In this installment of the Tips and Insights series, Fayyaz Rajpari shares a tip on how to use FireEye Helix to search for data in your system that is beyond the normal indexing period of 16 days.
Hi, my name is Fayyaz Rajpari and I am a Solutions Architect at FireEye. In this video I’d like to share a tip about how to search for data older than 16 days to find evil that’s been lurking in your environment for much longer. An archive search in Helix basically means that you want to run the search beyond the normal indexing that Helix with threat analytics is doing for you, which is typically 16 days. In order for you to do an archive search, what you must do is select the index search and drop down to archive search. And from there you can start hunting. So, say the situation is I’m hunting for some evil, or just looking for some activity that occurred in my environment but was way over the normal 16 day time frame. So we’re going to look for MS Windows event logs back from May to May 7th. So we will do Windows Event, and you can tell we can change the date here; I’ve changed it to May 1 through May 7th. So we’re going beyond the normal 16 day indexing capabilities into archive searches, which is getting data from the Amazon S3 buckets and then representing that data back. So we’ll go ahead and click on that search magnifying glass icon. And the time is getting estimated right now. Many times that time will jump up; in this situation it is 21 minutes. So we’ll go ahead and run that search. Once a search is created you can go back and check the status on the search by clicking on Explore and going into Search Jobs. And what you’ll notice is I’ve got a couple of them running here. And I already have one that’s completed. Take a look at this one and it will give me the results of what that looks like.
So basically you’ve got the archive search for the Windows event logs, and I have grouped them by service, and this is specifically showing you from May 1 through May 7th. So that concludes our demonstration of archive search and how you can look past the default 16 days of index. Tips and Insights from FireEye.