Falcon Query Assets Save

Project README

Welcome :pineapple:

Welcome to the Falcon Query Assets GitHub page. Here, we will publish useful queries, transforms, and tips that help CrowdStrike customers write custom hunting syntax and better leverage the Falcon telemetry stream.

Contents :bookmark_tabs:

  • LogScale Tutorials.
  • Event field transforms for telemetry in Event Search (FQL) and Falcon LogScale (LQL) language.
  • Custom IOA Logic.
  • Useful lookup tables for Event Search and Falcon LogScale.

Bugs :lady_beetle:

To report errors or corrections, please file an Issue using GitHub.

Under Construction :construction:

This page will be perpetually under construction.

Major Release Log :shipit:

  • 2023-01-03 - Updated and enhanced the LogScale Hunting and Investigations guide. Also added the LogScale Foundational Building Blocks guide.

  • 2023-01-02 - Redesign of the page, along with a large amount of new content added to the LogScale and FLTR sections.

  • 2022-10-03 - Added LogScale Hunting Guide.

  • 2022-10-03 - Added hunting logic for ProxyNotShell [T1505.003].

  • 2022-09-16 - Added hunting logic for Microsoft Teams Unsecured Credentials Issue [T1552.001].

  • 2022-09-12 - Added hunting logic for T1087.001.

  • 2022-09-08 - Added useful search functions. Added hunting and Custom IOA logic for NSLOOKUP loading a remote text file payload.

  • 2022-09-07 - Repository made public. First release of 85+ field transforms for Event Search and Falcon Long Term Repository. Published list of helpful lookup tables for Falcon Event Search.

Open Source Agenda is not affiliated with "Falcon Query Assets" Project. README Source: CrowdStrike/falcon-query-assets
Stars: 97 | Open Issues: 5 | Last Commit: 5 months ago
