In the CrowdStrike Query Language (CQL) used within the LogScale-powered Advanced Event Search, the groupBy() function is the essential tool for data aggregation and summarization. As observed in the first image, Line 2 of the query (partially obscured) uses the function= parameter to define multiple aggregate calculations, such as count(aid, distinct=true) and count(aid). This syntax is the hallmark of a groupBy() statement.
The results shown in the subsequent images display a table in which each row is unique to a specific SHA256HashData value. This indicates that the data has been grouped by that field to summarize its activity across the environment. The groupBy() function allows a hunter to take millions of individual process events and collapse them into a readable format that highlights uniqueEndpoints and totalExecutions per file hash.
This methodology is fundamental to Hunting Analytics, specifically for performing Least Frequency Analysis. By grouping by the hash and counting the unique endpoints, an analyst can quickly identify binaries that are running on only one or two systems, a common characteristic of targeted malware or custom hacking tools. While functions like table (Option C) are used to format the final display and eval (Option A) is used for field transformations, only groupBy() provides the structural aggregation required to generate the multi-column statistical overview seen in the results.
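To make the aggregation concrete, the following is an added example (not part of the original page or of CrowdStrike's own tooling) that reproduces the groupBy() logic in plain Python over a handful of constructed process events. The CQL shape quoted in the docstring is an assumed reconstruction of the query the page describes; the field names aid, SHA256HashData, uniqueEndpoints and totalExecutions come from the page, while the event source name and the placeholder hash values are assumptions made for the example.

```python
"""Least frequency analysis over process-execution events.

Added example, not from the original page. It mirrors the aggregation a
CQL query of roughly this (assumed) shape performs in Advanced Event Search:

    #event_simpleName=ProcessRollup2
    | groupBy([SHA256HashData],
              function=[count(aid, distinct=true, as=uniqueEndpoints),
                        count(aid, as=totalExecutions)])
    | sort(uniqueEndpoints, order=asc)

Here the same grouping is done in Python over constructed sample events so
the mechanics of "group by hash, count distinct hosts, count executions,
surface the rarest" can be inspected and tested offline.
"""
from collections import defaultdict

# Constructed sample events. aid = CrowdStrike agent (endpoint) id.
# The hash values are obvious placeholders, not real SHA-256 digests.
SAMPLE_EVENTS = [
    {"aid": "host-01", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-02", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-03", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-04", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-05", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-01", "SHA256HashData": "sha256-common-placeholder"},
    {"aid": "host-07", "SHA256HashData": "sha256-rare-a-placeholder"},
    {"aid": "host-07", "SHA256HashData": "sha256-rare-a-placeholder"},
    {"aid": "host-07", "SHA256HashData": "sha256-rare-a-placeholder"},
    {"aid": "host-02", "SHA256HashData": "sha256-rare-b-placeholder"},
    {"aid": "host-03", "SHA256HashData": "sha256-rare-b-placeholder"},
    {"aid": "host-09", "SHA256HashData": "sha256-rare-c-placeholder"},
]


def group_by_hash(events):
    """Equivalent of groupBy([SHA256HashData], function=[...]).

    Returns {hash: {"uniqueEndpoints": int, "totalExecutions": int}}.
    uniqueEndpoints is count(aid, distinct=true); totalExecutions is count(aid).
    """
    endpoints = defaultdict(set)   # hash -> set of distinct aids
    executions = defaultdict(int)  # hash -> number of events
    for event in events:
        file_hash = event["SHA256HashData"]
        endpoints[file_hash].add(event["aid"])
        executions[file_hash] += 1
    return {
        h: {"uniqueEndpoints": len(endpoints[h]), "totalExecutions": executions[h]}
        for h in executions
    }


def least_frequent(events, max_endpoints=2):
    """Rows for hashes seen on at most max_endpoints distinct hosts, rarest first.

    Returns a list of (hash, uniqueEndpoints, totalExecutions) tuples, sorted
    ascending by uniqueEndpoints, then totalExecutions, then hash so the
    ordering is deterministic.
    """
    summary = group_by_hash(events)
    rows = [
        (h, s["uniqueEndpoints"], s["totalExecutions"])
        for h, s in summary.items()
        if s["uniqueEndpoints"] <= max_endpoints
    ]
    rows.sort(key=lambda row: (row[1], row[2], row[0]))
    return rows


if __name__ == "__main__":
    # Print the same three-column table the page describes.
    print(f"{'SHA256HashData':<30} {'uniqueEndpoints':>15} {'totalExecutions':>15}")
    for file_hash, unique_hosts, total in least_frequent(SAMPLE_EVENTS):
        print(f"{file_hash:<30} {unique_hosts:>15} {total:>15}")
```

The threshold in least_frequent() is the analyst's choice: a hash present on one or two endpoints is worth a look, while the widely distributed hash is filtered out entirely, which is the point of the Least Frequency Analysis the page describes. In a real hunt the distinct-endpoint count matters more than the raw execution count, which is why the sort key puts uniqueEndpoints first.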