CrowdStrike Falcon's Next-Gen SIEM uses LogScale as its query language, which is significantly more powerful than the older Event Search syntax. These detection rules use LogScale syntax exclusively and have been tuned in production environments at major Canadian financial institutions. All event names are case-sensitive and all queries use the Next-Gen SIEM architecture.
All queries use Next-Gen SIEM LogScale syntax. Event names are case-sensitive: ProcessRollup2, NetworkConnectIP4, FileWritten. Use quoted "sort" not sort. Space-separated field lists, no commas. Run each query against 30 days of historical data before enabling detection alerts.
Rule 1: PowerShell Spawned from Office Applications
The highest confidence post-phishing execution detection available in CrowdStrike. Office applications spawning PowerShell have no legitimate use case in enterprise environments. This relationship alone is your escalation trigger before reading a single character of the command line.
#event_simpleName=ProcessRollup2
ImageFileName=/\/powershell\.exe$/i
ParentBaseFileName IN ("WINWORD.EXE","EXCEL.EXE","OUTLOOK.EXE",
"MSPUB.EXE","MSACCESS.EXE","chrome.exe",
"msedge.exe","firefox.exe","wmiprvse.exe")
| table @timestamp ComputerName UserName CommandLine ParentBaseFileName
| "sort" @timestamp desc
Escalate immediately when
- -EncodedCommand appears in CommandLine combined with any Office parent
- DownloadString or WebClient indicates second stage payload download
- IEX or Invoke-Expression indicates in-memory execution with no file dropped
- Network connection to external IP within 60 seconds of the PowerShell process start
Rule 2: LOLBin Execution from Unexpected Parents
Detects signed Windows binaries commonly abused for code execution when spawned from unexpected parent processes. The parent process context eliminates the majority of false positives that would otherwise fire on these binaries in a busy enterprise environment.
#event_simpleName=ProcessRollup2
ImageFileName=/\/(certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$/i
| where CommandLine!="" AND ParentBaseFileName!=/explorer|services|svchost|msiexec|taniumclient|ccmexec|devenv|onexagentui/i
| eval suspicion=case(
CommandLine=~"(?i)(http|https|ftp)", "network_call",
CommandLine=~"(?i)-urlcache", "certutil_download",
CommandLine=~"(?i)(AppData|Temp|Downloads|\\\\Users\\\\)", "user_writable_path",
CommandLine=~"(?i)scrobj", "squiblydoo",
true(), "review"
)
| table @timestamp ComputerName UserName ImageFileName CommandLine ParentBaseFileName suspicion
| "sort" @timestamp desc
Rule 3: Reflective DLL Injection Detection
Detects PowerShell-based shellcode staging and reflective loading patterns. Byte array manipulation combined with XOR operations and memory stream loading is a strong indicator of shellcode decryption before reflective PE injection.
#event_simpleName=ProcessRollup2
ImageFileName=/\/powershell\.exe$/i
| where CommandLine matches regex "(?i)\\[byte\\[\\]\\]|\\[Byte\\[\\]\\]"
| where CommandLine matches regex "(?i)-b[Xx][Oo][Rr]|-bxor"
| where CommandLine matches regex "(?i)(ReadAllBytes|MemoryStream|Reflection\\.Assembly)"
| table @timestamp ComputerName UserName CommandLine
| "sort" @timestamp desc
Rule 4: DNS Requests from Suspicious Processes
Correlates DNS requests with the process making them to surface C2 communication patterns. Processes that have no business reason making external DNS lookups and are doing so shortly after execution are high confidence indicators of command and control beaconing.
#event_simpleName=DnsRequest
| where DomainName!=/microsoft|windows|office|azure|akamai|cloudflare|google/i
| join(
{#event_simpleName=ProcessRollup2
ImageFileName=/\/(powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe$/i},
field=[aid, ContextProcessId],
mode=inner
)
| table @timestamp ComputerName UserName ImageFileName DomainName CommandLine
| "sort" @timestamp desc
Rule 5: New Service Installation Off Hours
Attackers install Windows services as a persistence mechanism and for lateral movement via service-based remote execution. Service installations outside business hours from non-standard paths warrant immediate investigation.
#event_simpleName=ServiceInstalled
| eval hour=formatTime("%H", @timestamp/1000)
| where toNumber(hour) < 7 OR toNumber(hour) > 19
| where ServiceImagePath!=/system32|syswow64|program files|windows defender|crowdstrike/i
| table @timestamp ComputerName ServiceName ServiceImagePath ServiceType
| "sort" @timestamp desc
Rule 6: Network Connection to Rare External IPs
Baselines 30 days of external network connections and surfaces connections to IPs that appear for the first time. New external destinations from endpoints that have stable baseline connectivity are worth investigating, particularly from processes that should not be making external connections.
#event_simpleName=NetworkConnectIP4
RemoteIP!=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.)/
| groupBy([aid, RemoteIP], function=min(timestamp, as=firstSeen))
| where firstSeen > now() - 1d * 1
| join(
{#event_simpleName=NetworkConnectIP4
RemoteIP!=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.)/
| where timestamp < now() - 1d * 1
| where timestamp > now() - 30d
| groupBy([aid, RemoteIP], function=count())},
field=[aid, RemoteIP],
mode=leftanti
)
| join(
{#event_simpleName=NetworkConnectIP4 | groupBy(aid, function=selectLast([ComputerName, UserName]))},
field=aid
)
| table firstSeen ComputerName UserName RemoteIP RemotePort
| "sort" firstSeen desc
Rule 7: Mass File Deletion Anomaly
Detects mass file deletion events that significantly exceed normal operational patterns. Appears in ransomware pre-encryption staging and insider threat data destruction scenarios. The 10-minute window with a 200-file threshold filters legitimate backup cleanup while catching bulk deletion attacks.
#event_simpleName=FileDeleteInfo
| bin @timestamp span=10m
| groupBy([@timestamp, ComputerName, UserName], function=count(as=deletions))
| where deletions > 200
| table @timestamp ComputerName UserName deletions
| "sort" deletions desc
The SOCAuthority Weekly Intelligence Pack rotates between CrowdStrike LogScale, Microsoft Sentinel KQL, and Splunk SPL. Every Tuesday you get one production-ready detection rule with full context, tuning notes, and MITRE mapping. Plus monthly Office Hours and private Discord access.
Join Intelligence Pack — $14.99/month SOC Starter Kit — $39Cancel anytime. 30-day money back guarantee.