Helix: UI Features to Enhance Your Experience

Version 16

    Helix is a powerful Security Operations Platform that serves the different roles on a SOC team. It also has a number of small UI features that make day-to-day work noticeably smoother. This document describes those features.



    Narrow the Beam


    TimeWrinkle is very useful for focusing an investigation around an alert, for example on the 5 minutes before or after a specific event or alert.



    Querying Alerts


    Alerts generate meta-events that can themselves be queried, for dashboards or for hunting:

    class=alerts | table [id, risk, message]



    Lifespan of Alerts


    Alerts are indexed like all other events, but they are retained longer than ordinary indexed events. The start keyword overrides the default search timespan (16 days for search, 1 week for dashboards). As a dashboard widget, for example, alert counts over 2 months can be compared to show monthly trends:

    class=alerts start:"2 months ago"




    Killchain Mapping


    Helix also decorates each alert with a killchain stage:

    class=alerts | groupby kill_chain



    Querying Nested JSON


    Some fields contain JSON data. Nested keys can be queried with dot notation:

    class=alerts | table [first_event_at,risk,message,metaclasses,alert_type_details.detail.class,origin,alert_type_details.summary,alert_type_details.source,alert_type_details.destination]



    Context and Other Events of Interest


    Many rules have alerting disabled, but matching events are still decorated with the rule name in a field called detect_rulenames. This field is a rich source of context and a good starting point for a hunt. Note that the query alone cannot distinguish events from rules with alerting enabled from those with alerting disabled.

    has:detect_rulenames | groupby detect_rulenames



    Analytics are also worth reviewing for behaviors outside the norm:

    class=analytics | groupby application



    Additional Resources


    To learn more about the Helix platform, see the following resources: