While performing a threat hunt in your environment, you decide to identify rare occurrences of user agent strings over the past 30 days. Which query will highlight those results using CQL?
Identifying "rare occurrences" is a core technique in hunting analytics known as Least Frequency Analysis (LFA). In a typical enterprise, standard web browsers and legitimate system services generate millions of events with common UserAgentString values. Adversaries, however, often use custom tools, scripts (such as Python or PowerShell), or specialized Command and Control (C2) agents that leave behind unique or highly infrequent user agent signatures.
The query in Option C is the correct CrowdStrike Query Language (CQL) syntax to surface these outliers. The groupBy(UserAgentString, ...) function aggregates all events by their unique user agent. By including count() within the function, the query engine calculates exactly how many times each string has appeared over the specified 30-day window. The collect() function then retains the investigative context, such as the ComputerName and UserName, associated with each string without splitting the count. Finally, the query pipes the results into sort(_count, order=asc, limit=10). This sorting step is what ensures that the strings with the lowest counts (the "rare" ones) are pushed to the top of the list. This methodology allows a hunter to quickly bypass the "noise" of legitimate traffic and focus on potentially unauthorized tools or non-standard browser versions that could indicate a beachhead or data exfiltration activity.
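The aggregation the explanation describes, as an added Python example that is not part of the original page or CrowdStrike's own tooling: it mirrors groupBy/count/collect followed by an ascending sort over constructed sample events. The CQL text in the docstring is reconstructed from the explanation above, since the option text itself is not on the page.

```python
from collections import Counter, defaultdict

# Constructed sample events, not real telemetry. Each dict stands in for one
# web-request event carrying the three fields the CQL query works with.
SAMPLE_EVENTS = (
    [{"UserAgentString": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
      "ComputerName": f"WS-{i:02d}", "UserName": "alice"} for i in range(1, 6)]
    + [{"UserAgentString": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0",
        "ComputerName": f"WS-{i:02d}", "UserName": "bob"} for i in range(1, 4)]
    + [{"UserAgentString": "python-requests/2.31",
        "ComputerName": "WS-07", "UserName": "svc_backup"},
       {"UserAgentString": "Custom-Agent/1.0",
        "ComputerName": "WS-09", "UserName": "carol"}]
)


def least_frequent_user_agents(events, limit=10):
    """Least Frequency Analysis of user agent strings.

    Reconstructed CQL equivalent (assumed from the explanation, not quoted):
      groupBy(UserAgentString, function=[count(), collect([ComputerName, UserName])])
      | sort(_count, order=asc, limit=10)
    Returns up to `limit` rows, rarest user agent first.
    """
    counts = Counter()            # count() per UserAgentString group
    hosts = defaultdict(set)      # collect([ComputerName]) per group
    users = defaultdict(set)      # collect([UserName]) per group
    for ev in events:
        ua = ev.get("UserAgentString")
        if not ua:                # events without the field form no group
            continue
        counts[ua] += 1
        hosts[ua].add(ev.get("ComputerName", "<unknown>"))
        users[ua].add(ev.get("UserName", "<unknown>"))
    rows = [
        {"UserAgentString": ua, "_count": n,
         "ComputerName": sorted(hosts[ua]), "UserName": sorted(users[ua])}
        for ua, n in counts.items()
    ]
    # order=asc puts the rare strings first; the string itself breaks ties
    # so the output is deterministic.
    rows.sort(key=lambda r: (r["_count"], r["UserAgentString"]))
    return rows[:limit]


if __name__ == "__main__":
    for row in least_frequent_user_agents(SAMPLE_EVENTS, limit=3):
        print(row["_count"], row["UserAgentString"], row["ComputerName"], row["UserName"])
```

A low count is a prioritization signal, not a verdict: each rare row still needs review of the host and user it came from before it is treated as unauthorized tooling.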