You are performing an advanced search of all detections in the last 90 days in...

Within the LogScale-powered Advanced Event Search , the groupBy() function is the primary analytical tool for aggregating high-volume data into meaningful summaries. When dealing with the #repo=detections repository, an analyst is often overwhelmed by the sheer number of individual alerts. By grouping the results by FileName and CommandLine, the hunter can effectively "stack" similar malicious activities, allowing them to identify widespread patterns—such as a specific script being executed across hundreds of hosts—rather than triaging each event in isolation.

The function=collect([ComputerName]) argument is particularly valuable in Hunting Analytics as it creates a list of all unique endpoints associated with each specific process/command-line combination. This provides an immediate view of the "blast radius" for a particular detection. While the stats function is often used for mathematical calculations like counting or averaging, groupBy is the standard and most efficient syntax for organizational clustering in the Falcon environment. Using the limit=max parameter ensures that the query doesn't truncate the results, providing a complete picture of the activity across the 90-day window. This methodology transforms a raw list of detections into structured threat intelligence, enabling the hunter to prioritize remediation for the most prevalent or geographically widespread threats first.