When dealing with widespread malware, such as a persistent scheduled task, a hunter must be able to aggregate vast amounts of telemetry into a manageable list of impacted assets. Within the CrowdStrike Query Language (CQL) used in LogScale, the groupBy() function is the primary tool for data aggregation and deduplication. While functions like table() simply format the output and stats is often used for mathematical calculations, groupBy() allows the analyst to collapse thousands of individual "ServiceStarted" or "ScheduledTaskRegistered" events into a distinct list based on a specific field, such as aid (Agent ID) or ComputerName.

For this specific scenario, a hunter would query for the specific task name or the command-line arguments associated with the 5-minute execution interval and then pipe those results into | groupBy([aid]). This effectively filters out the noise of repeated executions from the same machine, presenting the hunter with a clear, unique count of every host that has been compromised. This efficiency is vital during the "Scope" phase of an investigation. By utilizing groupBy(), an analyst can quickly determine if the infection is localized to a single department or has spread globally across the enterprise, allowing for a prioritized remediation strategy using Bulk RTR or other containment measures.