LOG Scale Training - CQL 201: Designing and Optimizing CQL Queries

In this course, you will learn how to: 

• Analyze and interpret raw log data and understand how it's parsed into normalized formats within the CrowdStrike Falcon platform and CrowdStrike Falcon® Next-Gen SIEM
• Construct and execute effective CQL queries to extract specific security data from various sources
• Apply advanced query techniques, including aggregation, joins, and data tables for complex investigations
• Create compelling data visualizations and reports for different audiences and use cases
• Identify and resolve query performance issues to optimize investigation efficiency
• Design and implement parameterized queries for reusable and flexible security analysis
• Leverage pre-built queries and save custom queries for future investigations

•  CQL 101: CrowdStrike Query Language Fundamentals 1
• CQL 102: CrowdStrike Query Language Fundamentals 2
• FALCON 101: Falcon Platform Essentials

• Broadband internet connection, web browser, microphone, and speakers. Chrome is a preferred browser
• Dual monitors and a headset are recommended

Associated materials may be accessed from CrowdStrike University on the day of class.

Interpreting Event Data and Raw Logs 

• Analyze raw log samples to identify key fields before and after CrowdStrike Parsing Standard (CPS) normalization
• Map original log fields to their normalized counterparts in the Falcon platform and Falcon Next-Gen SIEM
• Distinguish between parsed and unparsed log elements using @rawstring
• Troubleshoot parsing issues by comparing raw logs against processed versions
• Categorize different event types and identify common fields across the Falcon platform 

• Navigate and utilize the event data dictionary for field definitions and relationships, 

  CQL Components and Syntax

•  Analyze existing CQL queries to determine their intended functions and scope
• Identify basic CQL syntax elements, operators, and filtering expressions
• Recognize proper field reference syntax for different data types
• Apply Boolean operators and query continuation syntax correctly

• Distinguish between different CQL operators and their specific functions CrowdStrike University CQL 201 

  Build CQL Queries for Falcon 

• Construct targeted queries to extract process execution, network connection, and authentication data
• Build multi-source queries that combine data from various event types
• Apply filtering and sorting techniques using Boolean operators and field-specific conditions
• Create time-range specific queries for focused investigations
• Implement exclusion filters and value comparison operators effectively 

• Follow query writing best practices including proper order of operations and regex usage 

  Enriching and Extending Queries 

• Apply aggregation functions including count(), groupBy(), and statistical functions for data summarization
• Implement timestamp manipulation and conversion techniques for time-based analysis
• Create joins between related event types using various methodologies
• Utilize defineTable() functionality for complex data manipulation and optimization » Build time-based aggregations and correlations for trend analysis 

• Design multi-level joins and temporal correlations for advanced investigations 

  Data Visualization 

• Transform query results into timeline views and executive summaries
• Structure data outputs for incident response handoffs with standardized formats
• Select and configure appropriate visualization types based on security data characteristics
• Create interactive dashboards for dynamic security analysis 

• Format data for various stakeholder audiences and use cases 

  Parameterized CQL and Utilizing Pre-built Queries

•  Design and implement various parameter types, including text, date/time, and multi-select options
• Create dependent parameters that respond dynamically to other selections
• Build reusable parameterized queries for common security investigations
• Load, modify, and optimize pre-built queries for specific investigation needs
• Establish effective query management practices, including naming conventions and organization