# SPL Query Pack — DFIR Assist
# Generated: 2026-03-07
# Total queries: 95

queries:
  # Timeframe Bounding: first and last successful logon (4624) per account, source IP, logon type
  # and host over the last 30 days, ordered by first logon to bracket the activity window.
  - node: "Timeframe Bounding"
    stage: "triage"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 earliest=-30d | stats earliest(_time) as first_logon latest(_time) as last_logon count by Account_Name, src_ip, Logon_Type, ComputerName | sort first_logon

  # Timeframe Bounding: the same 30-day bracket across logon (4624), failed logon (4625),
  # explicit-credential logon (4648) and special-privilege assignment (4672), per account/host/EventCode.
  - node: "Timeframe Bounding"
    stage: "triage"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4624, 4625, 4648, 4672) earliest=-30d | stats earliest(_time) as first_seen latest(_time) as last_seen count by Account_Name, ComputerName, EventCode | sort first_seen

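  # Patient Zero: earliest proxy contact with known-bad destinations/URLs per source, destination and user.
  # Fixed: `dest IN (ioc_ip_list)` compared against the literal token, not a lookup; the subsearches expand
  # the lookups into dest=/url= terms (the lookup files must expose `dest` and `url` columns — rename
  # inside the subsearch if they differ). The sourcetype OR is parenthesized because implicit AND binds
  # tighter than OR in SPL, so the un-grouped form constrained only the first alternative with index=proxy.
  - node: "Patient Zero"
    stage: "triage"
    query: |
      index=proxy (sourcetype=bluecoat OR sourcetype=zscaler) ([| inputlookup ioc_ip_list | fields dest] OR [| inputlookup ioc_url_list | fields url]) | stats earliest(_time) as first_contact count by src_ip, dest, url, user | sort first_contact

  # Patient Zero: earliest network (type 3) and RemoteInteractive (type 10) logons inside the
  # bounded window, first 50 by time.
  - node: "Patient Zero"
    stage: "triage"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type IN (3,10) earliest=T_START latest=T_END | stats earliest(_time) as first_logon count by src_ip, Account_Name, ComputerName, Logon_Type | sort first_logon | head 50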

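  # Access Validation: web requests to the patient-zero server whose URI path matches common
  # traversal/injection/RCE tokens, counted per source, path, status and matched token.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the un-grouped
  # form applied index=web only to sourcetype=iis and matched every apache event regardless of host.
  - node: "Access Validation"
    stage: "triage"
    query: |
      index=web (sourcetype=iis OR sourcetype=apache) host=PATIENT_ZERO_SERVER | rex field=uri_path "(?<exploit_pattern>\.\.\/|union\s+select|java\.lang\.Runtime|__import__|eval\()" | search exploit_pattern=* | stats count by src_ip, uri_path, status, exploit_pattern | sort -count

  # Access Validation: successful Azure AD sign-ins (errorCode 0) for the compromised user in the
  # bounded window, by source IP, application, client and OS.
  - node: "Access Validation"
    stage: "triage"
    query: |
      index=azure sourcetype=azure:aad:signin user="compromised_user@domain.com" status.errorCode=0 earliest=T_START latest=T_END | stats count by src_ip, appDisplayName, clientAppUsed, deviceDetail.operatingSystem | sort -count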

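  # Network Isolation: allowed outbound flows from the compromised IP on Palo Alto, top 50 by
  # destination/port/app — what the host could still reach before isolation.
  - node: "Network Isolation"
    stage: "contain"
    query: |
      index=firewall sourcetype=paloalto_traffic src_ip=COMPROMISED_IP action=allowed | stats count by dest_ip, dest_port, app | sort -count | head 50

  # Network Isolation: 5-minute timechart of ASA actions for flows to or from the compromised IP.
  # Fixed: src/dst OR parenthesized — without the grouping, `dst_ip=COMPROMISED_IP` was not
  # constrained by index=network sourcetype=cisco:asa.
  # NOTE(review): this entry uses `dst_ip` while the sibling below uses `dest_ip`; confirm which
  # field name the ASA data actually carries and align them.
  - node: "Network Isolation"
    stage: "contain"
    query: |
      index=network sourcetype=cisco:asa (src_ip=COMPROMISED_IP OR dst_ip=COMPROMISED_IP) | timechart span=5m count by action

  # Network Isolation: allowed flows involving the compromised IP in the last hour, top 20 tuples —
  # confirms isolation took effect.
  # Fixed: src/dest OR parenthesized so `action=allowed earliest=-1h` applies to both directions.
  - node: "Network Isolation"
    stage: "contain"
    query: |
      index=firewall (src_ip=COMPROMISED_IP OR dest_ip=COMPROMISED_IP) action=allowed earliest=-1h | stats count by src_ip, dest_ip, dest_port, action | sort -count | head 20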

  # Account Lockdown: 7-day logon/failed-logon/explicit-credential activity for the compromised
  # account, by EventCode, source, host and logon type.
  - node: "Account Lockdown"
    stage: "contain"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4624,4625,4648) Account_Name="compromised_user" earliest=-7d | stats count by EventCode, src_ip, ComputerName, Logon_Type | sort -count

  # Account Lockdown: 7-day Azure AD sign-in outcomes for the compromised user, with the apps and
  # source IPs seen per error code.
  - node: "Account Lockdown"
    stage: "contain"
    query: |
      index=azure sourcetype=azure:aad:signin user="compromised_user@domain.com" earliest=-7d | stats count values(appDisplayName) as apps values(src_ip) as source_ips by status.errorCode | sort -count

  # Memory Capture: Sysmon process-creation (EventCode 1) records of memory-acquisition tooling on the
  # target host in the last hour — evidence that the capture was actually run, and by whom.
  - node: "Memory Capture"
    stage: "preserve"
    query: |
      index=sysmon host=TARGET_HOST EventCode=1 (Image="*\\winpmem*" OR Image="*\\ramcapture*" OR Image="*\\avml*" OR CommandLine="*lime*") earliest=-1h | table _time, Computer, User, Image, CommandLine, ParentImage

  # Log Snapshot: event count and first/last timestamps for the target host's Security log inside the
  # bounded window, plus the covered span in hours — documents what the snapshot contains.
  - node: "Log Snapshot"
    stage: "preserve"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security host=TARGET_HOST earliest=T_START latest=T_END | stats count earliest(_time) as earliest_event latest(_time) as latest_event by sourcetype, host | eval span_hours=round((latest_event-earliest_event)/3600,1)

  # Log Snapshot: 7-day ingest volume per index (GB) from Splunk's own metrics.log, top 20 —
  # sizes the export.
  - node: "Log Snapshot"
    stage: "preserve"
    query: |
      index=_internal source=*metrics.log group=per_index_thruput earliest=-7d | stats sum(kb) as total_kb by series | eval total_GB=round(total_kb/1048576,2) | sort -total_GB | head 20

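  # EDR Collection: Sysmon process creations on the listed hosts inside the bounded window, by
  # host/image/command line/user/parent.
  - node: "EDR Collection"
    stage: "collect"
    query: |
      index=sysmon host IN ("HOST1","HOST2","HOST3") EventCode=1 earliest=T_START latest=T_END | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count

  # EDR Collection: Sysmon file creations (EventCode 11) under Temp/AppData/ProgramData on the listed
  # hosts, top 50.
  # Fixed: TargetFilename OR parenthesized — implicit AND binds tighter than OR in SPL, so the
  # AppData/ProgramData alternatives previously ran without the host, EventCode or time constraints.
  - node: "EDR Collection"
    stage: "collect"
    query: |
      index=sysmon host IN ("HOST1","HOST2","HOST3") EventCode=11 earliest=T_START latest=T_END (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*") | stats count by Computer, TargetFilename, Image | sort -count | head 50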

  # M365 UAL Collection: Exchange operations of interest (mail access, inbox-rule changes, send, search)
  # for the compromised user in the bounded window, by operation, client IP and user agent.
  - node: "M365 UAL Collection"
    stage: "collect"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=Exchange Operation IN ("MailItemsAccessed","New-InboxRule","Set-InboxRule","Send","SearchQueryInitiatedExchange") UserId="compromised_user@domain.com" earliest=T_START latest=T_END | stats count by Operation, ClientIPAddress, UserAgent | sort -count

  # M365 UAL Collection: tenant-wide AAD/Exchange/SharePoint operation volume in the bounded window,
  # top 100 by workload/operation/user/IP.
  - node: "M365 UAL Collection"
    stage: "collect"
    query: |
      index=o365 sourcetype=o365:management:activity Workload IN ("AzureActiveDirectory","Exchange","SharePoint") earliest=T_START latest=T_END | stats count by Workload, Operation, UserId, ClientIP | sort -count | head 100

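  # Lateral Movement: non-machine accounts logging on over the network/RDP/new-credentials (types 3/9/10)
  # from more than two distinct sources in the window, excluding loopback and blank sources.
  - node: "Lateral Movement"
    stage: "analyze"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type IN (3,9,10) Account_Name!="*$" src_ip!="::1" src_ip!="-" src_ip!="127.0.0.1" earliest=T_START latest=T_END | stats count dc(src_ip) as distinct_sources values(ComputerName) as hosts by Account_Name, Logon_Type | search distinct_sources>2 | sort -distinct_sources

  # Lateral Movement: Sysmon process creations of remote-execution tooling, or shells spawned by
  # WmiPrvSE, inside the bounded window.
  # Fixed: both alternatives wrapped in one group — implicit AND binds tighter than OR in SPL, so the
  # WmiPrvSE clause previously ran without `index=sysmon EventCode=1`, and the time bounds moved
  # ahead of the group so they apply to both sides.
  - node: "Lateral Movement"
    stage: "analyze"
    query: |
      index=sysmon EventCode=1 earliest=T_START latest=T_END ((Image="*\\psexec.exe" OR Image="*\\psexesvc.exe" OR Image="*\\wmic.exe" OR Image="*\\winrs.exe" OR Image="*\\mstsc.exe") OR (ParentImage="*\\wmiprvse.exe" (Image="*\\powershell.exe" OR Image="*\\cmd.exe"))) | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count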

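  # Data Staging: Sysmon file creations of archive files (7z/rar/zip) per host/file/user, keeping
  # only aggregates over 50 MB.
  # Fixed: TargetFilename OR parenthesized — implicit AND binds tighter than OR in SPL, so the rar/zip
  # alternatives previously ran without `index=sysmon EventCode=11`; time bounds added to match the
  # sibling query (the original was unbounded).
  # NOTE(review): Sysmon FileCreate (EventCode 11) does not normally carry a file-size field —
  # confirm a `FileSize` extraction exists before relying on total_bytes/total_MB.
  - node: "Data Staging"
    stage: "analyze"
    query: |
      index=sysmon EventCode=11 earliest=T_START latest=T_END (TargetFilename="*.7z" OR TargetFilename="*.rar" OR TargetFilename="*.zip") | stats count sum(FileSize) as total_bytes by Computer, TargetFilename, User | eval total_MB=round(total_bytes/1048576,2) | search total_MB>50

  # Data Staging: Sysmon process creations of archiving utilities inside the bounded window.
  - node: "Data Staging"
    stage: "analyze"
    query: |
      index=sysmon EventCode=1 (Image="*\\7z.exe" OR Image="*\\rar.exe" OR Image="*\\winrar.exe" OR Image="*\\tar.exe" OR Image="*\\makecab.exe") earliest=T_START latest=T_END | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count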

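  # Exfil Channels: 15-minute buckets of outbound bytes from the staging host on common egress ports,
  # keeping buckets above 50 MB.
  - node: "Exfil Channels"
    stage: "analyze"
    query: |
      index=firewall action=allowed dest_port IN (443,80,53,8080) src_ip=STAGING_HOST | timechart span=15m sum(bytes_out) as bytes_out | search bytes_out>50000000

  # Exfil Channels: proxy upload volume from the staging host per destination host/path/user, top 50 by MB.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the zscaler
  # alternative previously ran without the index, src_ip and time constraints.
  - node: "Exfil Channels"
    stage: "analyze"
    query: |
      index=proxy (sourcetype=bluecoat OR sourcetype=zscaler) src_ip=STAGING_HOST earliest=T_START latest=T_END | stats sum(bytes_out) as total_bytes count by dest_host, cs_uri_path, user | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50

  # Exfil Channels: DNS queries whose leftmost label exceeds 30 characters, per source and name, keeping
  # sources with more than 100 such queries (long-label encoding is a DNS-tunnelling indicator).
  # Fixed: sourcetype OR parenthesized for the same precedence reason.
  - node: "Exfil Channels"
    stage: "analyze"
    query: |
      index=dns (sourcetype=named OR sourcetype=infoblox:dns) earliest=T_START latest=T_END | eval subdomain_len=len(mvindex(split(query,"."),0)) | search subdomain_len>30 | stats count avg(subdomain_len) as avg_len by src_ip, query | search count>100 | sort -count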

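  # Block Exfiltration: denied proxy requests to listed file-sharing destinations — confirms the block
  # is in place and which sources are still trying.
  - node: "Block Exfiltration"
    stage: "contain"
    query: |
      index=proxy action=denied dest_host IN ("mega.nz","transfer.sh","file.io","rclone.*") | stats count by src_ip, dest_host, action | sort -count

  # Block Exfiltration: last-hour DNS resolutions of the exfil domain per source and reply code.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the infoblox
  # alternative previously ran without the index, query and time constraints.
  - node: "Block Exfiltration"
    stage: "contain"
    query: |
      index=dns (sourcetype=named OR sourcetype=infoblox:dns) query="*exfil-domain.com" earliest=-1h | stats count by src_ip, query, reply_code | sort -count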

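  # DLP Alerts: DLP policy hits in the bounded window by policy, severity, action, user and destination.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the forcepoint
  # alternative previously ran without the index and time constraints.
  - node: "DLP Alerts"
    stage: "collect"
    query: |
      index=dlp (sourcetype=symantec:dlp OR sourcetype=forcepoint:dlp) earliest=T_START latest=T_END | stats count by policy_name, severity, action, src_user, dest | sort -count

  # DLP Alerts: M365 DLP operations in the bounded window by operation, user, policy and detection details.
  - node: "DLP Alerts"
    stage: "collect"
    query: |
      index=o365 sourcetype=o365:management:activity Operation="DLP*" earliest=T_START latest=T_END | stats count by Operation, UserId, PolicyDetails, SensitiveInfoDetections | sort -count

  # DLP Alerts: high/critical Symantec DLP hits per user and action, with the policies and destinations
  # involved, top 25.
  - node: "DLP Alerts"
    stage: "collect"
    query: |
      index=dlp sourcetype=symantec:dlp severity IN ("high","critical") earliest=T_START latest=T_END | stats count values(policy_name) as policies values(dest) as destinations by src_user, action | sort -count | head 25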

  # Ransom Note Analysis: distinct hosts and file counts per ransomware file extension in EDR data.
  # NOTE(review): the extension here is matched with a leading dot (".locked") while the Encryption
  # Scope query matches without it ("locked") — confirm which form the EDR source emits.
  - node: "Ransom Note Analysis"
    stage: "triage"
    query: |
      index=edr (file_extension=".locked" OR file_extension=".encrypted" OR file_extension=".crypt") | stats dc(host) as affected_hosts count by file_extension | sort -affected_hosts

  # Ransom Note Analysis: last-24h Sysmon process creations that delete shadow copies, disable recovery
  # or delete the backup catalog — typical pre-encryption inhibit-recovery activity.
  - node: "Ransom Note Analysis"
    stage: "triage"
    query: |
      index=sysmon EventCode=1 (CommandLine="*vssadmin delete shadows*" OR CommandLine="*wmic shadowcopy delete*" OR CommandLine="*bcdedit*recoveryenabled*" OR CommandLine="*wbadmin delete catalog*") earliest=-24h | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count

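  # Stop Ransomware Spread: sources making more than 50 allowed SMB (445) connections in any 5-minute
  # bucket over the last hour — candidate spreaders.
  # Fixed: `timechart ... by src_ip | search count>50` could never match, because timechart emits one
  # column per src_ip value and no `count` field; bin + stats keeps a real count per bucket and source.
  # Time bound added to match the sibling queries (the original was unbounded).
  - node: "Stop Ransomware Spread"
    stage: "contain"
    query: |
      index=firewall dest_port=445 action=allowed earliest=-1h | bin _time span=5m | stats count by _time, src_ip | where count>50 | sort -count

  # Stop Ransomware Spread: last-hour admin-share (C$/ADMIN$) access (5145) by source, account, share
  # and target path, top 50.
  - node: "Stop Ransomware Spread"
    stage: "contain"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=5145 (Share_Name="*C$" OR Share_Name="*ADMIN$") earliest=-1h | stats count by src_ip, Account_Name, Share_Name, Relative_Target_Name | sort -count | head 50

  # Stop Ransomware Spread: last-hour Sysmon file creations grouped by new file extension per host,
  # keeping hosts writing more than 100 files of one extension — mass-encryption signature.
  - node: "Stop Ransomware Spread"
    stage: "contain"
    query: |
      index=sysmon EventCode=11 earliest=-1h | rex field=TargetFilename "\.(?<new_ext>[a-z0-9]{3,8})$" | stats count by Computer, new_ext | search count>100 | sort -count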

  # Encryption Scope: CrowdStrike file-write events with ransomware extensions — affected hosts, file
  # count and first/last write per host, ordered by first write.
  - node: "Encryption Scope"
    stage: "analyze"
    query: |
      index=edr sourcetype=crowdstrike:events event_type=FileWritten file_extension IN ("locked","encrypted","crypt") | stats dc(aid) as affected_hosts count as encrypted_files earliest(_time) as first_seen latest(_time) as last_seen by ComputerName | sort first_seen

  # Encryption Scope: 48-hour Sysmon file creations with ransomware extensions per host, with the
  # encryption duration in minutes.
  - node: "Encryption Scope"
    stage: "analyze"
    query: |
      index=sysmon EventCode=11 earliest=-48h (TargetFilename="*.locked" OR TargetFilename="*.encrypted" OR TargetFilename="*.crypt" OR TargetFilename="*.enc") | stats count earliest(_time) as first_encryption latest(_time) as last_encryption by Computer | eval duration_minutes=round((last_encryption-first_encryption)/60,1) | sort first_encryption

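  # Decryption Assessment: VSS/VolSnap system events (8193/8194/524) on the encrypted host in the
  # bounded window — whether shadow copies survived.
  # Fixed: the EventCode OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so
  # 8194 and 524 previously matched across all hosts, sourcetypes and times.
  - node: "Decryption Assessment"
    stage: "recover"
    query: |
      index=wineventlog sourcetype=WinEventLog:System host=ENCRYPTED_HOST EventCode IN (8193, 8194, 524) earliest=T_START latest=T_END | stats count by EventCode, ComputerName, Message | sort -count

  # Decryption Assessment: 48-hour process creations (4688) on the encrypted host that touch shadow
  # copies, boot configuration or backups, in time order.
  - node: "Decryption Assessment"
    stage: "recover"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security host=ENCRYPTED_HOST EventCode=4688 earliest=-48h (CommandLine="*vssadmin*" OR CommandLine="*wmic shadowcopy*" OR CommandLine="*bcdedit*" OR CommandLine="*wbadmin*") | table _time, CommandLine, Account_Name, ParentProcessName | sort _time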

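  # Azure AD Logs: users with successful sign-ins from more than three distinct IPs in the bounded window.
  - node: "Azure AD Logs"
    stage: "collect"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation="UserLoggedIn" ResultStatus=Success earliest=T_START latest=T_END | stats count dc(ClientIP) as DistinctIPs dc(AppDisplayName) as DistinctApps by UserId | search DistinctIPs>3 | sort -DistinctIPs

  # Azure AD Logs: role membership, application consent and service-principal role assignment
  # operations in the bounded window, in time order.
  # Fixed: the Operation OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so
  # only the first operation was constrained by index/sourcetype/Workload.
  - node: "Azure AD Logs"
    stage: "collect"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation IN ("Add member to role.","Consent to application.","Add app role assignment to service principal.") earliest=T_START latest=T_END | table _time, UserId, Operation, Target{}.ID, ClientIP | sort _time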

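  # OAuth Abuse: application consent and OAuth2 permission-grant operations in the bounded window.
  # Fixed: the Operation OR replaced by IN — implicit AND binds tighter than OR in SPL, so the
  # permission-grant alternative previously ran without the index/sourcetype/Workload/time constraints.
  - node: "OAuth Abuse"
    stage: "analyze"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation IN ("Consent to application.","Add OAuth2PermissionGrant.") earliest=T_START latest=T_END | table _time, UserId, Operation, Target{}.ID, Target{}.Type, ClientIP | sort _time

  # OAuth Abuse: app-role assignments to service principals per actor and IP, with the target apps.
  - node: "OAuth Abuse"
    stage: "analyze"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." earliest=T_START latest=T_END | stats count values(Target{}.ID) as TargetApps by UserId, ClientIP | sort -count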

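  # Revoke Cloud Sessions: last-24h token-revocation and account-disable operations, in time order —
  # confirms the containment actions were recorded.
  # Fixed: the Operation OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so only
  # the first operation was constrained by index/sourcetype/Workload.
  - node: "Revoke Cloud Sessions"
    stage: "contain"
    query: |
      index=o365 sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation IN ("Revoke user all refresh tokens.","Invalidate all refresh tokens for user.","Disable account.") earliest=-24h | table _time, UserId, Operation, Actor{}.ID, ClientIP | sort _time

  # Revoke Cloud Sessions: any activity by the compromised user in the last two hours — should be
  # empty after revocation.
  - node: "Revoke Cloud Sessions"
    stage: "contain"
    query: |
      index=o365 sourcetype=o365:management:activity UserId="compromised_user@domain.com" earliest=-2h | stats count by Operation, ClientIP, Workload | sort -count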

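  # Inbox Rules: inbox-rule create/modify/enable operations in the bounded window by user, operation,
  # parameters and IP.
  # Fixed: the Operation OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so only
  # the first operation was constrained by index/sourcetype/time.
  - node: "Inbox Rules"
    stage: "analyze"
    query: |
      index=o365 sourcetype=o365:management:activity Operation IN ("Set-InboxRule","New-InboxRule","Enable-InboxRule","UpdateInboxRules") earliest=T_START latest=T_END | stats count by UserId, Operation, Parameters, ClientIP | sort -count

  # Inbox Rules: mailbox and transport-rule changes whose parameters set forwarding or redirection,
  # in time order.
  # Fixed: the Operation OR chain replaced by IN for the same precedence reason.
  - node: "Inbox Rules"
    stage: "analyze"
    query: |
      index=o365 sourcetype=o365:management:activity Operation IN ("Set-Mailbox","New-TransportRule","Set-TransportRule") earliest=T_START latest=T_END | search Parameters="*ForwardTo*" OR Parameters="*RedirectTo*" OR Parameters="*ForwardingSMTPAddress*" | table _time, UserId, Operation, Parameters, ClientIP | sort _time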

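  # Missing Log Fallback: sourcetype/host pairs whose earliest event in 90 days is newer than 30 days
  # ago — sources that started (or restarted) logging recently, i.e. likely gaps before that.
  # Fixed: `search` does not evaluate functions, so `relative_time(now(), "-30d")` was compared as a
  # literal string and the filter never matched; `where` evaluates it. Note `index=*` over 90 days is
  # expensive — narrow the index list where the environment allows.
  - node: "Missing Log Fallback"
    stage: "collect"
    query: |
      index=* earliest=-90d | stats min(_time) as earliest_event max(_time) as latest_event count by sourcetype, host | where earliest_event>relative_time(now(), "-30d") | table host sourcetype earliest_event latest_event count | sort -earliest_event

  # Missing Log Fallback: hosts with fewer than 100 Security events in 30 days, with their per-EventCode
  # breakdown — candidates for missing forwarding or audit policy.
  - node: "Missing Log Fallback"
    stage: "collect"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security earliest=-30d | stats count by host, EventCode | eventstats sum(count) as total_events by host | search total_events<100 | table host EventCode count total_events | sort host -count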

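  # Chain of Custody: object-access events (4663) on evidence/case paths in the bounded window, by
  # subject, object, access mask and host — who touched the evidence.
  # Fixed: ObjectName OR parenthesized — implicit AND binds tighter than OR in SPL, so the "*case*"
  # alternative previously ran without the index, sourcetype, EventCode or time constraints.
  - node: "Chain of Custody"
    stage: "preserve"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4663 (ObjectName="*evidence*" OR ObjectName="*case*") earliest=T_START latest=T_END | stats count by SubjectUserName, ObjectName, AccessMask, ComputerName | sort -count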

  # Web Server Logs: script paths (.php/.aspx/.jsp) served with 2xx to exactly one client IP in the
  # bounded window — single-visitor scripts are a web-shell indicator.
  - node: "Web Server Logs"
    stage: "collect"
    query: |
      index=web sourcetype=access_combined status>=200 status<300 earliest=T_START latest=T_END (uri_path="*.php" OR uri_path="*.aspx" OR uri_path="*.jsp") | stats count dc(clientip) as unique_ips values(clientip) as src_ips by uri_path | search unique_ips=1 | sort -count

  # Web Server Logs: requests whose query string carries SQL/command/sensitive-file tokens, by client,
  # path, query and status.
  - node: "Web Server Logs"
    stage: "collect"
    query: |
      index=web sourcetype=access_combined earliest=T_START latest=T_END (uri_query="*SELECT*" OR uri_query="*UNION*" OR uri_query="*exec*" OR uri_query="*cmd*" OR uri_query="*passwd*" OR uri_query="*etc/shadow*") | stats count by clientip, uri_path, uri_query, status | sort -count

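  # Malware Removal: last-hour process creations on the cleaned host outside System32 — anything
  # unexpected still running after cleanup.
  # Fixed: in SPL a backslash escapes the next character inside quotes, so `\*` matched a literal
  # asterisk and `C:\Windows\System32\*` excluded nothing; `\\` yields a literal backslash and leaves
  # the trailing `*` as a wildcard.
  - node: "Malware Removal"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security host=CLEANED_HOST EventCode=4688 earliest=-1h | stats count by New_Process_Name, Process_Command_Line, Account_Name | search New_Process_Name!="C:\\Windows\\System32\\*" | sort -count

  # Malware Removal: last-4h Sysmon network connections from the cleaned host to non-RFC1918 addresses.
  # Fixed: `172.16.*` covers only 172.16.0.0/16, not the whole 172.16.0.0/12 private block, so most
  # of that range was reported as external; cidrmatch() applies the exact private prefixes.
  - node: "Malware Removal"
    stage: "eradicate"
    query: |
      index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=CLEANED_HOST EventCode=3 earliest=-4h | stats count by DestinationIp, DestinationPort, Image | where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp) OR cidrmatch("192.168.0.0/16", DestinationIp)) | sort -count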

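  # Credential Reset: password reset (4724) and change (4723) events in the bounded window by actor,
  # target and host — confirms the resets happened.
  # Fixed: EventCode OR replaced by IN — implicit AND binds tighter than OR in SPL, so 4723 previously
  # matched across all indexes, sourcetypes and times.
  - node: "Credential Reset"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4724, 4723) earliest=T_START latest=T_END | stats count by Account_Name, TargetUserName, ComputerName | sort -count

  # Credential Reset: hourly failed logons (4625) against the reset accounts over 24 hours — stale
  # credentials still being tried.
  - node: "Credential Reset"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 TargetUserName IN ("RESET_ACCOUNT_1","RESET_ACCOUNT_2") earliest=-24h | timechart span=1h count by TargetUserName | sort -_time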

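  # Patch Vulnerability: hosts still reporting the exploited CVE in Tenable/Qualys data, with severity
  # and remediation text.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the qualys
  # alternative previously ran without the index or cve constraint.
  - node: "Patch Vulnerability"
    stage: "eradicate"
    query: |
      index=vulnerability (sourcetype=tenable:sc:vuln OR sourcetype=qualys:hostDetection) cve="CVE-XXXX-XXXXX" | stats count by dest, severity, pluginName, solution | sort -severity -count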

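  # System Rebuild: last-24h Event Log start/stop (6005/6006) and service installation (7045) on the
  # rebuilt host, in time order — what came up with the fresh build.
  # Fixed: EventCode OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so 6006 and
  # 7045 previously matched across all hosts, sourcetypes and times.
  - node: "System Rebuild"
    stage: "recover"
    query: |
      index=wineventlog sourcetype=WinEventLog:System host=REBUILT_HOST EventCode IN (6005, 6006, 7045) earliest=-24h | table _time, host, EventCode, Message | sort _time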

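  # Service Restoration: last-4h account creation (4720), group membership (4732), service install (7045)
  # and scheduled task creation (4698) on the restored hosts, in time order.
  # Fixed: EventCode OR chain replaced by IN — implicit AND binds tighter than OR in SPL, so only 4720
  # was constrained by host/sourcetype/time. 7045 is written to the System log, not Security, so the
  # sourcetype is widened to both channels.
  - node: "Service Restoration"
    stage: "recover"
    query: |
      index=wineventlog sourcetype IN ("WinEventLog:Security","WinEventLog:System") host IN ("RESTORED_HOST_1","RESTORED_HOST_2") EventCode IN (4720, 4732, 7045, 4698) earliest=-4h | table _time, host, EventCode, Account_Name, Message | sort _time

  # Service Restoration: last-4h Sysmon network connections from the restored hosts to non-RFC1918 addresses.
  # Fixed: `172.16.*` covers only 172.16.0.0/16, not 172.16.0.0/12; cidrmatch() applies the exact
  # private prefixes.
  - node: "Service Restoration"
    stage: "recover"
    query: |
      index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host IN ("RESTORED_HOST_1","RESTORED_HOST_2") EventCode=3 earliest=-4h | stats count by DestinationIp, DestinationPort, Image, host | where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp) OR cidrmatch("192.168.0.0/16", DestinationIp)) | sort -count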

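  # Backup Validation: VSS/VolSnap system events (8193/8194/36) since the window start, by host — backup
  # and shadow-copy health after recovery.
  # Fixed: both OR chains grouped — implicit AND binds tighter than OR in SPL, so most alternatives
  # previously ran without the index/sourcetype/time constraints.
  # NOTE(review): `source` in Splunk is the input/channel name; the VSS/VolSnap provider is usually in
  # the event's SourceName field — confirm against the data.
  - node: "Backup Validation"
    stage: "recover"
    query: |
      index=wineventlog sourcetype=WinEventLog:System (source="VSS" OR source="VolSnap") EventCode IN (8193, 8194, 36) earliest=T_START | stats count by host, EventCode, Message | sort -count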

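  # Lessons Learned: notable counts by rule/urgency/status/owner, with hours from the window start to
  # each group's first notable.
  # Fixed: after `stats count by ...` neither `_time` nor `info_min_time` exists, so response_time was
  # always null; `addinfo` supplies info_min_time and min(_time) keeps the group's first event.
  - node: "Lessons Learned"
    stage: "post-incident"
    query: |
      index=notable earliest=T_START latest=T_END | addinfo | stats count min(_time) as first_seen by rule_name, urgency, status, owner, info_min_time | eval response_time=round((first_seen-info_min_time)/3600,2) | fields - info_min_time | sort -urgency -count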

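  # Detection Improvement: 4688 process creations in the bounded window matching known tooling names or
  # suspicious PowerShell arguments — baseline for new detections.
  # Fixed: the filter used `CommandLine`, but 4688 events carry `Process_Command_Line` (as the stats
  # clause and the Credential Dumping query use), so those two alternatives matched nothing.
  - node: "Detection Improvement"
    stage: "post-incident"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 earliest=T_START latest=T_END (New_Process_Name="*mimikatz*" OR New_Process_Name="*psexec*" OR New_Process_Name="*cobalt*" OR Process_Command_Line="*Invoke-*" OR Process_Command_Line="*-nop -w hidden*") | stats count by New_Process_Name, Process_Command_Line, host | sort -count

  # Detection Improvement: Sysmon discovery binaries (whoami/net/nltest/dsquery) spawned from cmd or
  # PowerShell in the bounded window.
  - node: "Detection Improvement"
    stage: "post-incident"
    query: |
      index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational earliest=T_START latest=T_END EventCode=1 (ParentImage="*\\cmd.exe" OR ParentImage="*\\powershell.exe") (Image="*\\whoami.exe" OR Image="*\\net.exe" OR Image="*\\nltest.exe" OR Image="*\\dsquery.exe") | stats count by host, ParentImage, Image, CommandLine | sort -count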

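  # Incident Report: notable summary by rule/urgency/src/dest/user with an urgency-derived phase label.
  # Fixed: eval comparisons use `==`; the default branch `1=1` is an assignment-style token that eval
  # rejects, so the case() did not parse.
  - node: "Incident Report"
    stage: "post-incident"
    query: |
      index=notable sourcetype=stash earliest=T_START latest=T_END | stats count by rule_name, urgency, src, dest, user | eval incident_phase=case(urgency=="critical","Triage",urgency=="high","Containment",1==1,"Investigation") | sort -urgency -count | table rule_name, urgency, incident_phase, src, dest, user, count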

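  # BEC Email Analysis: delivered messages from the phishing sender or suspicious domain, by recipient
  # and subject.
  # Fixed: sender/domain OR parenthesized — implicit AND binds tighter than OR in SPL, so the
  # sender_domain alternative previously ran without the index, sourcetype or action constraints.
  - node: "BEC Email Analysis"
    stage: "triage"
    query: |
      index=email sourcetype=proofpoint:pps (sender="<PHISHING_SENDER>" OR sender_domain="<SUSPICIOUS_DOMAIN>") action=delivered | stats count by recipient, subject, sender, action | sort -count

  # BEC Email Analysis: mailbox access and SendAs/SendOnBehalf operations for the compromised user.
  # Fixed: Operation OR chain replaced by IN — without the grouping only MailItemsAccessed was
  # constrained by index/sourcetype, and the UserId filter applied only to SendOnBehalf.
  - node: "BEC Email Analysis"
    stage: "triage"
    query: |
      index=o365 sourcetype=o365:management:activity Operation IN ("MailItemsAccessed","SendAs","SendOnBehalf") UserId="<COMPROMISED_USER>" | stats count by UserId, Operation, ClientIP | sort -count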

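  # Web Shell Detection: IIS script paths requested by at most two client IPs but more than five times —
  # low-fan-in, high-frequency scripts.
  - node: "Web Shell Detection"
    stage: "analyze"
    query: |
      index=iis sourcetype=iis (cs_uri_stem="*.aspx" OR cs_uri_stem="*.php" OR cs_uri_stem="*.jsp" OR cs_uri_stem="*.jspx") | stats dc(c_ip) AS distinct_ips, count AS request_count, min(_time) AS first_seen by cs_uri_stem | search distinct_ips<=2 request_count>5 | sort first_seen

  # Web Shell Detection: Sysmon file creations of script files under the IIS/Apache web roots.
  # Fixed: a single backslash escapes the next character in SPL quoted strings, so `\*` at the end of
  # "*\inetpub\wwwroot\*" was a literal asterisk and the path prefix never matched; `\\` is the literal
  # backslash form the rest of the pack uses.
  # NOTE(review): this entry reads sourcetype=WinEventLog:Sysmon while the other Sysmon queries use
  # XmlWinEventLog:Microsoft-Windows-Sysmon/Operational — confirm which one is ingested.
  - node: "Web Shell Detection"
    stage: "analyze"
    query: |
      index=wineventlog sourcetype=WinEventLog:Sysmon EventCode=11 (TargetFilename="*\\inetpub\\wwwroot\\*" OR TargetFilename="*\\htdocs\\*") (TargetFilename="*.aspx" OR TargetFilename="*.php" OR TargetFilename="*.jsp") | stats count by TargetFilename, Image, ComputerName | sort -count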

  # Insider Containment: file object-access events (4663) by the suspect account, by object, process
  # and access mask.
  - node: "Insider Containment"
    stage: "contain"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security Account_Name="<SUSPECT_USER>" EventCode=4663 Object_Type="File" | stats count by Object_Name, Process_Name, Access_Mask | sort -count

  # Insider Containment: daily counts of the suspect's file download/upload/sync operations in M365.
  - node: "Insider Containment"
    stage: "contain"
    query: |
      index=o365 sourcetype=o365:management:activity UserId="<SUSPECT_USER>" (Operation="FileDownloaded" OR Operation="FileUploaded" OR Operation="FileSyncDownloadedFull") | timechart span=1d count by Operation

  # Third-Party Logs: 30-day inventory of vendor sourcetypes per host with first/last event — what
  # third-party coverage exists for the window.
  - node: "Third-Party Logs"
    stage: "collect"
    query: |
      index=third_party sourcetype=vendor:* earliest=-30d | stats count, min(_time) AS earliest_event, max(_time) AS latest_event by sourcetype, host | sort -count

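  # Credential Dumping: 4688 process creations of known dumping tools or command lines.
  # Fixed: backslashes doubled (`"*\\mimikatz.exe"`) — a single backslash escapes the following character
  # in SPL quoted strings; the doubled form is what the rest of the pack uses for literal backslashes.
  - node: "Credential Dumping"
    stage: "analyze"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\\mimikatz.exe" OR New_Process_Name="*\\procdump.exe" OR New_Process_Name="*\\procdump64.exe" OR Process_Command_Line="*sekurlsa*" OR Process_Command_Line="*lsadump*") | stats count by Account_Name, New_Process_Name, Process_Command_Line, ComputerName | sort -count

  # Credential Dumping: Kerberos service-ticket requests (4769) with RC4 encryption (0x17) for
  # non-machine services — Kerberoasting indicator.
  - node: "Credential Dumping"
    stage: "analyze"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4769 Ticket_Encryption_Type=0x17 Service_Name!="*$" | stats count by Account_Name, Service_Name, Client_Address, Ticket_Encryption_Type | sort -count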

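  # Persistence Hunt: service installations (7045) and scheduled-task creations (4698) labelled by type.
  # Fixed: EventCode OR replaced by IN — implicit AND binds tighter than OR in SPL, so 4698 previously
  # matched across all indexes and sourcetypes. 7045 is written to the System log, not Security, so
  # the sourcetype is widened to both channels.
  - node: "Persistence Hunt"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype IN ("WinEventLog:Security","WinEventLog:System") EventCode IN (7045, 4698) | eval persistence_type=case(EventCode==7045, "Service Installed", EventCode==4698, "Scheduled Task Created") | stats count by persistence_type, Service_Name, Task_Name, Account_Name, ComputerName | sort -count

  # Persistence Hunt: Sysmon registry value sets (EventCode 13) on Run/RunOnce/Winlogon/AppInit_DLLs keys.
  # Fixed: TargetObject OR chain parenthesized — without the grouping only the first alternative was
  # constrained by index/sourcetype/EventCode; backslashes doubled so they are literal in SPL.
  - node: "Persistence Hunt"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Sysmon EventCode=13 (TargetObject="*\\CurrentVersion\\Run*" OR TargetObject="*\\CurrentVersion\\RunOnce*" OR TargetObject="*Winlogon*" OR TargetObject="*AppInit_DLLs*") | stats count by TargetObject, Details, Image, ComputerName | sort -count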

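  # Eradication Verification: 48-hour process creations matching the malware name or known hashes —
  # should be empty after eradication.
  # Fixed: backslash doubled before the placeholder so it is a literal path separator in SPL rather
  # than an escape of the following character.
  - node: "Eradication Verification"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\\<MALWARE_NAME>" OR SHA256="<HASH_1>" OR SHA256="<HASH_2>") earliest=-48h | stats count by New_Process_Name, Account_Name, ComputerName, Process_Command_Line | sort -count

  # Eradication Verification: 48-hour firewall traffic to the known C2 IPs/domains by source and action.
  # Fixed: destination OR chain parenthesized — implicit AND binds tighter than OR in SPL, so only the
  # first C2 IP was constrained by index/sourcetype and only the last domain by the time bound.
  - node: "Eradication Verification"
    stage: "eradicate"
    query: |
      index=firewall sourcetype=pan:traffic (dest_ip="<C2_IP_1>" OR dest_ip="<C2_IP_2>" OR dest="<C2_DOMAIN_1>" OR dest="<C2_DOMAIN_2>") earliest=-48h | stats count by src_ip, dest_ip, dest_port, action | sort -count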

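  # Config Hardening: last-24h NTLM network logons by account/source/host — verifies NTLM usage after
  # hardening.
  # Fixed: the trailing `// ...` annotation was inside the query text; SPL has no `//` comment syntax,
  # so it was passed to `sort` as arguments. The note now lives in this YAML comment.
  - node: "Config Hardening"
    stage: "eradicate"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 Authentication_Package="NTLM" earliest=-24h | stats count by Account_Name, Source_Network_Address, ComputerName | sort -count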

  # Ransomware Preservation: file object-access events (4663) on ransomware-extension files per host,
  # with first/last access and the span in seconds.
  - node: "Ransomware Preservation"
    stage: "preserve"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4663 Object_Type="File" (Object_Name="*.encrypted" OR Object_Name="*.locked" OR Object_Name="*.ransom") | stats count, earliest(_time) AS first_encryption, latest(_time) AS last_encryption by ComputerName | eval encryption_duration=last_encryption-first_encryption | sort first_encryption

  # Insider Evidence Capture: 90-day M365 file and mail-access operations by the suspect per operation
  # and IP, with a per-day average.
  - node: "Insider Evidence Capture"
    stage: "preserve"
    query: |
      index=o365 sourcetype=o365:management:activity UserId="<SUSPECT_UPN>" (Operation="FileDownloaded" OR Operation="FileUploaded" OR Operation="FileCopied" OR Operation="MailItemsAccessed") earliest=-90d | stats count by Operation, ClientIP | eval daily_avg=count/90 | sort -count

  # Insider Evidence Capture: file handle requests (4656) and accesses (4663) by the suspect account,
  # by object, process, access mask and host.
  - node: "Insider Evidence Capture"
    stage: "preserve"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security Account_Name="<SUSPECT_USER>" (EventCode=4663 OR EventCode=4656) Object_Type="File" | stats count by Object_Name, Process_Name, Access_Mask, ComputerName | sort -count

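  # Phishing Email Preservation: gateway records of the phishing message by recipient, action and
  # message id — what to pull for the evidence set.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the mimecast
  # alternative previously ran without the index constraint.
  - node: "Phishing Email Preservation"
    stage: "preserve"
    query: |
      index=email (sourcetype=proofpoint:pps OR sourcetype=mimecast:email) subject="<PHISH_SUBJECT>" sender="<PHISHING_SENDER>" | stats count by recipient, action, subject, msg_id | sort -count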

  # Cloud Tenant Snapshot: 90-day application/service-principal registrations, updates and consents
  # by operation, actor and target.
  # NOTE(review): the target field here is `Target_0_id`, whereas the other AAD queries use
  # `Target{}.ID` — confirm which extraction exists.
  - node: "Cloud Tenant Snapshot"
    stage: "preserve"
    query: |
      index=o365 sourcetype=o365:management:activity (Operation="Add application" OR Operation="Add service principal" OR Operation="Update application*" OR Operation="Consent to application") earliest=-90d | stats count by Operation, UserId, Target_0_id | sort -count

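  # Phishing Triage: email gateway phishing delivery analysis — messages from the phishing sender or
  # with the phishing subject, by recipient, action and disposition.
  # Fixed: the leading `// SPL -- Splunk: ...` line was inside the query text; SPL has no `//` comment
  # syntax, so it was submitted as search terms. The note now lives in this YAML comment. The
  # sender/subject OR is parenthesized so both alternatives are constrained by index and sourcetype.
  - node: "Phishing Triage"
    stage: "triage"
    query: |
      index=email sourcetype=proofpoint:pps
        (sender="<PHISHING_SENDER>" OR subject="<PHISH_SUBJECT>")
      | stats count by recipient action disposition
      | sort -count

  # Phishing Triage: proxy clicks on the phishing domain per user and path, with first/last click.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the zscaler
  # alternative previously ran without the index constraint.
  - node: "Phishing Triage"
    stage: "triage"
    query: |
      index=proxy (sourcetype=bluecoat:proxysg OR sourcetype=zscaler:web) cs_host="<PHISHING_DOMAIN>" | stats count, earliest(_time) AS first_click, latest(_time) AS last_click by cs_username, cs_host, cs_uri_stem | sort first_click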

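  # Phishing Quarantine: delivered copies of the phishing message by recipient and message id — the
  # set to purge.
  - node: "Phishing Quarantine"
    stage: "contain"
    query: |
      index=email sourcetype=proofpoint:pps sender="<PHISHING_SENDER>" subject="<PHISH_SUBJECT>" action=delivered | stats count by recipient, action, disposition, msg_id | sort -count

  # Phishing Quarantine: 7-day RDP (10) and network (3) logons from the attacker IP.
  # Fixed: Logon_Type OR replaced by IN — implicit AND binds tighter than OR in SPL, so the type-10
  # alternative ran without the source-address filter and type 3 without the index/EventCode filter.
  - node: "Phishing Quarantine"
    stage: "contain"
    query: |
      index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type IN (10, 3) Source_Network_Address="<ATTACKER_IP>" earliest=-7d | stats count by Account_Name, Source_Network_Address, ComputerName, Logon_Type | sort -count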

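  # Phishing Artifact Collection: per-sender/domain summary of subjects, recipients and recipient count.
  # Fixed: sourcetype OR parenthesized — implicit AND binds tighter than OR in SPL, so the mimecast
  # alternative previously ran without the index constraint and proofpoint without the sender filter.
  - node: "Phishing Artifact Collection"
    stage: "collect"
    query: |
      index=email (sourcetype=proofpoint:pps OR sourcetype=mimecast:email) sender="<PHISHING_SENDER>" | stats count, values(subject) AS subjects, values(recipient) AS recipients, dc(recipient) AS recipient_count by sender, sender_domain | sort -count

  # Phishing Artifact Collection: proxy requests to the phishing domain by user, path and status.
  # Fixed: sourcetype OR parenthesized for the same precedence reason.
  - node: "Phishing Artifact Collection"
    stage: "collect"
    query: |
      index=proxy (sourcetype=bluecoat:proxysg OR sourcetype=zscaler:web) cs_host="<PHISHING_DOMAIN>" | stats count by cs_username, cs_host, cs_uri_stem, sc_status | sort -count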

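  # Phishing Campaign Analysis: hourly M365 operations by the compromised users from the attacker IPs.
  # Fixed: `by ... bin(_time, 1h)` is not valid stats syntax; the `bin` command buckets _time first and
  # stats then groups on the bucketed _time.
  - node: "Phishing Campaign Analysis"
    stage: "analyze"
    query: |
      index=o365 sourcetype=o365:management:activity UserId IN ("<COMPROMISED_USER_1>","<COMPROMISED_USER_2>") ClientIP IN ("<ATTACKER_IP_1>","<ATTACKER_IP_2>") | bin _time span=1h | stats count, values(Operation) AS operations by UserId, ClientIP, _time | sort _time

  # Phishing Campaign Analysis: lateral phishing detection — 7-day delivered mail sent by the
  # compromised accounts, by recipient and subject.
  # Fixed: the trailing `// ...` annotation was inside the query text; SPL has no `//` comment syntax,
  # so it was passed to `sort` as arguments. The note now lives in this YAML comment.
  - node: "Phishing Campaign Analysis"
    stage: "analyze"
    query: |
      index=email sourcetype=proofpoint:pps sender IN ("<COMPROMISED_USER_1>","<COMPROMISED_USER_2>") action=delivered earliest=-7d | stats count by sender, recipient, subject | sort -count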

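  # Phishing Remediation: verify phishing email purge completeness — matching messages whose action is
  # anything other than blocked.
  # Fixed: the trailing `// ...` annotation was inside the query text; SPL has no `//` comment syntax,
  # so it was passed to `sort` as arguments. The note now lives in this YAML comment.
  - node: "Phishing Remediation"
    stage: "eradicate"
    query: |
      index=email sourcetype=proofpoint:pps (sender="<SENDER1>" OR sender="<SENDER2>") (subject="<SUBJECT1>" OR subject="<SUBJECT2>") | stats count by recipient, action, disposition | search action!="blocked" | sort -count

  # Phishing Remediation: post-remediation persistence check — 7-day inbox-rule and OAuth-grant
  # operations by the affected users.
  # Fixed: same trailing `// ...` annotation moved out of the query text.
  - node: "Phishing Remediation"
    stage: "eradicate"
    query: |
      index=o365 sourcetype=o365:management:activity UserId IN ("<USER1>","<USER2>","<USER3>") (Operation="Set-InboxRule" OR Operation="New-InboxRule" OR Operation="Add OAuth2PermissionGrant") earliest=-7d | stats count by UserId, Operation, ClientIP | sort -count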

  # Web App Root Cause Review: 30-day web requests with traversal/injection/command tokens in the query
  # string, or targeting script paths, by path and client.
  - node: "Web App Root Cause Review"
    stage: "post-incident"
    query: |
      index=web earliest=-30d (uri_query="*../*" OR uri_query="*union select*" OR uri_query="*cmd*" OR uri_path="*.php" OR uri_path="*.aspx") | stats count by uri_path, clientip
