Product Security Knowledge Base

SIEM Query Pack

This snippet pack is a quick landing page for sample detection queries. The queries are first-pass starting points rather than tuned detections, and they should be read alongside the deeper detection strategy pages.

Best use

  • start an investigation quickly;
  • turn a hypothesis into a first-pass query;
  • adapt the pattern to your real field names and log schema.

Reminder

A SIEM query is only as good as the telemetry it runs over. Unless each event carries route, actor, tenant, object, and action context, a hit cannot be pivoted into who did what, to which resource, in which tenant; events missing those fields either drop out of the filter silently or produce hits that cannot be attributed.
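The following is an added example, not a query from the pack itself, showing the workflow the page describes: a hypothesis ("one actor deleting many distinct objects in a single tenant within a short window") turned into a first-pass query, run over constructed sample events. The field names `ts`, `route`, `actor`, `tenant`, `object` and `action` are assumed for illustration and must be mapped to your own log schema; the sample events and the five-minute / five-object thresholds are likewise made up. Events that lack any of the context fields from the reminder above are reported separately instead of being silently discarded, so the analyst sees the coverage gap.

```python
"""First-pass SIEM-style query over constructed sample events (added example).

Hypothesis: a single actor deleting many distinct objects in one tenant within
a short window is worth an analyst's attention (bulk deletion / destruction).
Field names below are assumptions; adapt them to your real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Context fields the query needs to produce an attributable hit (assumed names).
REQUIRED_FIELDS = ("ts", "route", "actor", "tenant", "object", "action")

# Constructed sample events; this is not real telemetry.
SAMPLE_EVENTS = [
    # alice: six distinct deletes inside four minutes -> should hit
    {"ts": "2024-05-01T10:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-1", "action": "delete"},
    {"ts": "2024-05-01T10:00:10", "route": "GET /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-7", "action": "read"},
    {"ts": "2024-05-01T10:00:30", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-2", "action": "delete"},
    {"ts": "2024-05-01T10:01:00", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-3", "action": "delete"},
    {"ts": "2024-05-01T10:02:00", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-4", "action": "delete"},
    {"ts": "2024-05-01T10:03:00", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-5", "action": "delete"},
    {"ts": "2024-05-01T10:04:00", "route": "DELETE /api/v1/files/{id}", "actor": "alice", "tenant": "t-100", "object": "file-6", "action": "delete"},
    # bob: five deletes of the SAME object (retries) -> one distinct object, no hit
    {"ts": "2024-05-01T10:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "bob", "tenant": "t-100", "object": "file-9", "action": "delete"},
    {"ts": "2024-05-01T10:00:05", "route": "DELETE /api/v1/files/{id}", "actor": "bob", "tenant": "t-100", "object": "file-9", "action": "delete"},
    {"ts": "2024-05-01T10:00:10", "route": "DELETE /api/v1/files/{id}", "actor": "bob", "tenant": "t-100", "object": "file-9", "action": "delete"},
    {"ts": "2024-05-01T10:00:15", "route": "DELETE /api/v1/files/{id}", "actor": "bob", "tenant": "t-100", "object": "file-9", "action": "delete"},
    {"ts": "2024-05-01T10:00:20", "route": "DELETE /api/v1/files/{id}", "actor": "bob", "tenant": "t-100", "object": "file-9", "action": "delete"},
    # carol: five distinct deletes spread over two hours -> never five in one window
    {"ts": "2024-05-01T10:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "carol", "tenant": "t-200", "object": "file-a", "action": "delete"},
    {"ts": "2024-05-01T10:30:00", "route": "DELETE /api/v1/files/{id}", "actor": "carol", "tenant": "t-200", "object": "file-b", "action": "delete"},
    {"ts": "2024-05-01T11:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "carol", "tenant": "t-200", "object": "file-c", "action": "delete"},
    {"ts": "2024-05-01T11:30:00", "route": "DELETE /api/v1/files/{id}", "actor": "carol", "tenant": "t-200", "object": "file-d", "action": "delete"},
    {"ts": "2024-05-01T12:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "carol", "tenant": "t-200", "object": "file-e", "action": "delete"},
    # dave: tenant field missing -> cannot be attributed, must be surfaced as a gap
    {"ts": "2024-05-01T10:00:00", "route": "DELETE /api/v1/files/{id}", "actor": "dave", "object": "file-x", "action": "delete"},
]


def parse_events(raw_events):
    """Split events into usable ones and ones missing context fields.

    Returns (complete, incomplete); each incomplete entry is (event, missing_fields)
    so the coverage gap is visible instead of silently dropping out of the query.
    """
    complete, incomplete = [], []
    for ev in raw_events:
        missing = [f for f in REQUIRED_FIELDS if not ev.get(f)]
        if missing:
            incomplete.append((ev, missing))
            continue
        parsed = dict(ev)
        parsed["ts"] = datetime.fromisoformat(ev["ts"])
        complete.append(parsed)
    return complete, incomplete


def find_bulk_deletes(events, window=timedelta(minutes=5), threshold=5):
    """Return one hit per (tenant, actor) whose delete events touch at least
    `threshold` DISTINCT objects inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["action"] == "delete":
            by_key[(ev["tenant"], ev["actor"])].append(ev)

    hits = []
    for (tenant, actor), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            objects = {e["object"] for e in in_window}
            if len(objects) >= threshold and (best is None or len(objects) > best["distinct_objects"]):
                best = {
                    "tenant": tenant,
                    "actor": actor,
                    "distinct_objects": len(objects),
                    "window_start": in_window[0]["ts"].isoformat(),
                    "routes": sorted({e["route"] for e in in_window}),
                }
        if best is not None:
            hits.append(best)
    return hits


if __name__ == "__main__":
    complete, incomplete = parse_events(SAMPLE_EVENTS)
    for hit in find_bulk_deletes(complete):
        print("HIT", hit)
    for ev, missing in incomplete:
        print("UNATTRIBUTABLE (missing %s):" % ",".join(missing), ev)
```

Counting distinct objects rather than raw event volume is what keeps bob's retries from firing, and reporting dave's event as unattributable rather than dropping it is the practical consequence of the reminder above: a query that quietly filters out events without tenant context will never tell you that a whole log source is missing a field.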