Basic Queries
Failed login attempts
index=security login_status=failed
Suspicious network connections
index=network (src_ip=*.*.*.* AND dst_ip=malicious_IP) OR (src_ip=internal_IP AND dst_ip=external_IP)
Unauthorized file access
index=files file_access_status=unauthorized user!=authorized_user_1 AND user!=authorized_user_2
Abnormal system behavior
index=system (process_name=unexpected_process OR process_command_line=suspicious_command)
Brute force attacks
index=security login_status=failed src_ip=*.*.*.* | stats count by src_ip | where count > 10
System service disruptions
index=system (service_name=failed OR service_name=crashed)
Suspicious user activity
index=system (user=* AND (file_accessed=sensitive OR command_executed=unusual))
Excessive resource usage
index=system (cpu_utilization>90 OR memory_utilization>90)
Potential malware infections
index=system (file_hash=known_malware OR dst_ip=malicious_IP)
Unusual network traffic
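The "Brute force attacks" search above (index=security login_status=failed | stats count by src_ip | where count > 10) re-implemented offline, as an added example that is not part of the original cheat sheet. The key=value events are constructed here, the field names follow the query, and the strict `> 10` boundary is shown: a source with exactly ten failures does not fire.

```python
"""Offline equivalent of: index=security login_status=failed
| stats count by src_ip | where count > 10
Events below are constructed for illustration; they are not real data."""
import shlex
from collections import Counter


def parse_kv(line: str) -> dict:
    """Parse a Splunk-style key=value event into a dict (values may be quoted)."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def brute_force_sources(lines, threshold: int = 10) -> dict:
    """Return {src_ip: failure_count} for sources with more than `threshold`
    failed logins, mirroring `stats count by src_ip | where count > threshold`."""
    counts = Counter()
    for line in lines:
        event = parse_kv(line)
        # Same filter as the search head: login_status=failed with a src_ip present
        if event.get("login_status") == "failed" and "src_ip" in event:
            counts[event["src_ip"]] += 1
    # `where count > 10` is strict: exactly ten failures does not alert
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample events using documentation IP ranges (RFC 5737), not real hosts
SAMPLE_EVENTS = (
    [f"ts=2024-01-01T00:00:{i:02d}Z login_status=failed src_ip=203.0.113.5 user=admin"
     for i in range(12)]                       # 12 failures -> alerts
    + [f'ts=2024-01-01T00:01:{i:02d}Z login_status=failed src_ip=198.51.100.7 user="svc account"'
       for i in range(10)]                     # exactly 10 -> below the strict threshold
    + ["ts=2024-01-01T00:02:00Z login_status=success src_ip=203.0.113.5 user=admin",
       "ts=2024-01-01T00:02:01Z login_status=failed src_ip=192.0.2.9 user=bob"]
)

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed logins")
```

Lower the threshold (or add a time bucket with `bin _time span=5m` in the real search) if a slow-and-low source should be caught; the function takes the threshold as a parameter for that reason.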
Potential data exfiltration
Suspicious user accounts
Abnormal network behavior
Potential ransomware attacks
Suspicious network connections to known malicious domains
Potential remote access attempts
Potential denial of service attacks
Suspicious file modifications
Potential phishing attempts
Potential SQL injection attacks
Suspicious user login attempts
Potential unauthorized access to sensitive data
Abnormal system performance
Potential data breaches
Potential cross-site scripting attacks
Suspicious website traffic
Potential unauthorized access to web servers
Abnormal website behavior
Potential directory traversal attacks
Suspicious network connections from trusted IP addresses
Potential cryptographic attacks
Suspicious system configuration changes
Potential exploitation of vulnerabilities
Abnormal user behavior
Potential exploits of privileged accounts
Suspicious system log entries
Potential data manipulation attacks
Suspicious user accounts or devices
Potential security policy violations
Suspicious email activity
Potential privilege escalation attacks
Abnormal system log activity
Potential data leakage
Suspicious system process activity
Potential password cracking attempts
Suspicious network port activity
Potential system compromise
Abnormal user account activity
Potential security device misconfiguration
Suspicious network traffic originating from internal IP addresses
Potential unauthorized access to cloud resources
Suspicious network traffic originating from external IP addresses
Potential security vulnerabilities in installed applications
Suspicious user activity on critical systems
Potential security vulnerabilities in network devices
Suspicious network traffic to/from known malicious IP addresses
Potential security vulnerabilities in web applications
Suspicious network connections to internal resources
Potential security breaches of network perimeter defenses
Potential security breaches via compromised user accounts
Suspicious network traffic to known malicious domains
Potential unauthorized access to system resources
Potential zero-day exploits
Suspicious network traffic to known malicious IP addresses
Potential insider threats
Potential security risks associated with third-party applications
Potential security breaches involving privileged accounts
Potential security breaches in third-party applications
Suspicious user activity on mobile devices
Potential security vulnerabilities in system software
Suspicious network traffic patterns or anomalies