crowdstrike_cql
Cloud Data Exfiltration IOMs
This query lists indicators of misconfiguration (IOMs) tagged with the Data Exfiltration attack type, grouped by policy with a count of detections and the time of the most recent one. Note that, as written, the query also restricts results to IOMs whose `service` field is `Identity`, so IOMs on other cloud services are not returned.
Detection Query
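| #repo=base_sensor "event-type" = "cspm_policy_*" vertex_type=ioa
// Translate the numeric policy_severity into a human-readable Severity label.
// Values outside 0-3 are kept, not dropped, and labelled "Unknown (<value>)".
| case {
    policy_severity = 0 | Severity := "Critical"
  ; policy_severity = 1 | Severity := "High"
  ; policy_severity = 2 | Severity := "Medium"
  ; policy_severity = 3 | Severity := "Informational"
  ; * | Severity := format("Unknown (%s)", field=policy_severity)
  }
// NOTE(review): this line is a filter, not an assignment — it keeps only IOMs whose
// service field equals "Identity". Data-exfiltration IOMs on storage, database or
// other cloud services are therefore excluded, which contradicts the query's
// description ("all ... IOMs related to data exfiltration"). Confirm this scoping
// is intended, or remove the line.
| service = Identity
// Normalise cloud_provider into a display name; any other provider is upper-cased as-is.
| case {
    cloud_provider = "aws" | Provider := "AWS"
  ; cloud_provider = "azure" | Provider := "Azure"
  ; cloud_provider = "gcp" | Provider := "GCP"
  ; * | Provider := upper(cloud_provider)
  }
// attack_types is an array; flatten it into one newline-separated string for display.
| "Attack types" := concatArray("attack_types", separator="\n")
// Keep only IOMs that carry the Data Exfiltration attack type.
// Filtered here, before groupBy(), so the aggregation only processes relevant events,
// and done as an unanchored (substring) regex rather than an exact match: the field
// above joins multiple attack types with "\n", so an exact `= "Data Exfiltration"`
// silently drops every IOM that has more than one attack type.
| "Attack types" = /Data Exfiltration/
| "Tactic and technique" := format("%s via %s", field=[mitre_attack_tactic, mitre_attack_technique])
// One row per policy and its display attributes. Detections counts distinct
// @timestamp values, so two IOM events that share a timestamp collapse into one.
| groupBy(
    [policy_id, Severity, Provider, cloud_service_friendly, policy_statement, policy_description, "Tactic and technique", "Attack types"]
  , limit=max
  , function=[
      count(@timestamp, distinct=true, as=Detections)
    , { max(@timestamp, as="Last detection") | "Last detection" := formatTime("%F %T %Z", field="Last detection")}
    ]
  )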
Author
CrowdStrike
Data Sources
Cloud
Platforms
cloud
Tags
Monitoring; cs_module: CSPM / ASPM / DSPM
Raw Content
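# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Cloud Data Exfiltration IOMs
# Description of what the query does and its purpose.
description: This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Cloud
# The CrowdStrike modules required to run this query.
cs_required_modules:
  - CSPM / ASPM / DSPM
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
# Every query line must be indented more deeply than the `cql:` key, otherwise the
# block scalar ends immediately and the file does not parse. CQL `//` comments are
# plain content inside the scalar and are passed through to the query engine.
cql: |
  | #repo=base_sensor "event-type" = "cspm_policy_*" vertex_type=ioa
  // Translate the numeric policy_severity into a human-readable Severity label.
  // Values outside 0-3 are kept, not dropped, and labelled "Unknown (<value>)".
  | case {
      policy_severity = 0 | Severity := "Critical"
    ; policy_severity = 1 | Severity := "High"
    ; policy_severity = 2 | Severity := "Medium"
    ; policy_severity = 3 | Severity := "Informational"
    ; * | Severity := format("Unknown (%s)", field=policy_severity)
    }
  // NOTE(review): this line is a filter, not an assignment — it keeps only IOMs whose
  // service field equals "Identity". Data-exfiltration IOMs on storage, database or
  // other cloud services are therefore excluded, which contradicts the description
  // above ("all ... IOMs related to data exfiltration"). Confirm this scoping is
  // intended, or remove the line.
  | service = Identity
  // Normalise cloud_provider into a display name; any other provider is upper-cased as-is.
  | case {
      cloud_provider = "aws" | Provider := "AWS"
    ; cloud_provider = "azure" | Provider := "Azure"
    ; cloud_provider = "gcp" | Provider := "GCP"
    ; * | Provider := upper(cloud_provider)
    }
  // attack_types is an array; flatten it into one newline-separated string for display.
  | "Attack types" := concatArray("attack_types", separator="\n")
  // Keep only IOMs that carry the Data Exfiltration attack type.
  // Filtered here, before groupBy(), so the aggregation only processes relevant events,
  // and done as an unanchored (substring) regex rather than an exact match: the field
  // above joins multiple attack types with "\n", so an exact `= "Data Exfiltration"`
  // silently drops every IOM that has more than one attack type.
  | "Attack types" = /Data Exfiltration/
  | "Tactic and technique" := format("%s via %s", field=[mitre_attack_tactic, mitre_attack_technique])
  // One row per policy and its display attributes. Detections counts distinct
  // @timestamp values, so two IOM events that share a timestamp collapse into one.
  | groupBy(
      [policy_id, Severity, Provider, cloud_service_friendly, policy_statement, policy_description, "Tactic and technique", "Attack types"]
    , limit=max
    , function=[
        count(@timestamp, distinct=true, as=Detections)
      , { max(@timestamp, as="Last detection") | "Last detection" := formatTime("%F %T %Z", field="Last detection")}
      ]
    )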