Huntress SIEM Query Library

· 4 min read
tacticalBeard
Automation Enthusiast

If you're using Huntress Managed SIEM, you know the power of good queries — and the frustration of scattered, undocumented detection rules. I built the Huntress SIEM Library to solve that problem.

This is a community-focused repository for sharing, version-controlling, and collaborating on Huntress SIEM queries using ES|QL (Elastic Stack Query Language).

Why This Library Exists

When working with SIEM platforms, I kept running into the same issues:

  • Queries scattered across different documents
  • No version control or change tracking
  • Inconsistent formatting making queries hard to read
  • Missing context about what a query actually does

So I built a standardized library with a consistent format, clear documentation, and version control built in.

What's Inside

The library includes:

  • Detection queries for security threats and anomalies
  • Troubleshooting queries for investigating system issues
  • Standardized YAML format for consistency across all queries
  • Templates for creating and modifying your own queries
  • Documentation linking back to original sources and references

Note

Some queries aren't directly security-focused but are useful for troubleshooting operational issues. Security isn't just about detecting threats — it's about understanding your environment.

Query Format

Every query in the library follows a standardized YAML structure:

    title: Query Name Here
    id: unique-identifier
    status: stable | experimental | deprecated
    description: >
      What this query does and why it's useful
    author: Your Name
    date: 2025-01-15
    modified: 2025-01-20
    references:
      - https://source-documentation.com
    tags:
      - tag1
      - tag2
    logsource:
      language: ES|QL
      platform: Huntress SIEM
      type: windows | linux | network
    analyst_notes: >
      Additional context, known limitations, or usage tips
    query: >
      FROM logs
      | WHERE
          condition
      | KEEP
          fields you want to display
      | LIMIT
          count

This format makes it easy to:

  • Search and filter queries by tags, platform, or status
  • Track changes over time with version control
  • Share knowledge with analyst notes and references
  • Reuse templates for creating new queries
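As an added example (not code from the library or its author), here is a small loader that turns an entry in the YAML format above into a Python dict, checks it against the template, and filters a set of entries by tag, platform or status, which is the "search and filter" use the list above describes. The parser deliberately covers only the subset of YAML the template uses (scalar keys, `- item` lists, the nested `logsource` mapping and `>` folded blocks) so the script runs with no third-party dependency; in a real pipeline you would load the files with PyYAML. Which fields count as required, the accepted `logsource.type` values, and the sample entry with its ES|QL query and field names are all assumptions made for this demonstration.

```python
import re

# Fields every template entry carries (treated as required here; an assumption).
REQUIRED = ("title", "id", "status", "description", "author", "date", "logsource", "query")
STATUSES = {"stable", "experimental", "deprecated"}
LOG_TYPES = {"windows", "linux", "network"}

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _collect_block(lines, i, indent):
    """Gather stripped lines indented deeper than `indent` (a list body or folded scalar)."""
    items = []
    while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > indent):
        if lines[i].strip():
            items.append(lines[i].strip())
        i += 1
    return items, i

def _parse_mapping(lines, i, indent):
    """Parse `key: value` lines at exactly `indent` columns; returns (dict, next index).
    Only the template's YAML subset is covered; use PyYAML for anything richer."""
    out = {}
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        if _indent(line) < indent:
            break
        m = re.match(r"^ *([A-Za-z_]\w*):(?:\s+(.*))?$", line)
        if not m or _indent(line) != indent:
            raise ValueError(f"line {i + 1}: cannot parse {line!r}")
        key, raw = m.group(1), (m.group(2) or "").strip()
        i += 1
        nxt = next((j for j in range(i, len(lines)) if lines[j].strip()), len(lines))
        if raw == ">":
            # Folded scalar: the lines join with spaces, so the readable multi-line
            # ES|QL pipeline comes back as one statement ready to paste into the SIEM.
            body, i = _collect_block(lines, i, indent)
            out[key] = " ".join(body)
        elif raw == "" and nxt < len(lines) and _indent(lines[nxt]) > indent:
            if lines[nxt].lstrip().startswith("- "):
                body, i = _collect_block(lines, i, indent)
                out[key] = [item[2:].strip() for item in body]
            else:
                out[key], i = _parse_mapping(lines, nxt, _indent(lines[nxt]))
        else:
            out[key] = raw
    return out, i

def parse_query_yaml(text):
    return _parse_mapping(text.splitlines(), 0, 0)[0]

def validate_query(doc):
    """Return the template violations found; an empty list means the entry is well-formed."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not doc.get(k)]
    if doc.get("status") not in STATUSES:
        problems.append(f"status must be one of {sorted(STATUSES)}")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", str(doc.get("date", ""))):
        problems.append("date must be YYYY-MM-DD")
    ls = doc.get("logsource") if isinstance(doc.get("logsource"), dict) else {}
    if ls.get("language") != "ES|QL" or ls.get("type") not in LOG_TYPES:
        problems.append("logsource must declare language ES|QL and a known type")
    if not str(doc.get("query", "")).upper().startswith("FROM "):
        problems.append("query must begin with a FROM source command")
    return problems

def filter_queries(docs, tag=None, platform=None, status=None):
    """Select entries by tag, logsource.platform and/or status; every given filter must match."""
    return [d for d in docs
            if (tag is None or tag in d.get("tags", []))
            and (platform is None or (d.get("logsource") or {}).get("platform") == platform)
            and (status is None or d.get("status") == status)]

# Constructed sample entry for the demo (field names assumed); not a query from the library.
SAMPLE_ENTRY = """\
title: Failed logon burst per account
id: sample-failed-logon-burst
status: experimental
description: Constructed sample used to exercise the loader.
author: Example Analyst
date: 2025-01-15
tags:
  - windows
logsource:
  language: ES|QL
  platform: Huntress SIEM
  type: windows
query: >
  FROM logs
  | WHERE event.code == "4625"
  | STATS failures = COUNT(*) BY user.name
  | WHERE failures > 20
  | LIMIT 100
"""
```

Calling `parse_query_yaml(SAMPLE_ENTRY)` gives a dict whose `query` value is the pipeline on a single line, which is the standard YAML folded-scalar behaviour and the reason the template uses `>`: the file stays readable while the loaded value is something you can paste straight into the SIEM. `validate_query` returns an empty list for the sample, and a list of messages (missing fields, an unknown status, a date in the wrong form, a query that does not start with `FROM`) for a broken entry, so it can run as a pre-commit or CI check on every pull request before a query is merged.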

Key Features

📝 Standardized Format

Every query follows the same structure, making it easy to read and understand at a glance.

🔄 Version Control

Built for Git from day one. Track changes, collaborate with others, and roll back if needed.

📚 Documentation

Each query includes references to source material, analyst notes, and usage context.

🎯 Readable Formatting

Queries are formatted for readability, not performance. Multi-line formatting with clear indentation makes complex queries easier to understand and modify.

Performance Note

The formatting prioritizes readability over query optimization. For production environments, you may want to condense queries — but start with readable versions that you can actually maintain.

Tech Stack

  • ES|QL (Elastic Stack Query Language)
  • Huntress Managed SIEM
  • YAML for query metadata and structure

Getting Started

Just Using the Queries

If you just want to use the queries without contributing back:

  1. Clone the repository:

    git clone https://github.com/tacticalBeard-dev/huntress_siem_library.git
  2. Browse the queries in the repository

  3. Copy queries you need into your Huntress SIEM

  4. Modify as needed for your environment

Contributing to the Library

If you want to add your own queries or improve existing ones:

  1. Fork the repository on GitHub

    • Click the "Fork" button on the repository page
    • This creates your own copy you can modify
  2. Clone your fork:

    git clone https://github.com/YOUR-USERNAME/huntress_siem_library.git
    cd huntress_siem_library
  3. Add your queries using the YAML template

  4. Test your queries in your Huntress SIEM environment

  5. Commit and push your changes:

    git add .
    git commit -m "Add query for [description]"
    git push origin main
  6. Submit a pull request back to the main repository

Contributing

This is a community project! If you've built useful Huntress SIEM queries, share them:

  1. Fork the repository
  2. Add your query using the YAML template
  3. Test it in your environment
  4. Submit a pull request

Resources


Current Status: Work in progress — actively adding new queries and refining the format.

Check out the repository on GitHub and contribute your own queries!