← Back to Explore
crowdstrike_cql
Identify Shadow SaaS
This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.
Detection Query
#event_simpleName=DnsRequest DomainName=*
| match(file="shadow-saas.csv", field=[DomainName], column=[Domains], strict=true,mode=glob)
| Category=?Category
| Vendor=?Vendor
| Application=?Application
| groupBy(ComputerName, Vendor, Application, Category)
Author
ByteRay GmbH
Data Sources
Endpoint
Platforms
windowslinux
Tags
Monitoringcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Identify Shadow SaaS
# MITRE ATT&CK technique IDs
mitre_ids:
- T1526
# Description of what the query does and its purpose.
description: |
This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#event_simpleName=DnsRequest DomainName=*
| match(file="shadow-saas.csv", field=[DomainName], column=[Domains], strict=true,mode=glob)
| Category=?Category
| Vendor=?Vendor
| Application=?Application
| groupBy(ComputerName, Vendor, Application, Category)