QueryRange | Cybersecurity Labs, Investigations, and Detection Training

KQL Starter Patterns

Password Spray Triage

auth_events | where Action == "LoginFailed" | summarize Failed=count(), Victims=dcount(User) by SrcIp | sort by Victims desc | limit 20

Use When

You need the first pass on a suspected spray campaign and want to rank by spread before raw volume.

Do Not Use When

Do not use it as a final rule without environment-specific false-positive controls.

Expected Deliverable

Ranked source list plus threshold notes for detection hardening.

Privileged Account Failure Review

auth_events | where User startswith "admin" and Action == "LoginFailed" | project Timestamp, User, SrcIp, Location, Device | limit 50

Use When

A responder needs fast analyst-visible evidence for privileged auth failures.

Do Not Use When

Do not rely on naming pattern alone for escalation; correlate with context.

Expected Deliverable

Triage evidence table for incident note or handoff.

Beaconing Destination Shortlist

network_events | summarize Hits=count(), IntervalSpread=dcount(bin(Timestamp, 5m)) by DstDomain, SrcHost | sort by IntervalSpread desc | limit 20

Use When

You need a first-pass shortlist of periodic destinations before deeper endpoint or reputation pivots.

Do Not Use When

Do not treat periodicity alone as malicious; exclude telemetry forwarders and update services.

Expected Deliverable

Shortlist of suspicious destinations plus benign-lookalike exclusions.

OAuth Consent Review

cloud_events | where EventType == "OAuthConsentGranted" | project Timestamp, User, AppName, Publisher, Scope, SrcIp | limit 50

Use When

You need analyst-visible evidence for suspicious cloud app consent or token abuse.

Do Not Use When

Do not escalate without checking sanctioned SaaS rollout and publisher trust.

Expected Deliverable

Consent review note with revoke/block recommendation.

Endpoint LOLBin Parent/Child Chain

endpoint_events | where ParentImage in ("powershell.exe","cmd.exe","mshta.exe") | summarize Launches=count(), DistinctHosts=dcount(Device) by ParentImage, ChildImage | sort by Launches desc | limit 20

Use When

You need to surface suspicious script-host or LOLBin execution patterns before moving into process lineage review.

Do Not Use When

Do not escalate on parent-child pairs alone; account for software deployment tooling and admin automation.

Expected Deliverable

Endpoint triage shortlist with parent-child rationale and false-positive exclusions.

Outbound Transfer Triage

exfil_events | summarize Bytes=sum(BytesSent), Sessions=count(), DistinctDestinations=dcount(DstIp) by User, Device | sort by Bytes desc | limit 20

Use When

You need a first-pass ranking of suspicious outbound transfer behavior with enough context to decide whether to escalate.

Do Not Use When

Do not use it as a final exfil rule without business-process and sanctioned-transfer context.

Expected Deliverable

Escalation shortlist with preservation note and business-context questions.

SPLUNK Starter Patterns

Password Spray Triage

search index=auth action="LoginFailed" | stats count as failed dc(user) as victims by src_ip | sort - victims | head 20

Use When

You want a fast spread-first view of attacking sources on auth data.

Do Not Use When

Do not promote this directly to production without replay and false-positive review.

Expected Deliverable

Initial source ranking for detection design or investigation pivot.

Privileged Account Failure Review

search index=auth action="LoginFailed" user="admin*" | table _time user src_ip country device | head 50

Use When

You need a concise analyst output for privileged account review.

Do Not Use When

Do not assume every admin* match is malicious.

Expected Deliverable

Compact analyst evidence for handoff or escalation.

Beaconing Destination Shortlist

search index=network | stats count as hits dc(_time) as interval_spread by dest_domain src_host | sort - interval_spread | head 20

Use When

You need a quick list of periodic destinations for network beacon triage.

Do Not Use When

Do not promote without filtering patching, backup, and telemetry infrastructure.

Expected Deliverable

Suspicious destination shortlist with tuning notes.

OAuth Consent Review

search index=cloud event_type="OAuthConsentGranted" | table _time user app_name publisher scope src_ip | head 50

Use When

You need a concise cloud identity evidence table for consent-abuse review.

Do Not Use When

Do not assume every new consent event is malicious.

Expected Deliverable

Cloud identity escalation note with revoke recommendation.

Endpoint LOLBin Parent/Child Chain

search index=endpoint parent_image IN ("powershell.exe","cmd.exe","mshta.exe") | stats count as launches dc(device) as distinct_hosts by parent_image child_image | sort - launches | head 20

Use When

You need a first pass on suspicious process lineage before going deeper on command detail or device pivots.

Do Not Use When

Do not escalate lineage alone without accounting for deployment tools and maintenance scripts.

Expected Deliverable

Endpoint triage note with suspected abuse path and exclusions.

Outbound Transfer Triage

search index=exfil | stats sum(bytes_sent) as bytes count as sessions dc(dest_ip) as distinct_destinations by user device | sort - bytes | head 20

Use When

You need a ranked shortlist of potential exfil actors before deeper content or destination review.

Do Not Use When

Do not treat high byte count alone as malicious without business-process context.

Expected Deliverable

Escalation shortlist with preservation steps and follow-up questions.

How To Use This Library Correctly

Adapt a pattern to the lab or scenario instead of treating it as the finished answer.
Write down the false-positive assumptions before you promote a rule.
Convert the output into a concrete artifact: note, rule, handoff, or mitigation recommendation.

Open Labs Replay In Detection Testing Read Detection Research

Identity Calibration

Expect false positives from password resets, device re-enrollment, and shared egress. Always explain blast radius.

Network Calibration

Expect benign lookalikes from updaters, backup agents, and telemetry forwarders. Record exclusions explicitly.

Cloud Calibration

Expect sanctioned SaaS rollouts and admin maintenance noise. Tie every query back to a revoke, contain, or escalate decision.

Endpoint Calibration

Expect software deployment tooling, helpdesk scripts, and endpoint management automation. Process lineage without business context is weak evidence.

Email Calibration

Expect bulk newsletters, security awareness campaigns, and shared mailboxes. Always record why the sender or URL pattern is abnormal.

Exfiltration Calibration

Expect backup jobs, sanctioned transfer tools, and one-off project exports. Preserve business-context questions with every escalation.

Analyst Output Standard

State the suspicious behavior in one sentence.

Name the strongest false-positive lookalike.

Record the next pivot or response action.

Leave a handoff note another analyst can act on.

KQL Starter Patterns

Password Spray Triage

auth_events | where Action == "LoginFailed" | summarize Failed=count(), Victims=dcount(User) by SrcIp | sort by Victims desc | limit 20

Use When

You need the first pass on a suspected spray campaign and want to rank by spread before raw volume.

Do Not Use When

Do not use it as a final rule without environment-specific false-positive controls.

Expected Deliverable

Ranked source list plus threshold notes for detection hardening.

Privileged Account Failure Review

auth_events | where User startswith "admin" and Action == "LoginFailed" | project Timestamp, User, SrcIp, Location, Device | limit 50

Use When

A responder needs fast analyst-visible evidence for privileged auth failures.

Do Not Use When

Do not rely on naming pattern alone for escalation; correlate with context.

Expected Deliverable

Triage evidence table for incident note or handoff.

Beaconing Destination Shortlist

network_events | summarize Hits=count(), IntervalSpread=dcount(bin(Timestamp, 5m)) by DstDomain, SrcHost | sort by IntervalSpread desc | limit 20

Use When

You need a first-pass shortlist of periodic destinations before deeper endpoint or reputation pivots.

Do Not Use When

Do not treat periodicity alone as malicious; exclude telemetry forwarders and update services.

Expected Deliverable

Shortlist of suspicious destinations plus benign-lookalike exclusions.

OAuth Consent Review

cloud_events | where EventType == "OAuthConsentGranted" | project Timestamp, User, AppName, Publisher, Scope, SrcIp | limit 50

Use When

You need analyst-visible evidence for suspicious cloud app consent or token abuse.

Do Not Use When

Do not escalate without checking sanctioned SaaS rollout and publisher trust.

Expected Deliverable

Consent review note with revoke/block recommendation.

Endpoint LOLBin Parent/Child Chain

endpoint_events | where ParentImage in ("powershell.exe","cmd.exe","mshta.exe") | summarize Launches=count(), DistinctHosts=dcount(Device) by ParentImage, ChildImage | sort by Launches desc | limit 20

Use When

You need to surface suspicious script-host or LOLBin execution patterns before moving into process lineage review.

Do Not Use When

Do not escalate on parent-child pairs alone; account for software deployment tooling and admin automation.

Expected Deliverable

Endpoint triage shortlist with parent-child rationale and false-positive exclusions.

Outbound Transfer Triage

exfil_events | summarize Bytes=sum(BytesSent), Sessions=count(), DistinctDestinations=dcount(DstIp) by User, Device | sort by Bytes desc | limit 20

Use When

You need a first-pass ranking of suspicious outbound transfer behavior with enough context to decide whether to escalate.

Do Not Use When

Do not use it as a final exfil rule without business-process and sanctioned-transfer context.

Expected Deliverable

Escalation shortlist with preservation note and business-context questions.

SPLUNK Starter Patterns

Password Spray Triage

search index=auth action="LoginFailed" | stats count as failed dc(user) as victims by src_ip | sort - victims | head 20

Use When

You want a fast spread-first view of attacking sources on auth data.

Do Not Use When

Do not promote this directly to production without replay and false-positive review.

Expected Deliverable

Initial source ranking for detection design or investigation pivot.

Privileged Account Failure Review

search index=auth action="LoginFailed" user="admin*" | table _time user src_ip country device | head 50

Use When

You need a concise analyst output for privileged account review.

Do Not Use When

Do not assume every admin* match is malicious.

Expected Deliverable

Compact analyst evidence for handoff or escalation.

Beaconing Destination Shortlist

search index=network | stats count as hits dc(_time) as interval_spread by dest_domain src_host | sort - interval_spread | head 20

Use When

You need a quick list of periodic destinations for network beacon triage.

Do Not Use When

Do not promote without filtering patching, backup, and telemetry infrastructure.

Expected Deliverable

Suspicious destination shortlist with tuning notes.

OAuth Consent Review

search index=cloud event_type="OAuthConsentGranted" | table _time user app_name publisher scope src_ip | head 50

Use When

You need a concise cloud identity evidence table for consent-abuse review.

Do Not Use When

Do not assume every new consent event is malicious.

Expected Deliverable

Cloud identity escalation note with revoke recommendation.

Endpoint LOLBin Parent/Child Chain

search index=endpoint parent_image IN ("powershell.exe","cmd.exe","mshta.exe") | stats count as launches dc(device) as distinct_hosts by parent_image child_image | sort - launches | head 20

Use When

You need a first pass on suspicious process lineage before going deeper on command detail or device pivots.

Do Not Use When

Do not escalate lineage alone without accounting for deployment tools and maintenance scripts.

Expected Deliverable

Endpoint triage note with suspected abuse path and exclusions.

Outbound Transfer Triage

search index=exfil | stats sum(bytes_sent) as bytes count as sessions dc(dest_ip) as distinct_destinations by user device | sort - bytes | head 20

Use When

You need a ranked shortlist of potential exfil actors before deeper content or destination review.

Do Not Use When

Do not treat high byte count alone as malicious without business-process context.

Expected Deliverable

Escalation shortlist with preservation steps and follow-up questions.

How To Use This Library Correctly

Adapt a pattern to the lab or scenario instead of treating it as the finished answer.

Write down the false-positive assumptions before you promote a rule.

Convert the output into a concrete artifact: note, rule, handoff, or mitigation recommendation.

Reusable Patterns With Analyst Context

KQL Starter Patterns

SPLUNK Starter Patterns

How To Use This Library Correctly

Analyst Output Standard

Reusable Patterns With Analyst Context

KQL Starter Patterns

SPLUNK Starter Patterns

How To Use This Library Correctly

Analyst Output Standard