Helix Video - Understanding Unknown Event Data

Version 6


Video Transcript:

... this video is Understanding Unknown Event Data. We've had several cases opened recently regarding unknown event data, and this video will explain why unknown event data is not necessarily a bad thing.

So the first thing we're going to do when we're looking for event data is we need to take a look at all of the data as a whole. So I'm going to do a group by class, which is going to show me all of the event data. This is correlated for the past hour, and it's going to group that by the individual classes. We'll give that a minute to run, and we can see over here all of the different classes. And if we scroll down far enough, we're going to find unknown event data.

Unknown event data shows up in every instance. It's not uncommon, and it's usually nothing to worry about. In this case we have 662 unknown events. Now, when we look at those individually, 662 unknown events in the past hour may seem like a lot, but when we compare that to the 895,000 events that we've seen in the past hour, that's a very small percentage.

If we want to take a closer look at just the unknown event data, I can do class equals unknown, and that will give us just the unknown event data. And you can see this is the parsed portion of the unknown event data, and it doesn't give us very much information at all. If I change this to raw and parsed, now I can see the raw message data and the parsed message data and make a better determination as to exactly what that unknown event data is. And from here, if necessary, we can submit a request to have additional parsing rules created and get that unknown data parsed.

And that does it for this video on Understanding Unknown Event Data. And now, looking at low percentages, you can see why unknown event data is not necessarily a bad thing. Please watch for more tips and tricks videos from FireEye.
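The workflow the video walks through (group events by class, judge the unknown count against the total, then look at the raw and parsed views of the unknown events before asking for a parsing rule) can be reproduced offline on an exported event set. The script below is an added example and is not code from the video, from Helix or from FireEye. The field names `class`, `raw` and `parsed`, the sample events, the 1% review threshold and the syslog-tag heuristic used to group unknown events by apparent source are all assumptions made for the example, not Helix's schema or query language.

```python
"""Triage of 'unknown' class events from a SIEM export (added example).

Models the steps in the video: count events per class, compare the unknown
count with the total, then inspect raw + parsed data for the unknown events
and summarise them per apparent source so a parsing-rule request is specific.
"""
import re
from collections import Counter

# Constructed sample export. The keys "class", "raw" and "parsed" are an
# assumption about the export format, not Helix's real field names.
SAMPLE_EVENTS = [
    {"class": "windows_security", "raw": "EventID=4624 User=alice Logon=2",
     "parsed": {"eventid": "4624", "user": "alice"}},
    {"class": "windows_security", "raw": "EventID=4634 User=alice",
     "parsed": {"eventid": "4634", "user": "alice"}},
    {"class": "windows_security", "raw": "EventID=4625 User=bob",
     "parsed": {"eventid": "4625", "user": "bob"}},
    {"class": "firewall", "raw": "action=deny src=10.0.0.5 dst=203.0.113.9 dport=445",
     "parsed": {"action": "deny", "dport": "445"}},
    {"class": "firewall", "raw": "action=allow src=10.0.0.7 dst=198.51.100.2 dport=443",
     "parsed": {"action": "allow", "dport": "443"}},
    {"class": "dns", "raw": "query example.com A from 10.0.0.5",
     "parsed": {"qname": "example.com"}},
    # Events the parser could not classify: the parsed view is empty, so only
    # the raw message tells us what they are (the video's "raw and parsed" step).
    {"class": "unknown", "raw": "<134>Jan  1 00:00:01 fw01 custom-app: status=ok latency=12ms",
     "parsed": {}},
    {"class": "unknown", "raw": "<134>Jan  1 00:00:03 fw01 custom-app: status=ok latency=15ms",
     "parsed": {}},
    {"class": "unknown", "raw": "2024-01-01T00:00:05Z appliance-x heartbeat seq=9",
     "parsed": {}},
]


def count_by_class(events):
    """Equivalent of the video's 'group by class': number of events per class."""
    return Counter(e["class"] for e in events)


def unknown_share(by_class):
    """Return (unknown_count, total, percent): the unknown count is only
    meaningful relative to the whole, as with 662 out of 895,000 in the video."""
    total = sum(by_class.values())
    unknown = by_class.get("unknown", 0)
    pct = 100.0 * unknown / total if total else 0.0
    return unknown, total, pct


def exceeds_threshold(pct, threshold_pct=1.0):
    """Assumed review threshold. A jump in the unknown share usually means a
    new or changed log source, which is the cue to look at the raw data."""
    return pct > threshold_pct


# Optional syslog PRI, then "Mon dd hh:mm:ss host program" - captures program.
SYSLOG_TAG = re.compile(r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s([^:\[\s]+)")


def apparent_source(raw):
    """Heuristic: pull the program tag from a syslog-style raw line so unknown
    events can be grouped by origin; 'unrecognized' if there is no such header."""
    m = SYSLOG_TAG.match(raw)
    return m.group(1) if m else "unrecognized"


def triage_unknown(events):
    """The video's 'class equals unknown' with raw and parsed side by side,
    grouped per apparent source for a parsing-rule request."""
    sources = {}
    for e in events:
        if e["class"] != "unknown":
            continue
        src = apparent_source(e["raw"])
        sources.setdefault(src, []).append({"raw": e["raw"], "parsed": e["parsed"]})
    return sources


def main():
    by_class = count_by_class(SAMPLE_EVENTS)
    unknown, total, pct = unknown_share(by_class)
    print(f"{unknown} unknown of {total} events ({pct:.2f}%)")
    if exceeds_threshold(pct):
        for src, items in triage_unknown(SAMPLE_EVENTS).items():
            print(f"  {src}: {len(items)} event(s), e.g. {items[0]['raw']}")


if __name__ == "__main__":
    main()
```

On the constructed sample the unknown share is well above the assumed threshold, so the script lists the unknown events per apparent source; on the video's own figures (662 of 895,000, about 0.07%) the same check stays quiet, which is the point the video makes about low percentages.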