Helix: UI Features to Enhance Your Experience

Version 16

    Helix is a Security Operations Platform that serves the different roles on a SOC team. Beyond the main workflows, a number of small UI features make day-to-day work noticeably smoother. This document walks through those features, with the query behind each one.


    Narrow the Beam

    The TimeWrinkle control narrows the search window around an alert, for example to the five minutes before and after a specific event or alert, so the investigation stays focused on the activity of interest:

    DOC-7132_NarrowBeam.jpg


    Querying Alerts

    Every alert produces a meta-event in the alerts class, so alerts themselves can be queried like any other event, whether for dashboards or for hunting:

    class=alerts | table [id, risk, message]

    DOC-7132_QueryingAlerts.jpg


    Lifespan of Alerts

    Alerts are indexed like any other event, but they are retained longer than ordinary indexed events. The default search window is 16 days for searches and 1 week for dashboards; the start keyword overrides it. In a dashboard widget, for example, alert counts over the last two months can be compared to see month-over-month trends:

    class=alerts start:"2 months ago"

    DOC-7132_LifespanOfAlerts_1.jpg

    DOC-7132_LifespanOfAlerts_2.jpg


    Killchain Mapping

    Helix also decorates each alert with a kill chain stage in the kill_chain field, so alerts can be grouped by the phase of the attack they indicate:

    class=alerts | groupby kill_chain

    DOC-7132_KillchainMapping.jpg


    Querying Nested JSON

    Some fields contain nested JSON. Individual nested keys are addressed with dot notation and can then be used in table and other operators like any flat field:

    class=alerts | table [first_event_at,risk,message,metaclasses,alert_type_details.detail.class,origin,alert_type_details.summary,alert_type_details.source,alert_type_details.destination]

    DOC-7132_QueryingNestedJSON.jpg


    Context and Other Events of Interest

    Many rules have alerting disabled, but events that match them are still decorated with the rule name in the detect_rulenames field. This field is a rich source of context and a good starting point when hunting. Note that the query result alone does not tell you whether a given rule has alerting enabled or disabled; a rule name in detect_rulenames does not imply that an alert was raised.

    has:detect_rulenames | groupby detect_rulenames

    DOC-7132_ContextAndOther_2.jpg
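    The two ideas above, dot-notation access into nested JSON (Querying Nested JSON) and grouping on a field that may hold several values (detect_rulenames), are easier to reason about with a small model of what table and groupby do. The Python below is an added illustration written for this page; it is not Helix code and does not talk to Helix. The sample events, rule names and values are constructed; the only real names in them are the field names used in the queries above.

```python
import json

# Constructed sample data (not real Helix output). Field names follow the
# queries on this page; every value, IP and rule name is made up.
SAMPLE_EVENTS = [
    {
        "id": 1001, "class": "alerts", "risk": 80,
        "message": "Encoded PowerShell download cradle",
        "kill_chain": "Exploitation",
        "detect_rulenames": ["WINDOWS METHODOLOGY [Encoded PowerShell]"],
        "alert_type_details": {
            "summary": "encoded command launched from Office",
            "source": "10.0.0.5",
            "destination": "203.0.113.9",
            "detail": {"class": "ms_windows_event"},
        },
    },
    {
        "id": 1002, "class": "alerts", "risk": 40,
        "message": "Outbound beacon to rare domain",
        "kill_chain": "Command and Control",
        "detect_rulenames": [
            "NETWORK METHODOLOGY [Rare Domain]",
            "NETWORK METHODOLOGY [Periodic Beacon]",
        ],
        # Some sources deliver the nested blob as a JSON string, not an object.
        "alert_type_details": json.dumps({
            "summary": "periodic HTTP beacon",
            "source": "10.0.0.7",
            "destination": "198.51.100.20",
            "detail": {"class": "proxy"},
        }),
    },
    {
        # Event matched by a rule with alerting disabled: decorated with the
        # rule name, but it carries no alert fields at all.
        "id": 1003, "class": "ms_windows_event",
        "detect_rulenames": ["WINDOWS METHODOLOGY [Encoded PowerShell]"],
    },
]


def resolve(doc, path):
    """Walk a dotted path such as alert_type_details.detail.class.

    Returns None (rather than raising) when any segment is missing, and
    transparently parses a segment whose value is a JSON-encoded string.
    """
    cur = doc
    for key in path.split("."):
        if isinstance(cur, str):
            try:
                cur = json.loads(cur)
            except ValueError:
                return None
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def table(docs, columns):
    """Project each document onto the requested (possibly dotted) columns."""
    return [{col: resolve(d, col) for col in columns} for d in docs]


def groupby(docs, field):
    """Count documents per value of a field.

    Multi-valued fields such as detect_rulenames contribute one count per
    value; documents lacking the field are skipped, as has:field would.
    """
    counts = {}
    for d in docs:
        value = resolve(d, field)
        if value is None:
            continue
        for v in (value if isinstance(value, list) else [value]):
            counts[v] = counts.get(v, 0) + 1
    # Most frequent first, then alphabetical, the way a groupby panel reads.
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))))


if __name__ == "__main__":
    columns = ["id", "risk", "alert_type_details.detail.class",
               "alert_type_details.destination"]
    for row in table(SAMPLE_EVENTS, columns):
        print(row)
    print(groupby(SAMPLE_EVENTS, "kill_chain"))
    print(groupby(SAMPLE_EVENTS, "detect_rulenames"))
```

    Two edge cases the model handles are worth checking against real data: a nested field delivered as a JSON string rather than an object (the resolver parses it before descending), and an event that carries detect_rulenames without any alert fields (it is counted by groupby but yields None for every alert column, which is exactly why the rule name alone cannot tell you whether an alert fired).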

    Analytics events are also worth reviewing for behaviour that departs from the norm:

    class=analytics | groupby application

    DOC-7132_ContextAndOther_1.jpg


    Additional Resources


    To learn more about the Helix platform, see the following resources: