← Back to Explore
crowdstrike_cqlHunting
External Connectons with Process
Detection Query
#event_simpleName=NetworkConnectIP4 aid=?aid ComputerName=?Computername RemoteAddressIP4=?RemoteIP
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8","192.168.0.0/16","172.16.0.0/12","127.0.0.0/8"])
| join({#event_simpleName=ProcessRollup2 FileName=?Processname }, field=[ContextProcessId],key=TargetProcessId, include=[FileName, UserName,ImageFileName, RemoteAddressIP4, RemotePort,CommandLine], mode=left)
| groupBy(UserName, function=collect([FileName, UserName, ImageFileName, RemoteIP, RPort, CommandLine]))
| sort([_count], order=asc)
Author
CrowdStrike
Data Sources
Endpoint
Platforms
windowslinux
Tags
Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: External Connectons with Process
# MITRE ATT&CK technique IDs
#mitre_ids:
# Description of what the query does and its purpose.
#description:
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# Tags for filtering and categorization.
tags:
- Hunting
cs_required_modules:
- Insight
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#event_simpleName=NetworkConnectIP4 aid=?aid ComputerName=?Computername RemoteAddressIP4=?RemoteIP
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8","192.168.0.0/16","172.16.0.0/12","127.0.0.0/8"])
| join({#event_simpleName=ProcessRollup2 FileName=?Processname }, field=[ContextProcessId],key=TargetProcessId, include=[FileName, UserName,ImageFileName, RemoteAddressIP4, RemotePort,CommandLine], mode=left)
| groupBy(UserName, function=collect([FileName, UserName, ImageFileName, RemoteIP, RPort, CommandLine]))
| sort([_count], order=asc)