Helix Video - Searching Alerts

Version 1



Video Transcript:


...Today we're going to talk about how you can actually search within the Helix environment to look at alerts over a longer period of time. So rather than just using the GUI, how can you actually dive deeper into the details? So when you first log into the Helix console you see a summary of recent alerts that have popped up within your environment. Let's go ahead and drill into the alerts screen and you'll see this gives you a summary of how many alerts have popped up over time by severity, and down below you can actually see the individual alerts themselves.

Now what happens if you have a manager that wants you to give summaries about what types of alerts have been happening in your environment, or you need to go find a specific alert? There is a little bit of ability right within this screen to do searching and filtering. So you can filter based on criticality of the alert. You can search based on specific names right in the alert name itself. So for instance if you're only looking for alerts that were generated from an intel match on an FQDN name, you could actually filter right there in the screen to see the FQDN criteria. And when you mouse over you can see which ones you can actually filter right with this interface. So say for instance you're only interested in this particular one right here that says aoldaily.com. Let's go ahead and filter on that. And you see that it cuts down to a much smaller alert list with 29 alerts.

Now what happens if your manager comes to you and says, I want a list of every IP address that communicated with aoldaily.com that generated an alert over the last 12 months. How are you going to do that? By default, you usually only see about 16 days' worth of data in Helix. But one of the great things you can do is actually search all alerts in the environment going back through the whole history of your instance. So there's an actual class of data called Alerts, which you can pull up just like you would any other search within threat analytics. And you'll see that you have a lot of detail here in JSON format called the alert type details. This is where you can really start getting into detail of the alert. So one of the things that you can pull up is JSON format where you can actually extend that and pull out individual elements and do a search on that. So let's do that here.

Now you notice initially nothing came up, even though we know we just saw aoldaily in the other screen. And that's because of the time window. So initially it was just searching in the last 24 hours. We can expand that out to the past week. And here you see all the hits that actually came up with aoldaily.com. Now remember your boss wanted you to pull up a longer duration. One of the cool things with alerts is they're maintained permanently rather than just for 16 days. So you can use a filter to actually go back further in time. You can say 12 months ago and that will actually search through your entire history of alerts for all matches to that particular domain name. And you see now there's 184 matches that come up.

Then to get your boss's report where he wants to see what IP addresses were actually hit on, you can do a "groupby", and here you see that over the last 12 months there is only one IP address communicating with that particular domain. And you can even give them a nice little chart showing the history of that over time. So you see this fits a very typical beacon pattern. There was a gap where there were no hits, so maybe that computer was off your network for that period in time. All with a real quick, simple search. So it gives you an overview of how you can search within your alerts, not just using the GUI, to get more details and produce management summaries. Stay tuned for more FireEye product tips and tricks.
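The workflow in the video (search the retained alert class, widen the time window, then group the matches by IP and look at the hit history) as an added, offline Python model. This is example code written for this page, not FireEye's code and not Helix query syntax; the alert record layout (a `class` field, an ISO 8601 `timestamp`, and `alert_type_details` holding `fqdn` and `srcipv4`) is an assumption for the example, and the alert records and the reference time are constructed.

```python
"""Added example: filter retained alert records by FQDN and time window,
then group by source IP and bucket hits by month.  The JSON layout below is
an assumption for this example, not Helix's real alert schema."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Constructed reference "now" so the windows below are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# The three windows the video walks through: default 24 hours, past week,
# and "12 months ago" (approximated here as 365 days).
LAST_24H = timedelta(hours=24)
LAST_7D = timedelta(days=7)
LAST_12M = timedelta(days=365)

# Constructed alert records (invented for this example).  One host has
# beaconed to aoldaily.com for months, with a multi-month gap; one record is
# older than 12 months; two unrelated records match a different domain.
CONSTRUCTED_ALERT_LINES = [
    '{"class": "alerts", "timestamp": "2024-05-30T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2024-05-27T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2024-04-22T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2023-11-14T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2023-08-06T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2023-04-28T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "aoldaily.com", "srcipv4": "10.0.0.5"}}',
    '{"class": "alerts", "timestamp": "2024-05-31T12:00:00+00:00", '
    '"alert_type_details": {"fqdn": "example.net", "srcipv4": "10.0.0.9"}}',
    '{"class": "alerts", "timestamp": "2024-05-29T00:00:00+00:00", '
    '"alert_type_details": {"fqdn": "example.net", "srcipv4": "10.0.0.9"}}',
]


def parse_alerts(lines):
    """Parse one JSON record per line and attach a timezone-aware datetime."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        alerts.append(rec)
    return alerts


def search_alerts(alerts, fqdn, window, now=NOW):
    """Return alert-class records whose FQDN matches and whose timestamp
    falls inside [now - window, now].  A too-narrow window is exactly why
    the first search in the video returned nothing."""
    start = now - window
    return [
        a for a in alerts
        if a.get("class") == "alerts"
        and a["alert_type_details"].get("fqdn") == fqdn
        and start <= a["ts"] <= now
    ]


def group_by_ip(matches):
    """The "groupby" step: count matching alerts per source IP."""
    return dict(Counter(a["alert_type_details"]["srcipv4"] for a in matches))


def monthly_histogram(matches):
    """Hits per month, oldest first; months absent from the result are the
    gaps a beacon chart would show (e.g. the host off the network)."""
    counts = Counter(a["ts"].strftime("%Y-%m") for a in matches)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    alerts = parse_alerts(CONSTRUCTED_ALERT_LINES)
    for label, window in (("24 hours", LAST_24H), ("7 days", LAST_7D),
                          ("12 months", LAST_12M)):
        hits = search_alerts(alerts, "aoldaily.com", window)
        print(f"{label:>9}: {len(hits)} alerts, by IP {group_by_ip(hits)}")
    print("history:", monthly_histogram(
        search_alerts(alerts, "aoldaily.com", LAST_12M)))
```

Running it reproduces the video's sequence on the constructed data: the 24-hour window finds nothing for aoldaily.com even though the domain was just visible in the alert list, the 7-day window finds the recent hits, and the 12-month window returns every retained match grouped under a single source IP, with missing months in the histogram marking the gap in the beacon pattern.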