The following query shows IoCs for XSS and SQLi. The complete query is wrapped since this site is not accepting it. The query should also include "OR javascript", followed by ":alert".
index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js" OR "cookie-min.js" OR "RESET-COOKIE" OR "form.user-info-from-cookie") AND ("&#" OR "script>" OR "script%3E" OR "`" OR "cookie" OR "alert(" OR "</" OR "@@" OR "%40%40" OR "<scr" OR "%3Cscr" OR "<" OR "%3C%2F" OR "..%2F" OR ".." OR "%2E%2E" OR "javascript:alert") uri_query!="-" uri_query!="utm_*" | table _time, clientip, status, uri_query | sort -_time
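As an added example (not part of the original post), the Python below emulates the query's exclusion list, indicator list and uri_query filters over a few constructed IIS log lines and reports which indicator terms fire on each line. It uses plain substring matching, which is only an approximation of Splunk's indexed-term search.

```python
# Exclusions from the NOT (...) clause of the posted query.
EXCLUDES = ["cookie.js", "script.js", "cookie-min.js", "RESET-COOKIE",
            "form.user-info-from-cookie"]
# Indicator terms from the AND (...) clause, plus the "javascript:alert"
# term the post says the forum software stripped.
INDICATORS = ["&#", "script>", "script%3E", "`", "cookie", "alert(", "</",
              "@@", "%40%40", "<scr", "%3Cscr", "<", "%3C%2F", "..%2F",
              "..", "%2E%2E", "javascript:alert"]

# Constructed IIS log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status); not taken from any real server.
SAMPLE_LOG = """\
2024-01-01 10:00:00 203.0.113.5 GET /index.html - 200
2024-01-01 10:00:01 203.0.113.5 GET /static/cookie.js v=3 200
2024-01-01 10:00:02 198.51.100.7 GET /search q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2024-01-01 10:00:03 198.51.100.9 GET /item id=1%20or%20@@version 500
2024-01-01 10:00:04 203.0.113.5 GET /track utm_source=newsletter 200
"""


def parse_iis(line):
    """Split one constructed W3C-style line into the fields the query tables."""
    date, time, clientip, method, stem, query, status = line.split()
    return {"_time": f"{date} {time}", "clientip": clientip,
            "status": status, "uri_query": query, "_raw": line}


def matching_indicators(event):
    """Return the indicator terms that fire, or [] if a filter excludes the event."""
    raw = event["_raw"].lower()
    if any(x.lower() in raw for x in EXCLUDES):      # NOT (...) clause
        return []
    q = event["uri_query"]
    if q == "-" or q.startswith("utm_"):             # uri_query!="-" / !="utm_*"
        return []
    return [t for t in INDICATORS if t.lower() in raw]


def run(log):
    """Emulate '| table _time, clientip, status, uri_query | sort -_time'."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_iis(line)
        found = matching_indicators(ev)
        if found:
            hits.append((ev["_time"], ev["clientip"], ev["status"],
                         ev["uri_query"], found))
    hits.sort(reverse=True)   # newest first, like sort -_time
    return hits
```

Of the whole indicator list only "@@", "%40%40" and the backtick are SQL-oriented, so the emulation flags the "@@version" line but would be silent on most other SQLi shapes.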
Hey @rkingma
it’s not detecting SQLi.