socq
SOC query translator — daily hunting intents to KQL + AQL, with a built-in Windows event-ID catalogue
v1.3.1
Linux
Quick start
Install via jcli
jcli install socqDaily SOC intents → ready-to-paste queries
# Find a user's sign-ins for the last 7 days (KQL for Sentinel)
socq --target sentinel find-user --name "alice@example.com" --last-7d
# Same intent, Defender XDR dialect (Timestamp instead of TimeGenerated)
socq --target defender find-user --name "alice@example.com" --last-7d
# QRadar AQL, last 24 hours (default)
socq --target qradar find-user --name "alice"
# Failed logins above a threshold
socq --target sentinel failed-logins --user "alice" --threshold 10 --last-24h
# All connections from a host to a specific destination IP
socq --target defender host-connections --host WIN-001 --to-ip 1.2.3.4 --last-3d
# Hash IOC hunt across endpoint telemetry
socq --target defender ioc-hash --sha256 ab12cd34...
# Time window via explicit START/STOP
socq --target qradar ioc-ip --ip 10.0.0.5 --between "2026-06-01 00:00" "2026-06-04 12:00"Event-ID catalogue (built-in lookup)
# Look up a Windows Security Audit event by ID (410 entries, offline)
socq event winos 4624
socq event winos 4769
# Free-text search across summary + detail + category
socq event winos --search "pre-auth"
socq event winos --search "lockout"
# Hierarchical source slot — linux / cisco / siem catalogues land later
socq event linux 1100Port-number reference (security flag)
# Port lookup with colour-coded status (green SECURE / red INSECURE / …)
socq port 22
socq port 23
socq port 6379
# Free-text search across the curated catalogue
socq port --search wireguard
socq port --search smb
# Compact one-liner per row across the whole catalogue
socq port --listDiscovery + ergonomics
# List every recipe with the SIEMs it supports
socq list-recipes
# Per-recipe prerequisites + analyst notes + MITRE tags + doc citations
socq explain kerberos-anomaly
# Wrap the query with a 4-line header comment (target / recipe / time / source)
socq --target sentinel --header find-user --name alice --last-24h
# Copy directly to the clipboard via wl-copy / xclip / xsel
socq --target qradar --copy ioc-ip --ip 1.2.3.4
# Markdown export — wraps the emitted query in a fenced code block
# tagged `kql` / `sql` so it pastes cleanly into runbooks
socq --target sentinel --format md find-user --name alice --last-24h
socq --target defender --format md --header host-processes --host WIN-001Reference subcommands (new in v1.1)
# MITRE ATT&CK technique lookup — ~60 curated enterprise techniques
socq ttp T1059.001 # by T-code
socq ttp "powershell" # by name (case-insensitive substring)
# → tactic + summary + attack.mitre.org URL + list of matching recipes
# Investigation packs — ordered multi-recipe playbooks
socq pack # list available packs
socq pack bec # BEC walkthrough (find-user → risky-signins → mfa-fatigue → …)
socq pack ransomware # ransomware playbook
socq pack credential-theft # credential-theft hunt
socq pack insider-exfil # insider exfiltration scenario
socq pack initial-access # initial-access discovery
socq pack privilege-escalation
# KQL / AQL syntax quick-reference cards
socq syntax operators # core operator tables, per dialect
socq syntax time # time-window patterns
socq syntax aggregation # summarize / group-by recipesWhy socq
- Deterministic. Template-driven emitters, not an LLM. Same input → same output, every time. Inspectable, reviewable, auditable.
- Schema-cited. Each recipe carries the official Microsoft Learn (KQL) / IBM Docs (AQL) URL backing every column name — one command surfaces the source.
- Gap-honest. Where a target can't faithfully express a recipe (Kerberos 4768/4769 on Defender XDR; DNS on QRadar without a DSM), the tool refuses with a clear explanation instead of emitting a silently-wrong query.
- Time vocabulary that matches the SOC clock.
--last-hour/--last-24h/--last-3d/--last-7d(alias--last-week) /--last-30d/--last-6m, plus--between START STOPand--since X. Renders correctly per dialect:TimeGenerated >= ago(24h),Timestamp >= ago(24h),LAST 24 HOURS. - Hierarchical event database.
socq event <source> <id>ships with the Microsoft Windows Security Audit catalogue (410 events);linux/cisco/siemare stub source slots awaiting future drops. - Zero runtime dependencies. Single Rust binary. Same suite installer (jcli) as the rest of cli.johlem.net.
Recipe catalogue
| Recipe | Sentinel | Defender | QRadar | What it answers |
|---|---|---|---|---|
find-user | ✓ | ✓ | ✓ | Sign-ins / activity for a username |
failed-logins | ✓ | ✓ | ✓ | Failed sign-ins above a threshold |
new-user | ✓ | — | ✓ | Account creation events |
privilege-grant | ✓ | — | ✓ | Role / admin group changes |
risky-signins | ✓ | — | — | Entra ID Protection risk detections |
host-processes | ✓ | ✓ | ✓ | 4688 / DeviceProcessEvents |
host-connections | ✓ | ✓ | ✓ | Outbound connections from a host |
dns-to-domain | ✓ | ✓ | ✓ | DNS queries to a domain |
host-file-writes | ✓ | ✓ | ✓ | 4663 / Sysmon 11 / DeviceFileEvents |
host-logons | ✓ | ✓ | ✓ | 4624 / 4625 / DeviceLogonEvents |
alerts-by-severity | ✓ | ✓ | ✓ | Native alerts / offenses |
email-by-sender | ✓ | ✓ | ✓ | Email delivery events |
ioc-hash | ✓ | ✓ | ✓ | SHA-256 / SHA-1 / MD5 IOC |
ioc-ip | ✓ | ✓ | ✓ | IP IOC across endpoints + flows |
ioc-domain | ✓ | ✓ | ✓ | Domain / URL IOC |
rdp-sources | ✓ | ✓ | ✓ | RDP source IPs (logon type 10) |
smb-anomaly | — | ✓ | ✓ | SMB (445 / 139) traffic |
kerberos-anomaly | ✓ | — | ✓ | 4768 / 4769 ticket events |
legacy-auth | ✓ | — | — | Basic / legacy auth sign-ins |
cloud-app-activity | ✓ | ✓ | ✓ | CloudAppEvents by user / app |
| v1.1 — 8 new hunting recipes: | ||||
oauth-consent | ✓ | ✓ | — | OAuth consent grants (consent-phishing). T1528, T1098.003 |
inbox-rules | ✓ | ✓ | — | New / modified inbox rules — BEC tradecraft. T1564.008, T1114.003 |
mail-forwarding | ✓ | ✓ | — | Set-Mailbox with ForwardingSmtpAddress / ForwardingAddress. T1114.003, T1098.002 |
encoded-powershell | — | ✓ | ✓ | PowerShell -EncodedCommand / -enc invocations. T1059.001, T1027 |
lolbin-exec | — | ✓ | ✓ | Curated LOLBin process list (certutil, mshta, rundll32, regsvr32, …). T1218, T1059, T1140 |
pim-role-activation | ✓ | — | — | Entra PIM just-in-time admin activations. T1078.004, T1098.003 |
conditional-access-change | ✓ | — | — | Entra CA policy create / update / delete. T1556, T1484.002 |
mfa-fatigue | ✓ | — | — | Repeated MFA challenges within 15 min followed by a success (push-bombing). T1621, T1110.004 |
Investigation packs
Memo-style ordered playbooks — each step picks a recipe with a one-line rationale, in the order an on-call analyst typically runs them. Recipe slugs are compile-time-checked against the catalogue so a renamed recipe never silently breaks a pack.
| Pack | Scenario |
|---|---|
bec | Business Email Compromise — mailbox compromise, fraudulent invoice, unexpected forwarding |
ransomware | EDR fires on encryption activity, or user reports .encrypted files / ransom note |
credential-theft | Risky sign-in, password-spray hit, or stolen-creds tip-off |
insider-exfil | HR notice of departure + suspicion of data-theft staging |
initial-access | First-touch discovery — phishing link clicked, exposed-RDP brute force, etc. |
privilege-escalation | Suspected lateral movement / admin-group abuse / PIM tampering |
Reference subcommands
socq ttp <T-code|name>— MITRE ATT&CK lookup against ~60 curated enterprise techniques. Returns the canonical name, tactic, one-line summary, theattack.mitre.orgURL, and every recipe that lists this technique in its MITRE tag set.socq pack <slug>— render an investigation pack to the terminal as a checklist with per-step "why this step" lines.socq syntax <topic>— KQL and AQL quick-reference cards. Operators, where-predicates, string / time / aggregation functions, paste-ready patterns. Sourced from Microsoft Learn and IBM Ariel docs.--format md— global markdown export.explainrenders headings + bullet lists; emitted queries wrap in a fenced code block with the dialect tag (kql/sql) so they paste clean into runbooks, Notion, or GitHub.