID

PowerShell Download Cradle

Detects PowerShell downloading payloads via IEX, Invoke-WebRequest, Net.WebClient, or similar download cradle patterns.

#event_simpleName=ProcessRollup2 FileName=/(powershell|pwsh)\.exe/i CommandLine=/(IEX|Invoke-Expression|Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|wget\s|curl\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · execution
Intermediate
PAID

PowerShell Encoded Commands

Detects PowerShell execution with Base64-encoded commands (-enc, -encodedcommand) commonly used to evade AV/EDR detection.

#event_simpleName=ProcessRollup2 FileName=/(powershell|pwsh)\.exe/i CommandLine=/(\-enc|\-encodedcommand|\-e\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · execution
Intermediate
PAID

Process Injection Indicators

Detects process injection techniques and tools via command-line indicators (OpenProcess, WriteProcessMemory, CreateRemoteThread).

#event_simpleName=ProcessRollup2 CommandLine=/(Invoke-ReflectivePEInjection|Inject-Shellcode|VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection|QueueUserAPC)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Advanced
PAID

PsExec / Remote Service Execution

Detects PsExec and similar remote service execution tools used for lateral movement across Windows environments.

#event_simpleName=ProcessRollup2 FileName=/(psexec|psexesvc|paexec|remcom|csexec)\.exe/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
EDR · sofistic · lateral-movement
Intermediate
PAID

RDP Lateral Movement Burst

Detects multiple RDP sessions (logon type 10) from the same user to different hosts in a short window — lateral movement indicator.

#event_simpleName=UserLogon LogonType=10 | groupBy([UserName], function=[count(), collect([ComputerName])]) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · lateral-movement
Intermediate
FREE

Reconnaissance Commands Burst

Detects bursts of reconnaissance commands (whoami, net, ipconfig, systeminfo, nltest) from a single process — a post-exploitation indicator.

#event_simpleName=ProcessRollup2 FileName=/(whoami|net|net1|ipconfig|systeminfo|nltest|dsquery|cmdkey|klist|nslookup)\.exe/i | groupBy([ComputerName, UserName], function=count()) | _count > 15 | sort(_count, limit=20)
Threat Hunting · sofistic · discovery
Beginner