Merge pull request #34 from ByteRay-Labs/submission/a43cd0f4-e0bc-47aa-bc6c-e7e005389c3e

New Query: Identify Shadow SaaS

Author: dweissbacher

queries/identify_shadow_saas.yml

@@ -0,0 +1,38 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Identify Shadow SaaS
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1526
+
+# Description of what the query does and its purpose.
+description: |
+  This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.
+
+# The author or team that created the query.
+author: ByteRay GmbH
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Endpoint
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+  - Insight
+
+# Tags for filtering and categorization.
+tags:
+  - Monitoring
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  #event_simpleName=DnsRequest DomainName=*
+  | match(file="shadow-saas.csv", field=[DomainName], column=[Domains], strict=true,mode=glob)
+  | Category=?Category
+  | Vendor=?Vendor
+  | Application=?Application
+  | groupBy(ComputerName, Vendor, Application, Category)
+