
Detect Critical Environment Variable Changes over SSH with Connection Details

The query identifies changes to critical environment variables made over SSH, extracts connection details such as the user and the local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Critical%20Environment%20Variable%20Changed%20SSH.md)

MITRE ATT&CK

TA0003

Detection Query

```
#event_simpleName=CriticalEnvironmentVariableChanged
| EnvironmentVariableName =/(SSH_CONNECTION|USER)/
| EnvironmentVariableValue=/(?<localIP>\d+\.\d+\.\d+\.\d+)\s+(?<localPort>\d+)\s+(?<remoteIP>\d+\.\d+\.\d+\.\d+)\s+(?<remotePort>\d+)$/i
| table([@timestamp, aid, userName, remoteIP, remotePort, localIP, localPort])
| "Process Explorer" := format("[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s)", field=["aid", "ContextProcessId"])
```
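As an added example (not part of the CrowdStrike query or the logscale-community repository), the same filtering and extraction logic written in Python and run over constructed sample events, so you can see which events the query keeps and which it silently drops: a `USER` value such as `root` passes the name filter but cannot match the IPv4 value regex, and an IPv6 `SSH_CONNECTION` value is dropped by the same pattern. One caveat worth knowing when reading the output columns: sshd populates `SSH_CONNECTION` as client IP, client port, server IP, server port, so the groups the query names `localIP`/`localPort` hold the connecting client's endpoint and `remoteIP`/`remotePort` hold the server side. The capture names below follow the query so the columns line up; the event field values, the `aid` and the `ContextProcessId` are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Name filter from the query. CQL `field=/regex/` is an unanchored search, hence re.search.
NAME_RE = re.compile(r"(SSH_CONNECTION|USER)")

# Value regex from the query, using Python's (?P<name>...) group syntax instead of (?<name>...).
# sshd writes SSH_CONNECTION as "client_ip client_port server_ip server_port"; the group names
# are kept as the query has them so the extracted columns match the CQL table() output.
SSH_CONNECTION_RE = re.compile(
    r"(?P<localIP>\d+\.\d+\.\d+\.\d+)\s+(?P<localPort>\d+)\s+"
    r"(?P<remoteIP>\d+\.\d+\.\d+\.\d+)\s+(?P<remotePort>\d+)$",
    re.IGNORECASE,
)

# Same link shape the query builds with format(); aid and ContextProcessId fill the two slots.
PROCESS_EXPLORER = "[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/{aid}/{pid})"

# Constructed sample events (not real Falcon telemetry); field names follow the query.
_BASE = {
    "@timestamp": "2024-01-01T10:00:00Z",
    "event_simpleName": "CriticalEnvironmentVariableChanged",
    "aid": "aid-constructed-0001",
    "ContextProcessId": "4242",
    "userName": "alice",
}
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # SSH login: passes the name filter and the value regex -> one output row
    {**_BASE, "EnvironmentVariableName": "SSH_CONNECTION",
     "EnvironmentVariableValue": "203.0.113.7 51234 192.0.2.10 22"},
    # USER change: passes the name filter, but "root" cannot match the IPv4 regex -> dropped
    {**_BASE, "EnvironmentVariableName": "USER", "EnvironmentVariableValue": "root"},
    # IPv6 SSH session: the IPv4-only pattern does not match -> dropped
    {**_BASE, "EnvironmentVariableName": "SSH_CONNECTION",
     "EnvironmentVariableValue": "2001:db8::1 51234 2001:db8::2 22"},
    # Unrelated event type: excluded by the #event_simpleName filter, not counted as dropped
    {**_BASE, "event_simpleName": "ProcessRollup2",
     "EnvironmentVariableName": "SSH_CONNECTION",
     "EnvironmentVariableValue": "203.0.113.7 51234 192.0.2.10 22"},
]


def hunt(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Apply the query's filters to a list of events.

    Returns (rows, dropped): rows are the columns the CQL table() emits plus the
    Process Explorer link; dropped lists the EnvironmentVariableName of events that
    passed the name filter but whose value did not match the SSH_CONNECTION regex.
    """
    rows: List[Dict[str, str]] = []
    dropped: List[str] = []
    for ev in events:
        if ev.get("event_simpleName") != "CriticalEnvironmentVariableChanged":
            continue
        name = ev.get("EnvironmentVariableName", "")
        if not NAME_RE.search(name):
            continue
        match = SSH_CONNECTION_RE.search(ev.get("EnvironmentVariableValue", ""))
        if match is None:
            dropped.append(name)
            continue
        rows.append({
            "@timestamp": ev.get("@timestamp", ""),
            "aid": ev.get("aid", ""),
            "userName": ev.get("userName", ""),
            "remoteIP": match.group("remoteIP"),
            "remotePort": match.group("remotePort"),
            "localIP": match.group("localIP"),
            "localPort": match.group("localPort"),
            "Process Explorer": PROCESS_EXPLORER.format(
                aid=ev.get("aid", ""), pid=ev.get("ContextProcessId", "")),
        })
    return rows, dropped


if __name__ == "__main__":
    matched, skipped = hunt(SAMPLE_EVENTS)
    for row in matched:
        print(row)
    print("dropped by value regex:", skipped)
```

Running the block prints the single `alice` row with `localIP=203.0.113.7` and `remoteIP=192.0.2.10`, and reports that the `USER` event and the IPv6 `SSH_CONNECTION` event were dropped by the value regex. If you rely on the `USER` branch of the name filter in the original query, note that it never produces output as written, because every row must also satisfy the IPv4 connection-string pattern.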

Author

CrowdStrike

Data Sources

Endpoint

Platforms

Windows, Linux

Tags

Hunting, cs_module:Insight

Raw Content

```yaml
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Detect Critical Environment Variable Changes over SSH with Connection Details

# MITRE ATT&CK technique IDs
mitre_ids:
  - TA0003

# Description of what the query does and its purpose.
description: |
  The query identifies critical changes to critical environment variables, extracts connection details such as user, local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=CriticalEnvironmentVariableChanged
  | EnvironmentVariableName =/(SSH_CONNECTION|USER)/
  | EnvironmentVariableValue=/(?<localIP>\d+\.\d+\.\d+\.\d+)\s+(?<localPort>\d+)\s+(?<remoteIP>\d+\.\d+\.\d+\.\d+)\s+(?<remotePort>\d+)$/i
  | table([@timestamp, aid, userName, remoteIP, remotePort, localIP, localPort])
  | "Process Explorer" := format("[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s)", field=["aid", "ContextProcessId"])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Critical%20Environment%20Variable%20Changed%20SSH.md)
```