LogScale Query Language (LQL) Guide for SOC Analysts
This guide is tailored for SOC analysts who are transitioning from Splunk to LogScale and focuses on the essentials of filtering through events and exploring data using LogScale’s Query Language (LQL). It covers query filters, free-text filters, field filters, regular expression filters, and logical operators, using specific field names and event examples relevant to security operations.
Grab a cup of coffee ☕, log in to CrowdStrike or your LogScale instance and let’s get started.
Query Filters
Query filters in LogScale allow for precise searches using free text, field matches, and regular expressions. They enable analysts to narrow down search results effectively.
Basic Syntax
- Implicit AND: LogScale applies an implicit AND between filters, so multiple filters written in sequence are combined as if connected by AND.
- Logical Operators: `AND` combines filters (`filter1 AND filter2`); `OR` selects alternatives (`filter1 OR filter2`); `NOT` excludes (`NOT filter`).
Structure
- Primary Filters: Use operators such as `=`, `like`, `!=`, `<`, `<=`, `>`, `>=` on field names or free text.
- Field Names: Can be written plainly or enclosed in quotes when they contain special characters.
- Grouping: Parentheses `()` group filters for complex queries.
Free-Text Filters
Free-text filters search across all fields for the specified strings, excluding special fields such as `@id`, `@timestamp`, `@ingesttimestamp`, and tags.
- Basic Queries:
  - Searching for a specific error code in any field: `404`
  - Finding a specific error message: `"Access Denied"`
  - Regular expression search for IP addresses: `/192\.168\.1\.\d+/`
  - Case-insensitive search for a username: `/admin/i`
Field Filters
Field filters target specific event fields, enhancing the precision of searches by focusing on text or numerical data.
- Examples:
  - Events where the `ComputerName` contains “Server”: `ComputerName = *Server*`
  - Events where `Status` is not “200 OK”: `Status != "200 OK"`
  - Events with a specific `LocalIP`: `LocalIP = "192.168.1.10"`
Regular Expression Filters
Regular expressions offer advanced pattern matching for field-specific searches or across all event fields.
- Syntax:
  - Matching an IP pattern in any field: `/10\.10\.\d+\.\d+/`
  - Searching within the `FilePath` field for a directory: `FilePath = /C:\\Windows\\System32\\/`
Logical Operators
Combine filters with logical operators to refine searches, allowing for complex query construction.
- AND, OR, NOT:
  - Events with a specific `ComputerName` and `Status`: `ComputerName = *Server* AND Status = "200 OK"`
  - Events with either “Error” or “Warning” in `@rawstring`: `"Error" OR "Warning"`
  - Excluding a specific `LocalIP`: `NOT LocalIP = "192.168.1.10"`
Using Specific Fields and Events
When constructing queries, using specific field names and understanding the structure of your events is crucial. For example, to filter events related to a new script being written:
- Event Name Filter: `#event_simpleName = "NewScriptWritten"`
- Combining Filters: To find such events from a specific source IP: `#event_simpleName = "NewScriptWritten" AND LocalIP = "192.168.1.10"`
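The pieces from the Logical Operators section and the event filter above can be combined into one multi-line hunting query. The following is an added example, not a query from this guide or from CrowdStrike documentation; the field names (`#event_simpleName`, `ComputerName`, `FilePath`, `LocalIP`) are those used on this page, while the two directory patterns and the excluded host are assumed values chosen only to illustrate the syntax.

```lql
// Added example (assumed values). Filters on consecutive lines are joined by the implicit AND.
#event_simpleName = "NewScriptWritten"
ComputerName = *Server*
// Parentheses make the OR explicit so it is evaluated before the surrounding ANDs;
// the /i flag makes each path match case-insensitive and \\ matches one literal backslash.
(FilePath = /C:\\Windows\\Temp\\/i OR FilePath = /C:\\Users\\/i)
// NOT applies only to the filter that immediately follows it: drop one known host.
NOT LocalIP = "192.168.1.10"
```

Reading top to bottom, the query keeps only `NewScriptWritten` events from hosts whose name contains “Server”, whose script path falls under either of the two directories, and that did not come from the excluded `LocalIP`. Writing each filter on its own line makes it easy to comment one out while tuning, without changing the meaning of the rest.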