
Useful CrowdStrike Logscale hunting queries

Some useful CrowdStrike Logscale queries for hunting malicious activity.

(EDR) Documents accessed per-detection

Lists, for each detection, the documents recorded in the detection summary's DocumentsAccessed array. The free-text filter /DocumentsAccessed/ keeps only detection summaries that actually carry that array, and split() turns every DocumentsAccessed[n] element into its own event (fields become DocumentsAccessed.FileName and so on), so the file name, path and timestamp can be collected under the detection they belong to.

// Detection summaries from the Falcon event stream that mention DocumentsAccessed
ExternalApiType=Event_DetectionSummaryEvent | /DocumentsAccessed/
// One event per DocumentsAccessed[n] element; DocumentsAccessed[n].X becomes DocumentsAccessed.X
| split(DocumentsAccessed)
// Roll the elements back up per host and detection
| groupBy(
    field=[ComputerName, DetectId, DetectName, DetectDescription],
    function=[
      collect(fields=[DocumentsAccessed.FileName, DocumentsAccessed.FilePath, DocumentsAccessed.Timestamp])
    ]
  )
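To make the split()/groupBy() step concrete, the following is an added Python model of the query (example code written for this page, not part of the original wiki entry or of any CrowdStrike tooling). It runs the same filter, split and group logic over a few constructed detection-summary records shaped the way LogScale flattens JSON arrays (DocumentsAccessed[0].FileName, DocumentsAccessed[1].FileName, ...). Host names, detection IDs, descriptions, paths and timestamps are made up; only the field names come from the query above.

```python
import re
from collections import defaultdict

# Constructed sample events (made-up values) in the flattened shape LogScale
# gives Event_DetectionSummaryEvent JSON: each array element of
# DocumentsAccessed appears as DocumentsAccessed[n].<subfield>.
SAMPLE_EVENTS = [
    {
        "ExternalApiType": "Event_DetectionSummaryEvent",
        "ComputerName": "WKS-01",
        "DetectId": "ldt:example:1",
        "DetectName": "Example detection A",
        "DetectDescription": "Example description A",
        "DocumentsAccessed[0].FileName": "report.docx",
        "DocumentsAccessed[0].FilePath": "C:\\Users\\alice\\Documents\\",
        "DocumentsAccessed[0].Timestamp": 1700000000,
        "DocumentsAccessed[1].FileName": "budget.xlsx",
        "DocumentsAccessed[1].FilePath": "C:\\Users\\alice\\Documents\\",
        "DocumentsAccessed[1].Timestamp": 1700000005,
    },
    {
        # Detection without a DocumentsAccessed array: the /DocumentsAccessed/
        # free-text filter drops it before split() runs.
        "ExternalApiType": "Event_DetectionSummaryEvent",
        "ComputerName": "WKS-02",
        "DetectId": "ldt:example:2",
        "DetectName": "Example detection B",
        "DetectDescription": "Example description B",
    },
    {
        "ExternalApiType": "Event_DetectionSummaryEvent",
        "ComputerName": "WKS-03",
        "DetectId": "ldt:example:3",
        "DetectName": "Example detection C",
        "DetectDescription": "Example description C",
        "DocumentsAccessed[0].FileName": "notes.txt",
        "DocumentsAccessed[0].FilePath": "C:\\Temp\\",
        "DocumentsAccessed[0].Timestamp": 1700000100,
    },
    {
        # Different event type: removed by the ExternalApiType filter.
        "ExternalApiType": "Event_OtherEvent",
        "ComputerName": "WKS-01",
        "DocumentsAccessed[0].FileName": "ignored.pdf",
    },
]

GROUP_FIELDS = ("ComputerName", "DetectId", "DetectName", "DetectDescription")
COLLECT_FIELDS = ("FileName", "FilePath", "Timestamp")


def split_array(event, field):
    """Model LogScale's split(field): yield one event per field[n] element,
    renaming field[n].sub to field.sub and recording the element index in _index.
    Events without the array yield nothing."""
    pattern = re.compile(r"^" + re.escape(field) + r"\[(\d+)\]\.(.+)$")
    elements = defaultdict(dict)
    base = {}
    for key, value in event.items():
        m = pattern.match(key)
        if m:
            elements[int(m.group(1))][f"{field}.{m.group(2)}"] = value
        else:
            base[key] = value
    for index in sorted(elements):
        yield {**base, **elements[index], "_index": index}


def documents_per_detection(events):
    """Reproduce the query: type filter, free-text filter, split(), then
    groupBy() with collect() of the per-document fields."""
    grouped = defaultdict(list)
    for event in events:
        if event.get("ExternalApiType") != "Event_DetectionSummaryEvent":
            continue
        # Free-text /DocumentsAccessed/: match anywhere in the raw event,
        # approximated here as any field name or value containing the string.
        if not any("DocumentsAccessed" in k or "DocumentsAccessed" in str(v)
                   for k, v in event.items()):
            continue
        for row in split_array(event, "DocumentsAccessed"):
            key = tuple(row.get(f) for f in GROUP_FIELDS)
            grouped[key].append(
                tuple(row.get(f"DocumentsAccessed.{f}") for f in COLLECT_FIELDS)
            )
    return dict(grouped)


if __name__ == "__main__":
    for key, docs in documents_per_detection(SAMPLE_EVENTS).items():
        print(key)
        for doc in docs:
            print("    ", doc)
```

Running it prints two groups (WKS-01 with two documents, WKS-03 with one); the detection without the array and the non-detection event never reach the grouping, which is the same effect the free-text and ExternalApiType filters have in the real query.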
