Daily Blog #796: Using AI's to help you with EDR searches
The post describes using AI to generate hash-search queries for different EDR platforms (CrowdStrike Falcon, SentinelOne and others) so that a specific hash can be found quickly. 2025-04-03 03:02:00 Author: www.hecfblog.com

By April 02, 2025

Hello Reader,

I've been exploring an effective new use case with various AI models: using them to generate queries across different Endpoint Detection and Response (EDR) platforms. Depending on the client, I regularly switch between multiple EDR solutions, including CrowdStrike Falcon, SentinelOne, Carbon Black Cloud, Palo Alto Cortex XDR, and Microsoft Defender. While I typically know exactly what I want to search for, remembering each platform’s specific syntax (and unique tables—thanks, Microsoft!) can be challenging without a handy cheat sheet.

To simplify things, here are the prompts I gave ChatGPT 4.5 and the queries it returned for finding a specific hash on each EDR platform. Treat them as a starting point: the field names and the events each query actually covers still need checking against your console, because a query on the wrong field returns zero hits, which looks exactly like a clean fleet.

1. CrowdStrike Falcon

Prompt:

"Write a query for CrowdStrike Falcon to search all hosts for a specific hash."

Query:

event_simpleName=ProcessRollup2 SHA256HashData="<your_hash_here>"

Note that ProcessRollup2 only records process executions, so a file that was dropped or loaded but never run will not match. In the newer LogScale-based Falcon search the event name is a tag and is written #event_simpleName=ProcessRollup2.

2. SentinelOne

Prompt:

"Write a query for SentinelOne to search hosts for a specific hash."

Queries:

ProcessHash = "<your_hash_here>"

or

SHA256 = "<sha256_hash_here>"

Treat these two field names as the model's guess rather than your console's schema: Deep Visibility names its hash fields by role (for example TgtProcImageSha256 for the launched process), and the newer PowerQuery syntax uses dotted names. Check the field picker before reading a zero-hit result as a clean fleet.

3. Carbon Black Cloud

Prompt:

"Write a query for Carbon Black Cloud to search all hosts for a specific hash."

Query:

SELECT path, sha256, md5, sha1
FROM hash
WHERE directory IN ('C:\Users\Public', 'C:\Windows\Temp')
  AND (sha256 = '<your_sha256_here>' OR md5 = '<your_md5_here>' OR sha1 = '<your_sha1_here>');

This is an osquery query for Carbon Black Cloud Live Query, and the version the model produced needs two corrections: osquery's file table has no hash columns (they live in the hash table), and both tables require a path or directory constraint, so an unconstrained WHERE clause does not produce results. The directory list above is a placeholder to replace with the locations you want hashed. Live Query hashes files on disk at run time; to search recorded process telemetry instead, the Carbon Black Cloud investigate search takes process_hash:<your_hash_here>.

4. Palo Alto Cortex XDR

Prompt:

"Write a query for Palo Alto XDR to find a hash across all hosts."

Query:

dataset = xdr_data | filter action_file_sha256 = "<your_sha256_hash_here>" or action_process_image_sha256 = "<your_sha256_hash_here>" | fields _time, agent_hostname, action_file_path, action_process_image_path

The model's original filter checked action_file_sha256 alone, which covers file operations but not process launches; the added action_process_image_sha256 clause covers executions and the fields line keeps the output readable.

5. Microsoft Defender for Endpoint

Prompt:

"Write a query for Microsoft Defender to search hosts for a specific hash."

Queries:

DeviceFileEvents | where SHA256 == "<your_sha256_hash_here>"

For processes:

DeviceProcessEvents | where SHA256 == "<your_sha256_hash_here>" | project Timestamp, DeviceName, FileName, FolderPath, SHA256

Two things to keep in mind with KQL: == is case-sensitive and Defender stores hashes in lower-case hex, so paste the hash in lower case (or use =~); and DLLs show up in DeviceImageLoadEvents, which carries the same SHA256 column and can be searched the same way.
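As an added example (my code, not the post's or any vendor's), the small Python script below does the part the prompts leave to the analyst: it validates the pasted hash, works out whether it is MD5, SHA-1 or SHA-256, lower-cases it, and renders the query for Falcon, Cortex XDR, Defender and Carbon Black Live Query with the field that matches the algorithm. The SHA-256 field names are the ones in the queries above; the MD5 and SHA-1 siblings, the extra Cortex process field, the Defender union and the Live Query directory list are assumptions to verify against your own tenant. SentinelOne is left out because its field names depend on which of its query languages you are in.

```python
"""Normalize a hash and render the hash-hunt query for several EDR consoles.

Added example for this post, not code from the original. The SHA-256 field
names match the queries in the post; the MD5/SHA-1 siblings, the extra
process/image fields and the Live Query directories are assumptions.
"""
from __future__ import annotations

import re

# Hex-digit count -> algorithm. Any other length is refused up front: a
# truncated or mis-pasted hash sent to a console returns zero hits, which
# reads like a clean fleet.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Assumed per-algorithm field names. Cortex XDR gets no SHA-1 entry because
# xdr_data exposes md5/sha256 fields only (assumption).
FALCON_FIELDS = {"md5": "MD5HashData", "sha1": "SHA1HashData", "sha256": "SHA256HashData"}
XDR_FIELDS = {
    "md5": ("action_file_md5", "action_process_image_md5"),
    "sha256": ("action_file_sha256", "action_process_image_sha256"),
}
DEFENDER_FIELDS = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}


def normalize_hash(raw: str) -> tuple[str, str]:
    """Return (algorithm, lower-case hex) for a hash pasted from anywhere.

    Strips whitespace and a "sha256:"-style prefix and lower-cases the hex:
    consoles that store lower-case hex and compare case-sensitively (KQL's
    == does) silently miss an upper-case hash.
    """
    value = raw.strip().lower()
    if ":" in value:
        value = value.rsplit(":", 1)[1]
    if not HEX_RE.fullmatch(value):
        raise ValueError(f"not a hex string: {raw!r}")
    algo = HASH_ALGOS.get(len(value))
    if algo is None:
        raise ValueError(f"unsupported hash length {len(value)}: {raw!r}")
    return algo, value


def build_queries(raw: str, live_query_dirs=(r"C:\Users\Public", r"C:\Windows\Temp")) -> dict[str, str]:
    """Render one query per platform, keyed by platform name."""
    algo, h = normalize_hash(raw)
    queries: dict[str, str] = {}

    # Falcon: ProcessRollup2 only, i.e. executions (same scope as the post's query).
    queries["falcon"] = f'event_simpleName=ProcessRollup2 {FALCON_FIELDS[algo]}="{h}"'

    # Cortex XDR: file operations and process launches in one filter.
    if algo in XDR_FIELDS:
        file_field, proc_field = XDR_FIELDS[algo]
        queries["cortex_xdr"] = (
            f'dataset = xdr_data | filter {file_field} = "{h}" or {proc_field} = "{h}" '
            "| fields _time, agent_hostname, action_file_path, action_process_image_path"
        )

    # Defender: union the three tables that carry file hashes.
    col = DEFENDER_FIELDS[algo]
    queries["defender"] = (
        "union DeviceFileEvents, DeviceProcessEvents, DeviceImageLoadEvents "
        f'| where {col} == "{h}" '
        f"| project Timestamp, DeviceName, FileName, FolderPath, {col}"
    )

    # Carbon Black Cloud Live Query (osquery): the hash table hashes files on
    # disk at query time and requires a path or directory constraint.
    dirs = ", ".join(f"'{d}'" for d in live_query_dirs)
    queries["carbon_black_live_query"] = (
        f"SELECT path, md5, sha1, sha256 FROM hash WHERE directory IN ({dirs}) AND {algo} = '{h}';"
    )
    return queries


if __name__ == "__main__":
    # Constructed input: the MD5 of the empty file, in the upper-case form a
    # Windows tool might print it.
    for name, q in build_queries("D41D8CD98F00B204E9800998ECF8427E").items():
        print(f"[{name}] {q}")
```

Feed it whatever the intel report gives you; a hash that is the wrong length or contains non-hex characters raises before anything is sent to a console, and a SHA-1 simply produces no Cortex entry rather than a query on a field that does not exist.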

Next time you're stuck recalling the exact syntax but know precisely what you're looking for, just ask your friendly neighborhood AI assistant for a quick reminder!


Source: https://www.hecfblog.com/2025/04/daily-blog-796-using-ais-to-help-you.html