Basic Queries
Note: values such as malicious_IP, authorized_user_1, internal_IP and external_IP below are placeholders to be replaced with site-specific values or lookups before use, and because `*` is a wildcard in SPL, a term like src_ip=*.*.*.* effectively matches any IP-shaped value rather than narrowing the search.
Failed login attempts
index=security login_status=failed
Suspicious network connections
index=network (src_ip=*.*.*.* AND dst_ip=malicious_IP) OR (src_ip=internal_IP AND dst_ip=external_IP)
Unauthorized file access
index=files file_access_status=unauthorized user!=authorized_user_1 AND user!=authorized_user_2
Abnormal system behavior
index=system (process_name=unexpected_process OR process_command_line=suspicious_command)
Brute force attacks
index=security login_status=failed src_ip=*.*.*.* | stats count by src_ip | where count > 10
System service disruptions
index=system (service_name=failed OR service_name=crashed)
Suspicious user activity
index=system (user=* AND (file_accessed=sensitive OR command_executed=unusual))
Excessive resource usage
index=system (cpu_utilization>90 OR memory_utilization>90)
Potential malware infections
index=system (file_hash=known_malware OR dst_ip=malicious_IP)
Unusual network traffic
index=network (traffic_volume>normal OR src_ip=internal AND dst_ip=external)
Potential data exfiltration
index=network (file_name=sensitive AND (protocol=ftp OR protocol=http))
Suspicious user accounts
index=system (user_permissions_changed=* OR user_type=admin_account_created)
Abnormal network behavior
index=network (traffic_volume_change>normal OR new_connection=true)
Potential ransomware attacks
index=system (file_encryption=true OR file_name=ransom [query truncated in source; closing parenthesis missing]
Suspicious network connections to known malicious domains
index=network dst_domain=malicious_domain
Potential remote access attempts
index=system (protocol=ssh OR protocol=rdp)
Potential denial of service attacks
index=network (traffic_volume>normal OR resource_usage>normal)
Suspicious file modifications
index=system (file_modified=true AND (file_type=system OR file_path=sensitive_directory))
Potential phishing attempts
index=email (link=suspicious OR attachment=suspicious)
Potential SQL injection attacks
index=system (query_text=* OR query_syntax=suspicious)
Suspicious user login attempts
index=system (login_status=failed OR (username=* AND password=*))
Potential unauthorized access to sensitive data
index=system (file_access=sensitive OR database_access=sensitive) AND user!=authorized_user
Abnormal system performance
index=system (cpu_utilization>normal OR memory_utilization>normal OR response_time>normal)
Potential data breaches
index=system (data_exfiltration=true OR user_account_access=unauthorized)
Potential cross-site scripting attacks
index=web (code_injection=true OR javascript_executed=unexpected)
Suspicious website traffic
index=web (traffic_volume_change>normal OR new_referral_source=true)
Potential unauthorized access to web servers
index=web (access_attempt=suspicious OR (username=* AND password=*))
Abnormal website behavior
index=web (new_page_appeared=true OR error_generated=true)
Potential directory traversal attacks
index=web (directory_access=suspicious OR traversal_technique=used)
Suspicious network connections from trusted IP addresses
index=network (src_ip=trusted AND (dst_ip=external OR dst_ip=malicious))
Potential cryptographic attacks
index=system (crypto_weakness=exploited OR crypto_algorithm=unexpected)
Suspicious system configuration changes
index=system (config_changed=true AND config_change_authorized=false)
Potential exploitation of vulnerabilities
index=system (vulnerability_exploited=true OR exploit_used=true)
Abnormal user behavior
index=system (command_executed=unexpected OR (file_accessed=unexpected AND directory_accessed=unexpected))
Potential exploits of privileged accounts
index=system (account_type=privileged AND (access_authorized=false OR usage_authorized=false))
Suspicious system log entries
index=system (new_log_source=true OR log_entry_type=error)
Potential data manipulation attacks
index=system (data_changed=true AND (data_type=database OR data_fake=true))
Suspicious user accounts or devices
index=system (user_account_access=unexpected OR device_access=unexpected OR (device_type=suspicious AND software_type=suspicious))
Potential security policy violations
index=system (data_access=restricted OR command_executed=unauthorized)
Suspicious email activity
index=email (attachment_received=suspicious OR data_sent=sensitive)
Potential privilege escalation attacks
index=system (privilege_level=elevated OR privilege_escalation_attempt=true)
Abnormal system log activity
index=system (log_deleted=true OR log_error_generated=true)
Potential data leakage
index=system (data_transferred=sensitive OR data_shared=unauthorized)
Suspicious system process activity
index=system (process_executed=unexpected OR process_arguments=unexpected)
Potential password cracking attempts
index=system (login_attempts=repeated AND password_attempts=different) OR (attack_technique=dictionary)
Suspicious network port activity
index=network (new_listening_port=true OR (protocol=unexpected AND port=known))
Potential system compromise
index=system (malware_detected=true OR (program_executed=unexpected AND script_executed=unexpected))
Abnormal user account activity
index=system (new_admin_account=true OR user_permissions_changed=true)
Potential security device misconfiguration
index=security_device (config_changed=true AND config_change_authorized=false)
Suspicious network traffic originating from internal IP addresses
index=network (src_ip=internal AND (dst_ip=external OR protocol=unexpected))
Potential unauthorized access to cloud resources
index=cloud (access_attempt=unauthorized OR (username=* AND password=*))
Suspicious network traffic originating from external IP addresses
index=network (src_ip=external AND (dst_ip=internal OR protocol=unexpected))
Potential security vulnerabilities in installed applications
index=system (installed_software_vulnerability=known OR (application_outdated=true AND application_supported=false))
Suspicious user activity on critical systems
index=system (command_executed=unauthorized AND system_type=critical) OR (data_accessed=sensitive AND system_type=critical)
Potential security vulnerabilities in network devices
index=network_device (device_vulnerability=known OR (firmware_outdated=true AND firmware_supported=false))
Suspicious network traffic to/from known malicious IP addresses
index=network (src_ip=malicious OR dst_ip=malicious) AND (protocol=unexpected OR protocol=known_malicious)
Potential security vulnerabilities in web applications
index=web (web_application_vulnerability=known OR (web_application_outdated=true AND web_application_supported=false))
Suspicious network connections to internal resources
index=network (src_ip=external AND (dst_ip=internal OR dst_resource=internal))
Potential security breaches of network perimeter defenses
index=network (internal_resource_access=unauthorized OR protocol_executed=unexpected)
Potential security breaches via compromised user accounts
index=system (user_account_access=unauthorized OR (username=* AND password=*))
Suspicious network traffic to known malicious domains
index=network (dst_domain=malicious AND domain_blacklisted=true)
Potential unauthorized access to system resources
index=system (file_access=sensitive OR directory_access=sensitive OR system_setting_access=sensitive) AND user!=authorized_user
Potential zero-day exploits
index=system (vulnerability_unknown=true OR exploit_unknown=true)
Suspicious network traffic to known malicious IP addresses
index=network dst_ip=malicious_IP
Potential insider threats
index=system (data_access=sensitive AND user_type=trusted) OR (command_executed=unauthorized AND user_type=trusted)
Potential security risks associated with third-party applications
index=system (third_party_application=unapproved OR third_party_application_installation_source=untrusted)
Suspicious network traffic to known malicious IP addresses
index=network (dst_ip=malicious OR dst_domain=malicious)
Potential security breaches involving privileged accounts
index=system (privileged_account_access=unauthorized OR privileged_account_permissions_changed= [query truncated in source; value and closing parenthesis missing]
Potential security breaches in third-party applications
index=system (third_party_software_vulnerability=known OR (application_outdated=true AND application_supported=false))
Suspicious user activity on mobile devices
index=mobile (app_installed=unauthorized) OR (data_accessed=sensitive AND device_type=mobile)
Potential security vulnerabilities in system software
index=system (operating_system_vulnerability=known OR system_library_vulnerability=known OR (system_software_outdated=true AND system_software_supported=false))
Suspicious network traffic patterns or anomalies
index=network (traffic_volume_change=unexpected OR new_protocol_detected=true)
Last updated