Failed login attempts
index=security login_status=failed
Suspicious network connections
index=network (src_ip=*.*.*.* AND dst_ip=malicious_IP) OR (src_ip=internal_IP AND dst_ip=external_IP)
Unauthorized file access
index=files file_access_status=unauthorized user!=authorized_user_1 AND user!=authorized_user_2
Abnormal system behavior
index=system (process_name=unexpected_process OR process_command_line=suspicious_command)
Brute force attacks
index=security login_status=failed src_ip=*.*.*.* | stats count by src_ip | where count > 10
System service disruptions
index=system (service_name=failed OR service_name=crashed)
Suspicious user activity
index=system (user=* AND (file_accessed=sensitive OR command_executed=unusual))
Excessive resource usage
index=system (cpu_utilization>90 OR memory_utilization>90)
Potential malware infections
index=system (file_hash=known_malware OR dst_ip=malicious_IP)
Unusual network traffic
index=network (traffic_volume>normal OR src_ip=internal AND dst_ip=external)
Potential data exfiltration
index=network (file_name=sensitive AND (protocol=ftp OR protocol=http))
Suspicious user accounts
index=system (user_permissions_changed=* OR user_type=admin_account_created)
Abnormal network behavior
index=network (traffic_volume_change>normal OR new_connection=true)
Potential ransomware attacks
index=system (file_encryption=true OR file_name=ransom)
Suspicious network connections to known malicious domains
index=network dst_domain=malicious_domain
Potential remote access attempts
index=system (protocol=ssh OR protocol=rdp)
Potential denial of service attacks
index=network (traffic_volume>normal OR resource_usage>normal)
Suspicious file modifications
index=system (file_modified=true AND (file_type=system OR file_path=sensitive_directory))
Potential phishing attempts
index=email (link=suspicious OR attachment=suspicious)
Potential SQL injection attacks
index=system (query_text=* OR query_syntax=suspicious)
Suspicious user login attempts
index=system (login_status=failed OR (username=* AND password=*))
Potential unauthorized access to sensitive data
index=system (file_access=sensitive OR database_access=sensitive) AND user!=authorized_user
Abnormal system performance
index=system (cpu_utilization>normal OR memory_utilization>normal OR response_time>normal)
Potential data breaches
index=system (data_exfiltration=true OR user_account_access=unauthorized)
Potential cross-site scripting attacks
index=web (code_injection=true OR javascript_executed=unexpected)
Suspicious website traffic
index=web (traffic_volume_change>normal OR new_referral_source=true)
Potential unauthorized access to web servers
index=web (access_attempt=suspicious OR (username=* AND password=*))
Abnormal website behavior
index=web (new_page_appeared=true OR error_generated=true)
Potential directory traversal attacks
index=web (directory_access=suspicious OR traversal_technique=used)
Suspicious network connections from trusted IP addresses
index=network (src_ip=trusted AND (dst_ip=external OR dst_ip=malicious))
Potential cryptographic attacks
index=system (crypto_weakness=exploited OR crypto_algorithm=unexpected)
Suspicious system configuration changes
index=system (config_changed=true AND config_change_authorized=false)
Potential exploitation of vulnerabilities
index=system (vulnerability_exploited=true OR exploit_used=true)
Abnormal user behavior
index=system (command_executed=unexpected OR (file_accessed=unexpected AND directory_accessed=unexpected))
Potential exploits of privileged accounts
index=system (account_type=privileged AND (access_authorized=false OR usage_authorized=false))
Suspicious system log entries
index=system (new_log_source=true OR log_entry_type=error)
Potential data manipulation attacks
index=system (data_changed=true AND (data_type=database OR data_fake=true))
Suspicious user accounts or devices
index=system (user_account_access=unexpected OR device_access=unexpected OR (device_type=suspicious AND software_type=suspicious))
Potential security policy violations
index=system (data_access=restricted OR command_executed=unauthorized)
Suspicious email activity
index=email (attachment_received=suspicious OR data_sent=sensitive)
Potential privilege escalation attacks
index=system (privilege_level=elevated OR privilege_escalation_attempt=true)
Abnormal system log activity
index=system (log_deleted=true OR log_error_generated=true)
Potential data leakage
index=system (data_transferred=sensitive OR data_shared=unauthorized)
Suspicious system process activity
index=system (process_executed=unexpected OR process_arguments=unexpected)
Potential password cracking attempts
index=system (login_attempts=repeated AND password_attempts=different) OR (attack_technique=dictionary)
Suspicious network port activity
index=network (new_listening_port=true OR (protocol=unexpected AND port=known))
Potential system compromise
index=system (malware_detected=true OR (program_executed=unexpected AND script_executed=unexpected))
Abnormal user account activity
index=system (new_admin_account=true OR user_permissions_changed=true)
Potential security device misconfiguration
index=security_device (config_changed=true AND config_change_authorized=false)
Suspicious network traffic originating from internal IP addresses
index=network (src_ip=internal AND (dst_ip=external OR protocol=unexpected))
Potential unauthorized access to cloud resources
index=cloud (access_attempt=unauthorized OR (username=* AND password=*))
Suspicious network traffic originating from external IP addresses
index=network (src_ip=external AND (dst_ip=internal OR protocol=unexpected))
Potential security vulnerabilities in installed applications
index=system (installed_software_vulnerability=known OR (application_outdated=true AND application_supported=false))
Suspicious user activity on critical systems
index=system (command_executed=unauthorized AND system_type=critical) OR (data_accessed=sensitive AND system_type=critical)
Potential security vulnerabilities in network devices
index=network_device (device_vulnerability=known OR (firmware_outdated=true AND firmware_supported=false))
Suspicious network traffic to/from known malicious IP addresses
index=network (src_ip=malicious OR dst_ip=malicious) AND (protocol=unexpected OR protocol=known_malicious)
Potential security vulnerabilities in web applications
index=web (web_application_vulnerability=known OR (web_application_outdated=true AND web_application_supported=false))
Suspicious network connections to internal resources
index=network (src_ip=external AND (dst_ip=internal OR dst_resource=internal))
Potential security breaches of network perimeter defenses
index=network (internal_resource_access=unauthorized OR protocol_executed=unexpected)
Potential security breaches via compromised user accounts
index=system (user_account_access=unauthorized OR (username=* AND password=*))
Suspicious network traffic to known malicious domains
index=network (dst_domain=malicious AND domain_blacklisted=true)
Potential unauthorized access to system resources
index=system (file_access=sensitive OR directory_access=sensitive OR system_setting_access=sensitive) AND user!=authorized_user
Potential zero-day exploits
index=system (vulnerability_unknown=true OR exploit_unknown=true)
Suspicious network traffic to known malicious IP addresses
index=network dst_ip=malicious_IP
Potential insider threats
index=system (data_access=sensitive AND user_type=trusted) OR (command_executed=unauthorized AND user_type=trusted)
Potential security risks associated with third-party applications
index=system (third_party_application=unapproved OR third_party_application_installation_source=untrusted)
Suspicious network traffic to known malicious IP addresses
index=network (dst_ip=malicious OR dst_domain=malicious)
Potential security breaches involving privileged accounts
index=system (privileged_account_access=unauthorized OR privileged_account_permissions_changed=*)
Potential security breaches in third-party applications
index=system (third_party_software_vulnerability=known OR (application_outdated=true AND application_supported=false))
Suspicious user activity on mobile devices
index=mobile (app_installed=unauthorized) OR (data_accessed=sensitive AND device_type=mobile)
Potential security vulnerabilities in system software
index=system (operating_system_vulnerability=known OR system_library_vulnerability=known OR (system_software_outdated=true AND system_software_supported=false))
Suspicious network traffic patterns or anomalies
index=network (traffic_volume_change=unexpected OR new_protocol_detected=true)