Helix is a Security Operations Platform that serves several roles within a SOC team. Beyond the main workflows, a number of smaller UI and query features make day-to-day use noticeably smoother. This document describes those features.
Narrow the Beam
Time Wrinkle is useful for focusing an investigation around an alert: it widens the search to a window around a specific event or alert, for example 5 minutes before and after it.
Alerts also generate meta-events in the alerts class, which can be queried like any other event for dashboards or hunting:
class=alerts | table [id, risk, message]
Lifespan of Alerts
Alerts are indexed like any other event, but they are retained longer than ordinary indexed events. The default search window is 16 days for searches and 1 week for dashboards; the start keyword overrides it. A dashboard widget can therefore compare alert counts over 2 months, for example to show monthly trends:
class=alerts start:"2 months ago"
Helix also decorates each alert with a kill chain stage, held in the kill_chain field:
class=alerts | groupby kill_chain
Querying Nested JSON
Some fields contain JSON objects. Nested keys are addressed with dot notation, for example alert_type_details.detail.class:
class=alerts | table [first_event_at, risk, message, metaclasses, alert_type_details.detail.class, origin, alert_type_details.summary, alert_type_details.source, alert_type_details.destination]
Context and Other Events of Interest
Many rules have alerting disabled, but events that match them are still decorated with the rule name in the detect_rulenames field. This is a rich source of context and a good starting point for hunting. Note that the query result alone does not show whether a given rule has alerting enabled or disabled:
has:detect_rulenames | groupby detect_rulenames
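The two query patterns above, dot-notation access into nested JSON (the alert_type_details table) and groupby over a decorating field (detect_rulenames), are shown below as an added Python example. It is not Helix code and does not call the Helix API; it runs the same projections and groupings offline over constructed records shaped like the page's queries assume (class, risk, message, kill_chain, alert_type_details.*, detect_rulenames). The rule names, addresses and IDs are placeholders, and detect_rulenames is assumed to be multi-valued, which is why the groupby counts each listed rule separately.

```python
"""Dot-notation field access and groupby over Helix-style alert JSON.

Added example code; it is not part of Helix and does not call the Helix
API. The records below are constructed to match the field names the
queries on this page use and are deliberately simplified."""
from collections import Counter
from typing import Any, Iterable

# Constructed sample events. Rule names, addresses and IDs are placeholders.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "class": "alerts", "id": "alert-1", "risk": "high",
        "message": "Encoded PowerShell command", "kill_chain": "execution",
        "alert_type_details": {
            "summary": "base64-encoded command line", "source": "10.0.0.5",
            "destination": "10.0.0.9", "detail": {"class": "windows_process"},
        },
    },
    {
        "class": "alerts", "id": "alert-2", "risk": "medium",
        "message": "Periodic DNS to rare domain", "kill_chain": "command_and_control",
        "alert_type_details": {
            "summary": "beacon-like query interval", "source": "10.0.0.7",
            "destination": "198.51.100.23", "detail": {"class": "dns"},
        },
    },
    # Raw events decorated by rules that matched. Whether those rules have
    # alerting enabled is not visible in the record, as the page notes.
    {"class": "windows_process", "detect_rulenames": ["EXAMPLE RULE [Encoded PowerShell]"]},
    {"class": "dns", "detect_rulenames": ["EXAMPLE RULE [Rare Domain]", "EXAMPLE RULE [Beaconing]"]},
    {"class": "dns", "detect_rulenames": ["EXAMPLE RULE [Beaconing]"]},
    {"class": "analytics", "application": "ssh"},
]


def get_path(record: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dot-notation path such as 'alert_type_details.detail.class'.

    Each segment descends one level into a dict. A missing key, or a
    segment that lands on a non-dict (e.g. a string), yields `default`
    so a table column is blank rather than raising."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def where_class(events: Iterable[dict[str, Any]], cls: str) -> list[dict[str, Any]]:
    """Equivalent of `class=<cls>`."""
    return [e for e in events if e.get("class") == cls]


def where_has(events: Iterable[dict[str, Any]], field: str) -> list[dict[str, Any]]:
    """Equivalent of `has:<field>`: keep events where the field is present."""
    return [e for e in events if get_path(e, field) is not None]


def table(events: Iterable[dict[str, Any]], columns: list[str]) -> list[list[Any]]:
    """Equivalent of `| table [...]`: one row per event, columns resolved by path."""
    return [[get_path(e, col) for col in columns] for e in events]


def groupby(events: Iterable[dict[str, Any]], field: str) -> dict[Any, int]:
    """Equivalent of `| groupby <field>`: count events per distinct value.

    A multi-valued field (assumed here for detect_rulenames) contributes
    one count per listed value, so an event matching two rules appears
    under both rule names."""
    counts: Counter = Counter()
    for e in events:
        value = get_path(e, field)
        if isinstance(value, list):
            counts.update(value)
        else:
            counts[value] += 1
    return dict(counts)


def demo() -> dict[str, Any]:
    """Run the page's queries against the sample data and return the results."""
    alerts = where_class(SAMPLE_EVENTS, "alerts")
    return {
        "alerts_table": table(alerts, ["id", "risk", "message"]),
        "alerts_by_kill_chain": groupby(alerts, "kill_chain"),
        "nested": table(alerts, ["alert_type_details.detail.class",
                                 "alert_type_details.destination"]),
        "rules": groupby(where_has(SAMPLE_EVENTS, "detect_rulenames"), "detect_rulenames"),
        "analytics": groupby(where_class(SAMPLE_EVENTS, "analytics"), "application"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The path resolver stops and returns a blank as soon as a segment is missing or lands on a scalar; that is the behaviour you want when a table column such as alert_type_details.detail.class is absent on some alert types, since one malformed record should not break the whole projection.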
Analytics events are also worth reviewing for behaviour outside the norm:
class=analytics | groupby application
To learn more about the Helix platform, see the following resources: