CrowdStrike Falcon's Next-Gen SIEM uses LogScale as its query language, which is significantly more powerful than the older Event Search syntax. These detection rules use LogScale syntax exclusively and have been tuned in production environments at major Canadian financial institutions. All event names are case-sensitive and all queries use the Next-Gen SIEM architecture.

LogScale Syntax Notes

All queries use Next-Gen SIEM LogScale syntax. Event names are case-sensitive: ProcessRollup2, NetworkConnectIP4, FileWritten. Use quoted "sort" not sort. Space-separated field lists, no commas. Run each query against 30 days of historical data before enabling detection alerts.

Rule 1: PowerShell Spawned from Office Applications

The highest confidence post-phishing execution detection available in CrowdStrike. Office applications spawning PowerShell have no legitimate use case in enterprise environments. This relationship alone is your escalation trigger before reading a single character of the command line.

#event_simpleName=ProcessRollup2
ImageFileName=/\/powershell\.exe$/i
ParentBaseFileName IN ("WINWORD.EXE","EXCEL.EXE","OUTLOOK.EXE",
  "MSPUB.EXE","MSACCESS.EXE","chrome.exe",
  "msedge.exe","firefox.exe","wmiprvse.exe")
| table @timestamp ComputerName UserName CommandLine ParentBaseFileName
| "sort" @timestamp desc

Escalate immediately when

Rule 2: LOLBin Execution from Unexpected Parents

Detects signed Windows binaries commonly abused for code execution when spawned from unexpected parent processes. The parent process context eliminates the majority of false positives that would otherwise fire on these binaries in a busy enterprise environment.

#event_simpleName=ProcessRollup2
ImageFileName=/\/(certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$/i
| where CommandLine!="" AND ParentBaseFileName!=/explorer|services|svchost|msiexec|taniumclient|ccmexec|devenv|onexagentui/i
| eval suspicion=case(
    CommandLine=~"(?i)(http|https|ftp)", "network_call",
    CommandLine=~"(?i)-urlcache", "certutil_download",
    CommandLine=~"(?i)(AppData|Temp|Downloads|\\\\Users\\\\)", "user_writable_path",
    CommandLine=~"(?i)scrobj", "squiblydoo",
    true(), "review"
  )
| table @timestamp ComputerName UserName ImageFileName CommandLine ParentBaseFileName suspicion
| "sort" @timestamp desc

Rule 3: Reflective DLL Injection Detection

Detects PowerShell-based shellcode staging and reflective loading patterns. Byte array manipulation combined with XOR operations and memory stream loading is a strong indicator of shellcode decryption before reflective PE injection.

#event_simpleName=ProcessRollup2
ImageFileName=/\/powershell\.exe$/i
| where CommandLine matches regex "(?i)\\[byte\\[\\]\\]|\\[Byte\\[\\]\\]"
| where CommandLine matches regex "(?i)-b[Xx][Oo][Rr]|-bxor"
| where CommandLine matches regex "(?i)(ReadAllBytes|MemoryStream|Reflection\\.Assembly)"
| table @timestamp ComputerName UserName CommandLine
| "sort" @timestamp desc

Rule 4: DNS Requests from Suspicious Processes

Correlates DNS requests with the process making them to surface C2 communication patterns. Processes that have no business reason making external DNS lookups and are doing so shortly after execution are high confidence indicators of command and control beaconing.

#event_simpleName=DnsRequest
| where DomainName!=/microsoft|windows|office|azure|akamai|cloudflare|google/i
| join(
    {#event_simpleName=ProcessRollup2
     ImageFileName=/\/(powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe$/i},
    field=[aid, ContextProcessId],
    mode=inner
  )
| table @timestamp ComputerName UserName ImageFileName DomainName CommandLine
| "sort" @timestamp desc

Rule 5: New Service Installation Off Hours

Attackers install Windows services as a persistence mechanism and for lateral movement via service-based remote execution. Service installations outside business hours from non-standard paths warrant immediate investigation.

#event_simpleName=ServiceInstalled
| eval hour=formatTime("%H", @timestamp/1000)
| where toNumber(hour) < 7 OR toNumber(hour) > 19
| where ServiceImagePath!=/system32|syswow64|program files|windows defender|crowdstrike/i
| table @timestamp ComputerName ServiceName ServiceImagePath ServiceType
| "sort" @timestamp desc

Rule 6: Network Connection to Rare External IPs

Baselines 30 days of external network connections and surfaces connections to IPs that appear for the first time. New external destinations from endpoints that have stable baseline connectivity are worth investigating, particularly from processes that should not be making external connections.

#event_simpleName=NetworkConnectIP4
RemoteIP!=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.)/
| groupBy([aid, RemoteIP], function=min(timestamp, as=firstSeen))
| where firstSeen > now() - 1d * 1
| join(
    {#event_simpleName=NetworkConnectIP4
     RemoteIP!=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.)/
     | where timestamp < now() - 1d * 1
     | where timestamp > now() - 30d
     | groupBy([aid, RemoteIP], function=count())},
    field=[aid, RemoteIP],
    mode=leftanti
  )
| join(
    {#event_simpleName=NetworkConnectIP4 | groupBy(aid, function=selectLast([ComputerName, UserName]))},
    field=aid
  )
| table firstSeen ComputerName UserName RemoteIP RemotePort
| "sort" firstSeen desc

Rule 7: Mass File Deletion Anomaly

Detects mass file deletion events that significantly exceed normal operational patterns. Appears in ransomware pre-encryption staging and insider threat data destruction scenarios. The 10-minute window with a 200-file threshold filters legitimate backup cleanup while catching bulk deletion attacks.

#event_simpleName=FileDeleteInfo
| bin @timestamp span=10m
| groupBy([@timestamp, ComputerName, UserName], function=count(as=deletions))
| where deletions > 200
| table @timestamp ComputerName UserName deletions
| "sort" deletions desc
Intelligence Pack
New CrowdStrike detection every Tuesday

The SOCAuthority Weekly Intelligence Pack rotates between CrowdStrike LogScale, Microsoft Sentinel KQL, and Splunk SPL. Every Tuesday you get one production-ready detection rule with full context, tuning notes, and MITRE mapping. Plus monthly Office Hours and private Discord access.

Join Intelligence Pack — $14.99/month SOC Starter Kit — $39

Cancel anytime. 30-day money back guarantee.