====== Useful CrowdStrike LogScale hunting queries ======

Some useful CrowdStrike LogScale queries for hunting malicious activity.

===== (EDR) Documents accessed per detection =====

Lists, for each detection summary event that carries a ''DocumentsAccessed'' array, the documents the detected process touched, grouped by host and detection:

<code>
ExternalApiType=Event_DetectionSummaryEvent
| /DocumentsAccessed/
| split(DocumentsAccessed)
| groupBy(
    field=[ComputerName, DetectId, DetectName, DetectDescription],
    function=[
      collect(fields=[DocumentsAccessed.FileName, DocumentsAccessed.FilePath, DocumentsAccessed.Timestamp])
    ]
  )
</code>
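As an added example (not from the original page), a Python equivalent of this query that can be run offline over exported detection summary records, e.g. to validate what the LogScale result should look like. It assumes the flat field names the query uses after ingest (''ExternalApiType'', ''ComputerName'', ''DocumentsAccessed[]''); the sample records are constructed.

```python
"""Offline mirror of the LogScale 'documents accessed per detection' query."""
from collections import defaultdict

GROUP_FIELDS = ("ComputerName", "DetectId", "DetectName", "DetectDescription")

# Constructed sample records in the flat shape assumed after ingest; all values are made up.
SAMPLE_EVENTS = [
    {"ExternalApiType": "Event_DetectionSummaryEvent", "ComputerName": "WS-01",
     "DetectId": "ldt:placeholder:111", "DetectName": "Suspicious Activity",
     "DetectDescription": "Process read an unusual number of documents",
     "DocumentsAccessed": [
         {"Timestamp": 1700000005, "FileName": "plan.docx", "FilePath": "C:\\Users\\a\\Documents\\"},
         {"Timestamp": 1700000000, "FileName": "q3.xlsx", "FilePath": "C:\\Users\\a\\Documents\\"}]},
    # Detection without a DocumentsAccessed array: dropped by the /DocumentsAccessed/ filter.
    {"ExternalApiType": "Event_DetectionSummaryEvent", "ComputerName": "WS-02",
     "DetectId": "ldt:placeholder:222", "DetectName": "Malware",
     "DetectDescription": "Known bad hash"},
    # Not a detection summary: dropped by the ExternalApiType filter.
    {"ExternalApiType": "Event_UserActivityAuditEvent", "ComputerName": "WS-03"},
]


def documents_per_detection(events):
    """Filter -> split the array into one row per document -> groupBy -> collect.

    Returns {(ComputerName, DetectId, DetectName, DetectDescription):
             [(FileName, FilePath, Timestamp), ...]} with rows ordered by Timestamp.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("ExternalApiType") != "Event_DetectionSummaryEvent":
            continue
        docs = ev.get("DocumentsAccessed")
        if not docs:
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        for doc in docs:  # split(DocumentsAccessed): one row per array element
            groups[key].append((doc.get("FileName"), doc.get("FilePath"), doc.get("Timestamp")))
    return {key: sorted(rows, key=lambda r: r[2] or 0) for key, rows in groups.items()}


if __name__ == "__main__":
    for key, rows in documents_per_detection(SAMPLE_EVENTS).items():
        print(" | ".join(str(k) for k in key))
        for name, path, ts in rows:
            print(f"  {ts}  {path}{name}")
```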