ag-michael · August 8, 2025 05:22 · Jul 15, 2019 · Apr 1, 2019 · Apr 1, 2019
diff --git a/FalconHuntqueries.md b/FalconHuntqueries.md
@@ -381,4 +381,15 @@ event_simpleName=ProcessRollup* AND NOT FileName IN ("gpupdate.exe","winmgmt.exe
 | rename FileName as ChildFileName
 | join  TargetProcessId_decimal    
     [search event_simpleName=ProcessRollup* FileName="powershell.exe" AND NOT CommandLine IN ("*sccm*","*gpclient*")]
-| table ComputerName FileName CommandLine ChildFileName ChildCommandLine
+| table ComputerName FileName CommandLine ChildFileName ChildCommandLine
+```
+### Look for processes and users starting powershell
+
+```
+FileName="powershell.exe" 
+|  dedup CommandLine
+| rename CommandLine as ChildCommandLine
+| join    ParentProcessId_decimal 
+    [search event_simpleName=ProcessRollup*]
+| table ComputerName UserName FileName CommandLine ChildCommandLine 
+```
diff --git a/FalconHuntqueries.md b/FalconHuntqueries.md
@@ -1,40 +1,40 @@
 
-### (timestamp convert: )
+### timestamp convert: 
 ```
 
  convert ctime(timestamp/1000)
 ```
-### (.top,.club,.xyz,.ru domain lookups where the amount of lookup for the domain is more than 1 and less than 4 per computer)
+### .top,.club,.xyz,.ru domain lookups where the amount of lookup for the domain is more than 1 and less than 4 per computer
 ```
 
 aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName| where count <4 | sort – count
 
 ```
-### (.top,.club,.xyz,.ru domain lookups ,rare domainnames and computer names deduplicated by domain name)
+### .top,.club,.xyz,.ru domain lookups ,rare domainnames and computer names deduplicated by domain name
 ```
 
 aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50|dedup DomainName| table DomainName,ComputerName
 
 ```
-### (.top,.club,.xyz,.ru and numeric domain lookups,rare domainnames and computer names)
+### .top,.club,.xyz,.ru and numeric domain lookups,rare domainnames and computer names
 ```
 
 aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | rare DomainName,ComputerName limit=100 | table DomainName ComputerName
 
 ```
-### (.top,.club,.xyz,.ru domain lookups rare domainnames and computer names process execution details included)
+### .top,.club,.xyz,.ru domain lookups rare domainnames and computer names process execution details included
 ```
 
 aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50| rename ContextProcessId as TargetProcessId|join TargetProcessId [search event_simpleName="ProcessRollup2"] | table ComputerName timestamp ImageFileName DomainName CommandLine
 
 ```
-### (dns reqeusts from non-browser processes)
+### dns reqeusts from non-browser processes
 ```
 
 event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search event_simpleName="ProcessRollup2" AND  OR NOT ImageFileName="iexplore.exe" AND NOT ImageFileName="chrome.exe" AND NOT ImageFileName="firefox.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine
 
 ```
-### (dns requests by a specific process name)
+### dns requests by a specific process name
 ```
 
 event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.microsoft.com","*.symcb.com","*.symcd.com","*.digicert.com","*.intel.com","*.verisign.com","monitoring*.amazonaws.com","*.live.com","*.virtualearth.net")
@@ -43,7 +43,7 @@ event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.mic
 | table ComputerName DomainName CommandLine
 
 ```
-### (dns reqeusts from unusual processes with command line and process sha256hash included)
+### dns reqeusts from unusual processes with command line and process sha256hash included
 ```
 
 event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net") 
@@ -52,13 +52,13 @@ event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.ado
 |  table ComputerName timestamp ImageFileName DomainName CommandLine SHA256HashData
 
 ```
-### (cscript,wscript and powershell commands with http/https urls exlcuding some domain names )
+### cscript,wscript and powershell commands with http/https urls exlcuding some domain names 
 ```
 
 event_simpleName="ProcessRollup2" AND NOT CommandLine="*site.com*" AND (CommandLine="*bitsadmin*"  OR CommandLine="*wscript*" OR CommandLine="*powershell*" OR CommandLine="*cscript*" )| regex CommandLine=".*\^.*|.*https*:\/\/.*\..*" |dedup CommandLine| table CommandLine ComputerName
 
 ```
-### (network connections to unusual ports by unusual processes )
+### network connections to unusual ports by unusual processes 
 ```
 
 event_simpleName=NetworkConnectIP4 AND NOT  RemoteAddressIP4 IN ("127.0.0.1","10.0.0.0/8","130.201.*","161.*",,"239.*","129.23*","172.*","192.168.*") AND NOT RemotePort_decimal IN (80,88,22,443,389,8081,135,445,1433) 
@@ -68,12 +68,12 @@ event_simpleName=NetworkConnectIP4 AND NOT  RemoteAddressIP4 IN ("127.0.0.1","10
 |  table ComputerName TargetProcessId_decimal timestamp ImageFileName RemotePort_decimal RemoteAddressIP4 Protocol_decimal CommandLine,SHA256HashData 
 
 ```
-### (simple domain name count search by computer (to see which computer is making the most dns lookups))
+### simple domain name count search by computer (to see which computer is making the most dns lookups)
 ```
 
 aid=* event_simpleName=DnsRequest AND NOT DomainName IN ("*mcafee.com","*windows.net","*microsoft.com","*.coupahost.com")| chart count by ComputerName limit=100
 ```
-### (  powershell/cscript/wscript started by office processes )
+###   powershell/cscript/wscript started by office processes 
 ```
 
 event_simpleName=ProcessRollup2 FileName IN ("powershell.exe","cscript.exe","wscript.exe")
@@ -85,7 +85,7 @@ event_simpleName=ProcessRollup2 FileName IN ("powershell.exe","cscript.exe","wsc
 | table ComputerName TargetProcessId_decimal ParentFileName FileName ParentCmd  ParentSHA256 
 
 ```
-### (browser processes with commandline containing suspicious extensions )
+### Browser processes with commandline containing suspicious extensions 
 ```
 
 event_simpleName="ProcessRollup*" AND FileName IN ("iexplore.exe","chrome.exe","firefox.exe") AND CommandLine IN ("*.jar*","*.exe*","*.scr*","*.vbs*","*.bat*","*.cmdline*")
@@ -97,7 +97,7 @@ event_simpleName="ProcessRollup*" AND FileName IN ("iexplore.exe","chrome.exe","
 | table ComputerName document url CommandLine 
 
 ```
-### (browsers that were started by outlook with suspICIous URLs)
+### browsers that were started by outlook with suspiCIOus URLs
 ```
 
 event_simpleName=ProcessRollup2 FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe")
@@ -113,7 +113,7 @@ event_simpleName=ProcessRollup2 FileName IN ("iexplore.exe","firefox.exe","chrom
 | table ComputerName document url ParentCmd ParentFileName ParentSHA256
 
 ```
-### (commandline with .vbs and a parent outlook process)
+### commandline with .vbs and a parent outlook process
 ```
 
 event_simpleName=ProcessRollup2 AND CommandLine="*.vbs*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
@@ -127,7 +127,7 @@ event_simpleName=ProcessRollup2 AND CommandLine="*.vbs*" AND FileName IN ("iexpl
 | table ComputerName url ParentCmd ParentFileName ParentSHA256 
 
 ```
-### ( Data uRI hunt)
+###  DAta urI hunt
 ```
 
 event_simpleName=ProcessRollup2 AND CommandLine="*data:*" AND NOT CommandLine="*aka.ms*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
@@ -136,7 +136,7 @@ event_simpleName=ProcessRollup2 AND CommandLine="*data:*" AND NOT CommandLine="*
 | table _time ComputerName dataurl CommandLine 
 
 ```
-### (file written events where the target file is under a user's downloads folder)
+### file written events where the target file is under a user's downloads folder
 ```
 
 event_simpleName IN (BZip2FileWritten,DmpFileWritten,DwgFileWritten,IdwFileWritten,JarFileWritten,MachOFileWritten,NetworkCapableAsepWrite,NewEecutableWritten,NewScriptWritten,OleFileWritten,OomlFileWritten,PdfFileWritten,PeFileWritten,RarFileWritten,RtfFileWritten,SevenZipFileWritten,TarFileWritten,XarFileWritten,ZipFileWritten)  AND TargetFileName="*\Users\*\Downloads\*"  AND NOT FileName IN ("*.crdownload","*.partial")
@@ -145,14 +145,14 @@ event_simpleName IN (BZip2FileWritten,DmpFileWritten,DwgFileWritten,IdwFileWritt
 |  table ComputerName FileName TargetFileName  SHA256HashData 
 
 ```
-### (hunt for a specific powershell command pattern)
+### hunt for a specific powershell command pattern
 ```
 
 FileName IN ("cmd.exe","powershell.exe") AND CommandLine="*`*`*"  AND NOT CommandLine IN ("*Get-AppvClientPackage*")
 |  table ComputerName CommandLine
 
 ```
-### (links opened from outlook)
+### links opened from outlook
 ```
 
 aid=* event_simpleName=ProcessRollup2  FileName=outlook.exe 
@@ -170,14 +170,14 @@ aid=* event_simpleName=ProcessRollup2  FileName=outlook.exe
 |  table ComputerName UserName Parent ParentCmd FileName url CommandLine aid
 
 ```
-### ( outlook attachments)
+###  outlook attachments
 ```
 
 event_simpleName="ProcessRollup*" AND CommandLine="*content.outlook*" AND FileName IN ("*zip*","*java*","explorer.exe","*rundll32*","*powershell*","*cscript.exe*","*wscript.exe*")
 |  table ComputerName FileName CommandLine TargetFileName  SHA256HashData 
 
 ```
-### (falcon "custom" timeline suffix)
+### Falcon "custom" timeline suffix
 ```
 
 aid=*
@@ -195,7 +195,7 @@ aid=*
 
 
 ```
-### (rare commands of wmic.exe (replace with suspect exe))
+### rare commands of wmic.exe (replace with suspect exe)
 ```
 
 FileName=wmic.exe 
@@ -204,7 +204,7 @@ FileName=wmic.exe
 |  table _time ComputerName UserName CommandLine 
 
 ```
-### ( rare powershell commands)
+###  rare powershell commands
 ```
 
  FileName=powershell.exe event_simpleName=ProcessRollup* 
@@ -213,7 +213,7 @@ FileName=wmic.exe
 |  table _time ComputerName UserName CommandLine 
 
 ```
-### ( suspicious network connections by unusual processes )
+###  suspicious network connections by unusual processes 
 ```
 
 event_simpleName="NetworkConnect*" AND NOT  RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","239.*","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*")
@@ -225,7 +225,7 @@ event_simpleName="NetworkConnect*" AND NOT  RemoteAddressIP4 IN ("127.0.0.0/8","
 | table count ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine
 
 ```
-### (network connections by specific processes to specific networks)
+### Network connections by specific processes to specific networks
 ```
 
 event_simpleName="NetworkConnect*" AND   RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*","40.*")
@@ -236,7 +236,7 @@ event_simpleName="NetworkConnect*" AND   RemoteAddressIP4 IN ("127.0.0.0/8","10.
 | table  ComputerName UserName RemoteAddressIP4 FileName CommandLine
 
 ```
-### (network connections by specific processes to specific networks and specific port)
+### Network connections by specific processes to specific networks and specific port
 ```
 
 
@@ -248,7 +248,7 @@ event_simpleName="NetworkConnect*"   AND RemotePort_decimal=135 AND RemoteAddres
 | table  ComputerName UserName RemoteAddressIP4 FileName CommandLine
 
 ```
-### ( unusual executions of wscript/wmic/bitsadmin,etc... by  productivity apps)
+###  unusual executions of wscript/wmic/bitsadmin,etc... by  productivity apps
 ```
 
 event_simpleName="ProcessRollup*" AND FileName IN ("powershell.exe","wscript.exe","wmic.exe","bitsadmin.exe","certutil.exe") 
@@ -258,7 +258,7 @@ event_simpleName="ProcessRollup*" AND FileName IN ("powershell.exe","wscript.exe
 | table  ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine
 
 ```
-### (Dns hunt for unuusal domain lookups by specific processes)
+### dNs hunt for unuusal domain lookups by specific processes
 ```
 
 event_simpleName="DnsRequest*" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net","*.sharepoint.com","*.azure.com","*knetz.net","*live.net","*.amazonaws.com","*.local","*.dll","*.microsoftonline-p.net","*.outlook.com","*.msedge.net","*.office.com","*.office365.com","*.aadrm.com","*.sci-us.com","*.svccorp.com","*.dignitymemorial.com","*.coupahost.com") 
@@ -269,23 +269,23 @@ event_simpleName="DnsRequest*" AND DomainName="*.*" AND NOT DomainName IN ("*.ad
 | table  DomainName ComputerName UserName  FileName CommandLine
 
 ```
-### ( logon hunt)
+###  logon hunt
 ```
 
 
 event_simpleName IN ("UserLogon*", "Login*") 
 |  table _time AuthenticationId_decimal AuthenticationPackage ComputerName ConfigStateHash_decimal ContextProcessId_decimal ContextThreadId_decimal ContextTimeStamp_decimal EffectiveTransmissionClass_decimal EnabledPrivilegesBitmask_decimal Entitlements_decimal LinkedAuthenticationId_decimal LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal UserFlags_decimal UserGroupsBitmask_decimal UserIsAdmin_decimal UserLogonFlags_decimal UserName UserPrincipal UserSid_readable 
 
 ```
-### ( logon hunt speciifc auth package and type)
+###  logon hunt speciifc auth package and type
 ```
 
 
 event_simpleName IN ("UserLogon*", "Login*") AND LogonType_decimal=2 AND AuthenticationPackage=NTLM
 | chart count by UserName limit=100
 
 ```
-### ( command history hunt)
+###  command history hunt
 ```
 
 event_simpleName=CommandHistory 
@@ -295,7 +295,7 @@ event_simpleName=CommandHistory
 
 
 ```
-### ( command history hunt)
+###  command history hunt
 ```
 
 
@@ -306,22 +306,22 @@ event_simpleName=CommandHistory
 
 
 ```
-### (filename versions)
+### filename versions
 ```
 
 event_simpleName=PeVersion* AND FileName="iexplore.exe" 
 | dedup SHA256HashData
 | table ComputerName SHA256HashData VersionInfo
 
 ```
-### ( connections to a specific subnet and port counted by the Remote Ip where the count is low)
+###  connections to a specific subnet and port counted by the REmote iP where the count is low
 ```
 
 RemoteAddressIP4=10.0.0.0/8 RemotePort_decimal=445 
 | stats values(LocalAddressIP4) count by RemoteAddressIP4| where count <4 | sort – count
 
 ```
-### (commandHistory)
+### CommandHistory
 ```
 
 event_simpleName=CommandHistory
@@ -331,36 +331,36 @@ event_simpleName=CommandHistory
 
 
 ```
-### ( usb enumerate)
+###  usb enumerate
 ```
 
 
 | table _time ComputerName aip event_simpleName DeviceDescriptorSetHash    DeviceDescriptorUniqueIdentifier    DeviceProtocol_decimal       DeviceUsbClass_decimal    DeviceUsbSubclass_decimal MAC     LocalAddressIP4
 
 ```
-### ( lnk on removable drive root)
+###  lnk on removable drive root
 ```
 
 LinkName="*lnk"
 | regex LinkName="[d-zD-Z]:\\\[\\w\\d -_]*\\.lnk"
 
 ```
-### ( lnk exeuction from external drives hunt)
+###  lnk exeuction from external drives hunt
 ```
 
 event_simpleName=ProcessRollup* AND LinkName="*.lnk" AND NOT FileName IN ("WINWORD.EXE","EXCEL.EXE","MSACCESS.EXE","AcroRd32.exe")| regex LinkName="[d-zD-Z]:\\\[\w\d -_]*\\.lnk"
 | table _time ComputerName LinkName FileName CommandLine
 
 ```
-### (DEV -> proD logins)
+### DEV -> prod logins
 ```
 
 event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") AND ComputerName IN ("*prd*","*PROD*")
 | regex UserName=".*[sS][vV][cC][dDtT][Ee][vVsS].*" 
 |  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 
 
 ```
-### (above for any machine)
+### above for any machine
 ```
 
 event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") 
@@ -371,7 +371,7 @@ event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svcdev*","*svcte
 |  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 
 
 ```
-### ( look for processes started by powershell  excluding specific processes and specific powershell command patterns)
+###  look for processes started by powershell  excluding specific processes and specific powershell command patterns
 ```
 
 event_simpleName=ProcessRollup* AND NOT FileName IN ("gpupdate.exe","winmgmt.exe","sc.exe","attrib.exe","reg.exe","schtasks.exe","wermgr.exe","msbuild.exe","csc.exe")

diff --git a/FalconHuntqueries.md b/FalconHuntqueries.md
@@ -0,0 +1,384 @@
+
+### (timestamp convert: )
+```
+
+ convert ctime(timestamp/1000)
+```
+### (.top,.club,.xyz,.ru domain lookups where the amount of lookup for the domain is more than 1 and less than 4 per computer)
+```
+
+aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName| where count <4 | sort – count
+
+```
+### (.top,.club,.xyz,.ru domain lookups ,rare domainnames and computer names deduplicated by domain name)
+```
+
+aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50|dedup DomainName| table DomainName,ComputerName
+
+```
+### (.top,.club,.xyz,.ru and numeric domain lookups,rare domainnames and computer names)
+```
+
+aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | rare DomainName,ComputerName limit=100 | table DomainName ComputerName
+
+```
+### (.top,.club,.xyz,.ru domain lookups rare domainnames and computer names process execution details included)
+```
+
+aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50| rename ContextProcessId as TargetProcessId|join TargetProcessId [search event_simpleName="ProcessRollup2"] | table ComputerName timestamp ImageFileName DomainName CommandLine
+
+```
+### (dns reqeusts from non-browser processes)
+```
+
+event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search event_simpleName="ProcessRollup2" AND  OR NOT ImageFileName="iexplore.exe" AND NOT ImageFileName="chrome.exe" AND NOT ImageFileName="firefox.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine
+
+```
+### (dns requests by a specific process name)
+```
+
+event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.microsoft.com","*.symcb.com","*.symcd.com","*.digicert.com","*.intel.com","*.verisign.com","monitoring*.amazonaws.com","*.live.com","*.virtualearth.net")
+|  rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND  FileName IN ("WmiPrvSE.exe","cscript.exe","svchost.exe","powershell.exe")] 
+| dedup DomainName,ComputerName
+| table ComputerName DomainName CommandLine
+
+```
+### (dns reqeusts from unusual processes with command line and process sha256hash included)
+```
+
+event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net") 
+| rename ContextProcessId_decimal as TargetProcessId_decimal
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND NOT ImageFileName IN ("*\opera.exe" ,"*\iexplore.exe" ,"*\chrome.exe" ,"*\firefox.exe" ,"*\SearchProtocolHost.exe")] 
+|  table ComputerName timestamp ImageFileName DomainName CommandLine SHA256HashData
+
+```
+### (cscript,wscript and powershell commands with http/https urls exlcuding some domain names )
+```
+
+event_simpleName="ProcessRollup2" AND NOT CommandLine="*site.com*" AND (CommandLine="*bitsadmin*"  OR CommandLine="*wscript*" OR CommandLine="*powershell*" OR CommandLine="*cscript*" )| regex CommandLine=".*\^.*|.*https*:\/\/.*\..*" |dedup CommandLine| table CommandLine ComputerName
+
+```
+### (network connections to unusual ports by unusual processes )
+```
+
+event_simpleName=NetworkConnectIP4 AND NOT  RemoteAddressIP4 IN ("127.0.0.1","10.0.0.0/8","130.201.*","161.*",,"239.*","129.23*","172.*","192.168.*") AND NOT RemotePort_decimal IN (80,88,22,443,389,8081,135,445,1433) 
+|  rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND NOT CommandLine IN ("C:\Program Files*" ,"C:\Program Files \(x86\)*","*ovdeploy*") AND NOT ImageFileName IN ("*\recline.exe","*\chrome.exe","*\iexplore.exe","*\firefox.exe","*\site_server.exe" ,"*\pmdtm.exe" ,"*\ovc.exe" ,"*\erl.exe" ,"*\hasys.exe" ,"*\rtmd.exe" ,"*\dm_agent_exec.exe" ,"*\hagrp.exe")] 
+| dedup CommandLine SHA256HashData
+|  table ComputerName TargetProcessId_decimal timestamp ImageFileName RemotePort_decimal RemoteAddressIP4 Protocol_decimal CommandLine,SHA256HashData 
+
+```
+### (simple domain name count search by computer (to see which computer is making the most dns lookups))
+```
+
+aid=* event_simpleName=DnsRequest AND NOT DomainName IN ("*mcafee.com","*windows.net","*microsoft.com","*.coupahost.com")| chart count by ComputerName limit=100
+```
+### (  powershell/cscript/wscript started by office processes )
+```
+
+event_simpleName=ProcessRollup2 FileName IN ("powershell.exe","cscript.exe","wscript.exe")
+| rename CommandLine as ParentCmd
+| rename FileName as ParentFileName
+| rename SHA256HashData as ParentSHA256
+|  dedup ParentCmd
+|  join  TargetProcessId_decimal,aid [search  FileName IN ("WINWORD.EXE","OUTLOOK.EXE","EXCEL.EXE","ACRORD*.EXE","POWERPNT.EXE") ] 
+| table ComputerName TargetProcessId_decimal ParentFileName FileName ParentCmd  ParentSHA256 
+
+```
+### (browser processes with commandline containing suspicious extensions )
+```
+
+event_simpleName="ProcessRollup*" AND FileName IN ("iexplore.exe","chrome.exe","firefox.exe") AND CommandLine IN ("*.jar*","*.exe*","*.scr*","*.vbs*","*.bat*","*.cmdline*")
+| regex CommandLine=".*/\w+\.(jar|exe|scr|vbs|bat|cmdline)[^\w\?].*"
+|  rex field=CommandLine "https?://.*/(?<document>.*\.[a-zA-Z]+)" 
+| rex field=CommandLine "(?<url>https?://.*)"
+|  dedup url
+| dedup document
+| table ComputerName document url CommandLine 
+
+```
+### (browsers that were started by outlook with suspICIous URLs)
+```
+
+event_simpleName=ProcessRollup2 FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe")
+| rename CommandLine as ParentCmd
+| rename FileName as ParentFileName
+| rename SHA256HashData as ParentSHA256
+|  join max=1000 TargetProcessId [search  FileName IN ("OUTLOOK.EXE")] 
+| rex field=ParentCmd " (?<url>https?://.*)"
+| dedup url
+| search NOT url IN ("*atmgr.exe*","*mercator:*","*lync.exe*","*officeredir.microsoft.com*")
+| regex url=".*(\.exe|\.rar\|.zip|\.jar|\.vbs).*"
+|   rex field=CommandLine "https?://.*/(?<document>.*\.[a-zA-Z]+)" 
+| table ComputerName document url ParentCmd ParentFileName ParentSHA256
+
+```
+### (commandline with .vbs and a parent outlook process)
+```
+
+event_simpleName=ProcessRollup2 AND CommandLine="*.vbs*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
+| rename CommandLine as ParentCmd
+| rename FileName as ParentFileName
+| rename SHA256HashData as ParentSHA256
+|  join  TargetProcessId [search  FileName IN ("OUTLOOK.EXE")] 
+| rex field=ParentCmd " (?<url>https?://.*)"
+| dedup url
+| search url="*.*" AND NOT url IN ("*delldisplaymanager.com*","*mercator:*")
+| table ComputerName url ParentCmd ParentFileName ParentSHA256 
+
+```
+### ( Data uRI hunt)
+```
+
+event_simpleName=ProcessRollup2 AND CommandLine="*data:*" AND NOT CommandLine="*aka.ms*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
+| rex field=CommandLine "(?<dataurl>data:.*)"
+| dedup dataurl
+| table _time ComputerName dataurl CommandLine 
+
+```
+### (file written events where the target file is under a user's downloads folder)
+```
+
+event_simpleName IN (BZip2FileWritten,DmpFileWritten,DwgFileWritten,IdwFileWritten,JarFileWritten,MachOFileWritten,NetworkCapableAsepWrite,NewEecutableWritten,NewScriptWritten,OleFileWritten,OomlFileWritten,PdfFileWritten,PeFileWritten,RarFileWritten,RtfFileWritten,SevenZipFileWritten,TarFileWritten,XarFileWritten,ZipFileWritten)  AND TargetFileName="*\Users\*\Downloads\*"  AND NOT FileName IN ("*.crdownload","*.partial")
+|  dedup SHA256HashData 
+| dedup TargetFileName
+|  table ComputerName FileName TargetFileName  SHA256HashData 
+
+```
+### (hunt for a specific powershell command pattern)
+```
+
+FileName IN ("cmd.exe","powershell.exe") AND CommandLine="*`*`*"  AND NOT CommandLine IN ("*Get-AppvClientPackage*")
+|  table ComputerName CommandLine
+
+```
+### (links opened from outlook)
+```
+
+aid=* event_simpleName=ProcessRollup2  FileName=outlook.exe 
+|  dedup aid TargetProcessId_decimal 
+|  rename FileName as Parent 
+|  rename CommandLine as ParentCmd 
+|  table ComputerName aid TargetProcessId_decimal Parent ParentCmd 
+|  join max=0 aid TargetProcessId_decimal [search name=ProcessRollup* FileName=chrome.exe OR FileName=firefox.exe OR FileName=iexplore.exe  AND CommandLine="*http*"
+    |  rename ParentProcessId_decimal as TargetProcessId_decimal 
+    |  rename MD5HashData as MD5 
+    |  rename FilePath as ChildPath 
+    |  dedup aid TargetProcessId_decimal MD5 
+    |  fields aid TargetProcessId_decimal FileName CommandLine] 
+|  rex field=CommandLine "(?<url>https?://.*)"
+|  table ComputerName UserName Parent ParentCmd FileName url CommandLine aid
+
+```
+### ( outlook attachments)
+```
+
+event_simpleName="ProcessRollup*" AND CommandLine="*content.outlook*" AND FileName IN ("*zip*","*java*","explorer.exe","*rundll32*","*powershell*","*cscript.exe*","*wscript.exe*")
+|  table ComputerName FileName CommandLine TargetFileName  SHA256HashData 
+
+```
+### (falcon "custom" timeline suffix)
+```
+
+aid=*
+|rename ParentProcessId_decimal as "Parent Process ID" 
+|rename _time as Timestamp
+|rename TargetProcessId_decimal as "Process ID"
+|rename event_simpleName as "Event"
+|rename FileName as "File Loaded/Executed"
+|rename DomainName as "Domain"
+|rename RemoteAddressIP4 as DestIP
+|rename LocalAddressIP4 as LocalIP
+| rename RemotePort_decimal as RemotePort
+|rename TargetFileName as "File Accessed/Written"
+| table Timestamp "Parent Process ID" "Process ID" Event "File Loaded/Executed" CommandLine SHA256HashData Domain  "File Accessed/Written" LocalIP DestIP RemotePort UserSid_readable UserName aid 
+
+
+```
+### (rare commands of wmic.exe (replace with suspect exe))
+```
+
+FileName=wmic.exe 
+| dedup CommandLine
+|  rare limit=50 _time ComputerName UserName  by CommandLine showcount=true 
+|  table _time ComputerName UserName CommandLine 
+
+```
+### ( rare powershell commands)
+```
+
+ FileName=powershell.exe event_simpleName=ProcessRollup* 
+| dedup CommandLine 
+|  rare limit=50 _time ComputerName UserName  by CommandLine showcount=true 
+|  table _time ComputerName UserName CommandLine 
+
+```
+### ( suspicious network connections by unusual processes )
+```
+
+event_simpleName="NetworkConnect*" AND NOT  RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","239.*","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*")
+|   rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","WSCRIPT.EXE") AND CommandLine IN ("*:\\Users\\*\\Downloads\\*")
+    | dedup CommandLine]
+| rex field=CommandLine ".*\\\\(?<shortname>.*)"
+| dedup shortname 
+| table count ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine
+
+```
+### (network connections by specific processes to specific networks)
+```
+
+event_simpleName="NetworkConnect*" AND   RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*","40.*")
+|   rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2"  AND FileName IN ("PSEXEC.EXE","WINRM.EXE","MSTSC.EXE")
+    ]
+| dedup UserName,RemoteAddressIP4
+| table  ComputerName UserName RemoteAddressIP4 FileName CommandLine
+
+```
+### (network connections by specific processes to specific networks and specific port)
+```
+
+
+event_simpleName="NetworkConnect*"   AND RemotePort_decimal=135 AND RemoteAddressIP4  IN ("127.0.0.0/8","10.0.0.0/8","130.201.*","161.*","149.*","239.*","129.23*","172.16.0.0/12","192.168.0.0/16","138.*","169.254.0.0/16","104.*","23.*","13.*","52.*","40.*")
+|   rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2"  AND FileName IN ("PSEXEC.EXE","WINRM.EXE","POWERSHELL.EXE","WSCRIPT.EXE")
+    ]
+| dedup UserName,RemoteAddressIP4
+| table  ComputerName UserName RemoteAddressIP4 FileName CommandLine
+
+```
+### ( unusual executions of wscript/wmic/bitsadmin,etc... by  productivity apps)
+```
+
+event_simpleName="ProcessRollup*" AND FileName IN ("powershell.exe","wscript.exe","wmic.exe","bitsadmin.exe","certutil.exe") 
+|   rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","plugincontainer.exe")
+    | dedup CommandLine]
+| table  ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine
+
+```
+### (Dns hunt for unuusal domain lookups by specific processes)
+```
+
+event_simpleName="DnsRequest*" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net","*.sharepoint.com","*.azure.com","*knetz.net","*live.net","*.amazonaws.com","*.local","*.dll","*.microsoftonline-p.net","*.outlook.com","*.msedge.net","*.office.com","*.office365.com","*.aadrm.com","*.sci-us.com","*.svccorp.com","*.dignitymemorial.com","*.coupahost.com") 
+|   rename ContextProcessId_decimal as TargetProcessId_decimal 
+|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup*" AND FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","plugincontainer.exe","powershell.exe","wscript.exe","java*.exe")
+    ]
+| dedup CommandLine,DomainName
+| table  DomainName ComputerName UserName  FileName CommandLine
+
+```
+### ( logon hunt)
+```
+
+
+event_simpleName IN ("UserLogon*", "Login*") 
+|  table _time AuthenticationId_decimal AuthenticationPackage ComputerName ConfigStateHash_decimal ContextProcessId_decimal ContextThreadId_decimal ContextTimeStamp_decimal EffectiveTransmissionClass_decimal EnabledPrivilegesBitmask_decimal Entitlements_decimal LinkedAuthenticationId_decimal LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal UserFlags_decimal UserGroupsBitmask_decimal UserIsAdmin_decimal UserLogonFlags_decimal UserName UserPrincipal UserSid_readable 
+
+```
+### ( logon hunt speciifc auth package and type)
+```
+
+
+event_simpleName IN ("UserLogon*", "Login*") AND LogonType_decimal=2 AND AuthenticationPackage=NTLM
+| chart count by UserName limit=100
+
+```
+### ( command history hunt)
+```
+
+event_simpleName=CommandHistory 
+|   join aid TargetProcessId_decimal [search UserName="*"
+     ] 
+| table _time ComputerName UserName WindowsTtitle WindowsStation  LocalAddressIP4 FileName ApplicationName CommandCount_decimal CommandHistory
+
+
+```
+### ( command history hunt)
+```
+
+
+event_simpleName=CommandHistory 
+|   join aid  [search UserName="*svc*" ] 
+| table _time ComputerName UserName    LocalAddressIP4 FileName ApplicationName  CommandHistory 
+
+
+
+```
+### (filename versions)
+```
+
+event_simpleName=PeVersion* AND FileName="iexplore.exe" 
+| dedup SHA256HashData
+| table ComputerName SHA256HashData VersionInfo
+
+```
+### ( connections to a specific subnet and port counted by the Remote Ip where the count is low)
+```
+
+RemoteAddressIP4=10.0.0.0/8 RemotePort_decimal=445 
+| stats values(LocalAddressIP4) count by RemoteAddressIP4| where count <4 | sort – count
+
+```
+### (commandHistory)
+```
+
+event_simpleName=CommandHistory
+| eval Commands=split(CommandHistory,"¶")
+|    join aid  [search UserName="*" ] 
+| table _time ComputerName ApplicationName UserName CommandCount_decimal Commands CommandHistory LocalAddressIP4 aip aid
+
+
+```
+### ( usb enumerate)
+```
+
+
+| table _time ComputerName aip event_simpleName DeviceDescriptorSetHash    DeviceDescriptorUniqueIdentifier    DeviceProtocol_decimal       DeviceUsbClass_decimal    DeviceUsbSubclass_decimal MAC     LocalAddressIP4
+
+```
+### ( lnk on removable drive root)
+```
+
+LinkName="*lnk"
+| regex LinkName="[d-zD-Z]:\\\[\\w\\d -_]*\\.lnk"
+
+```
+### ( lnk exeuction from external drives hunt)
+```
+
+event_simpleName=ProcessRollup* AND LinkName="*.lnk" AND NOT FileName IN ("WINWORD.EXE","EXCEL.EXE","MSACCESS.EXE","AcroRd32.exe")| regex LinkName="[d-zD-Z]:\\\[\w\d -_]*\\.lnk"
+| table _time ComputerName LinkName FileName CommandLine
+
+```
+### (DEV -> proD logins)
+```
+
+event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") AND ComputerName IN ("*prd*","*PROD*")
+| regex UserName=".*[sS][vV][cC][dDtT][Ee][vVsS].*" 
+|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 
+
+```
+### (above for any machine)
+```
+
+event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") 
+| regex UserName=".*[sS][vV][cC][dDtT][Ee][vVsS].*" 
+|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 
+
+event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svcdev*","*svctes*","*svcstg*") AND ComputerName IN ("*prd*","*prod*")
+|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 
+
+```
+### ( look for processes started by powershell  excluding specific processes and specific powershell command patterns)
+```
+
+event_simpleName=ProcessRollup* AND NOT FileName IN ("gpupdate.exe","winmgmt.exe","sc.exe","attrib.exe","reg.exe","schtasks.exe","wermgr.exe","msbuild.exe","csc.exe")
+| dedup CommandLine
+| rename ParentProcessId_decimal as TargetProcessId_decimal
+| rename CommandLine as ChildCommandLine
+| rename FileName as ChildFileName
+| join  TargetProcessId_decimal    
+    [search event_simpleName=ProcessRollup* FileName="powershell.exe" AND NOT CommandLine IN ("*sccm*","*gpclient*")]
+| table ComputerName FileName CommandLine ChildFileName ChildCommandLine