Sample Aurora Focus EQL queries

Query DNS lookups for a specified URL:

CODE

network where dns.questions.question_name == "<URL>"

network where dns.questions.question_name == "<URL>"

Query a specified WMI namespace:

CODE

application where event.subcategory == "wmi" and wmi_trace.namespace == "<namespace>"

application where event.subcategory == "wmi" and wmi_trace.namespace == "<namespace>"

Query files with any of the specified SHA256 values:

CODE

file where file.sha256 in ("<value>", "<value>", "<value>")

file where file.sha256 in ("<value>", "<value>", "<value>")

Query processes with the specified process name:

CODE

process where process.name == "<name>"

process where process.name == "<name>"

Query processes where the command line contains a specified string:

CODE

process where process.command_line like "<string>"

process where process.command_line like "<string>"

Query information about network connections to a specified IP address on a specified port:

CODE

network where network.destination.ip_address == "<IP>" and network.destination.port == "<port>"

network where network.destination.ip_address == "<IP>" and network.destination.port == "<port>"

Aurora Endpoint Security