Examples

Find all PowerShell executions grouped by user

image=/powershell/i | groupBy(user, function=count()) | sort(_count, order=desc)

Top 10 users by data transferred

* | groupBy(user, function=sum(bytes)) | sort(_sum, order=desc) | limit(10)

HTTP errors in the last time window

status_code>=400 | groupBy(status_code, function=count()) | barchart()

Classify events by severity

* | case {
  status_code>=500 | severity := "critical" ;
  status_code>=400 | severity := "warning" ;
  * | severity := "info"
} | groupBy(severity, function=count())

Process ancestry graph

event_id=1 | table(process_guid, parent_process_guid) | graph(child=process_guid, parent=parent_process_guid)

Trace a process tree from a specific process

event_id=1
| bfs(child=process_guid, parent=parent_process_guid, start="{63047898-81ee-6860-5202-000000002502}")
| graph(child=process_guid, parent=parent_process_guid, labels=image)
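The two process-tree queries above walk `event_id=1` (process creation) records from child to parent. The following is an added example, not code from this page or the project it documents: it rebuilds the same child/parent adjacency in Python from a handful of constructed Sysmon-style records (the GUIDs, image paths and parent links are invented) and runs a breadth-first walk from a chosen `process_guid`, the way `bfs(child=…, parent=…, start=…)` is assumed to work here. The `seen` set is the practical detail a walk like this needs: duplicated or cyclic records must not send it into an infinite loop.

```python
from collections import defaultdict, deque

# Constructed Sysmon-style records (event_id=1 is process creation). All
# GUIDs, images and parent links here are invented for this example.
EVENTS = [
    {"event_id": 1, "process_guid": "{A-1}", "parent_process_guid": "{ROOT}",
     "image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "process_guid": "{A-2}", "parent_process_guid": "{A-1}",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 1, "process_guid": "{A-3}", "parent_process_guid": "{A-2}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "process_guid": "{A-4}", "parent_process_guid": "{A-3}",
     "image": r"C:\Windows\System32\whoami.exe"},
    {"event_id": 1, "process_guid": "{B-1}", "parent_process_guid": "{ROOT}",
     "image": r"C:\Windows\System32\services.exe"},
    {"event_id": 1, "process_guid": "{B-2}", "parent_process_guid": "{B-1}",
     "image": r"C:\Windows\System32\svchost.exe"},
    # A non-creation event (network connection) for a process we already know;
    # it must be filtered out, not treated as a second creation record.
    {"event_id": 3, "process_guid": "{A-3}", "dest_port": 443},
]


def build_tree(events, child="process_guid", parent="parent_process_guid"):
    """Return (children, labels): parent GUID -> [child GUIDs], GUID -> image."""
    children = defaultdict(list)
    labels = {}
    for e in events:
        if e.get("event_id") != 1:  # only process-creation records carry lineage
            continue
        children[e[parent]].append(e[child])
        labels[e[child]] = e.get("image", "?")
    return children, labels


def bfs(children, start):
    """Breadth-first walk from `start`; returns [(guid, depth), ...] in visit order.

    Assumed semantics of the page's bfs(): every descendant of the start
    process is returned. `seen` guards against cycles and duplicate records.
    """
    seen = {start}
    order = []
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        order.append((node, depth))
        for c in children.get(node, []):
            if c not in seen:
                seen.add(c)
                queue.append((c, depth + 1))
    return order


def render_tree(events, start):
    """Indented text rendering of the subtree rooted at `start`, labelled by image."""
    children, labels = build_tree(events)
    return ["  " * depth + f"{labels.get(guid, '?')} {guid}"
            for guid, depth in bfs(children, start)]


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, "{A-1}")))
```

Starting at `{A-1}` yields the explorer -> cmd -> powershell -> whoami branch only; the `services.exe` branch shares the same root but is never reached, which is the point of walking from a specific process rather than rendering the whole graph.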

Total event count as a single value

* | count() | singleval(label="Total Events")

Request volume over time by status

* | groupBy(status_code) | timechart(span=5m, function=count())

Detect patterns

chain(user, within=1h) {
  event_id=1 | image=/explorer/i;
  event_id=1 | image=/powershell/i;
}
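The `chain(user, within=1h) { … }` query above looks for two stages in order for the same user inside a time window. As an added illustration, not part of the page or the project, here is the same detection written out in Python over constructed process-creation records. It assumes the semantics a reader would most naturally expect from the query: stages must occur in the listed order, all within `within` of the first stage's event, grouped by the `user` field; that reading is an assumption, as are the field names, timestamps and user names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records; timestamps, users and images are invented.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event_id": 1, "image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "event_id": 3, "image": r"C:\...\powershell.exe"},  # network event, not a stage
    {"ts": "2024-05-01T09:20:00", "user": "alice", "event_id": 1, "image": r"C:\...\powershell.exe"},
    {"ts": "2024-05-01T09:05:00", "user": "bob",   "event_id": 1, "image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T11:30:00", "user": "bob",   "event_id": 1, "image": r"C:\...\powershell.exe"},  # outside the 1h window
    {"ts": "2024-05-01T09:10:00", "user": "carol", "event_id": 1, "image": r"C:\...\powershell.exe"},
    {"ts": "2024-05-01T09:15:00", "user": "carol", "event_id": 1, "image": r"C:\Windows\explorer.exe"},  # wrong order
]

# Stages mirror the two sub-queries of the chain: event_id=1 with an image
# matching /explorer/i, then event_id=1 with an image matching /powershell/i.
STAGES = [
    lambda e: e["event_id"] == 1 and re.search(r"explorer", e["image"], re.I) is not None,
    lambda e: e["event_id"] == 1 and re.search(r"powershell", e["image"], re.I) is not None,
]


def find_chains(events, key="user", within=timedelta(hours=1), stages=STAGES):
    """Return {key_value: [matched events]} for each key whose events satisfy
    every stage in order, all within `within` of the first stage's event.

    Assumed semantics of the page's chain(): the window is anchored at the
    first-stage event, later stages must follow it, and one hit per key is enough.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_key[e[key]].append(e)

    hits = {}
    for k, evs in by_key.items():
        for i, first in enumerate(evs):
            if not stages[0](first):
                continue
            deadline = datetime.fromisoformat(first["ts"]) + within
            matched, stage = [first], 1
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) > deadline:
                    break  # window exhausted for this candidate start
                if stages[stage](e):
                    matched.append(e)
                    stage += 1
                    if stage == len(stages):
                        break
            if stage == len(stages):
                hits[k] = matched
                break  # one complete chain per key is sufficient
    return hits


if __name__ == "__main__":
    for user, evs in find_chains(EVENTS).items():
        print(user, "->", [(e["ts"], e["image"]) for e in evs])
```

Only `alice` matches: `bob` launches PowerShell too late, `carol` runs the stages in the wrong order, and the `event_id=3` record for `alice` is skipped because it is not a process-creation event, even though its image matches the second pattern.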