In this installment of the Tips and Insights series, Steve Woodward compares the functionality and data return of the Helix Cloud Collector to that of the new Evidence Collector feature.
Hello, I’m Steve Woodward, Channel Systems Engineer at FireEye. I’d like to compare Helix cloud collector to the new evidence collector equivalent. So, here we are logged in to Helix and we’re at the summary dashboard. First thing I’d like to point out is go down and look at our event classes for the past 24 hours. Since we’re looking at the contrast between the cloud collector and the evidence collector. They’re going to show different classes anything that had bro_, Those are from the cloud collector. This is an environment where I’ve had both of them running overlapping at the same time just to show the contrast. The evidence collector, the events are going to show up as fireeye_nx. Each one is going to be a event type and the next thing we’re going to do is we’re going to review classes verses metaclass. So when we look at something like bro_dns and then we’re going to have another category it’s going to be DNS from the fireeye_nx. Those are both classes or are part of classes and those are coming in and they’re the same thing DNS and actually often the same events if you’re seeing them in both lanes. Those are going to be normalized into a metaclass. And that’s important because that’s what is run against the rules engine. And that’s why switching from one to the other, even though the class changes, the metaclass stays the same. So there’s no actual change in functionality. Okay so let’s look at, with that in mind, let’s go up and search and we’re going to go and search on group_by class. Let’s take a look at what our classes are.
So this is another way of looking at what we were looking at at the review but if we wanted to look beyond the 24 hours we could do that here we could set a timeframe that’s larger or shorter whereas that is different. So here we have our classes. In my environment my number one class is fireeye_nx on and then the bro and then some miscellaneous things. What we’re going to do is compare that and then we’re going to drill into and find the DNS that’s buried in this fireeye_nx. Our next one is we’re going to do here class fireeye_nx. Let’s take a look at that and here we see the different event types that the evidence collector on nx is logging and DNS is the largest one here. But these are very similar data that we were seeing with bro_dns and so forth. Let’s focus in on just DNS. So list DNS classes. So now we’re doing metaclass DNS so we talked about class versus metaclass. We’re doing a metaclass DNS and take a look at the different classes within that metaclass. So this could be multiple different classes where we have FireEye and bro.
So here we have just two and we’re looking at the same data different engines doing that. And then lastly we’re going to go look at an example of a particular domain and look at the details a little bit. So in this case I’ve gone to ntp.org and we’ll take a look at it. Some events I generated earlier today and here we see we’ve got several events and here we have the fireeye_nx with the bro_dns. If we look at our time stamps we see they’re very similar. If we look at the details and I’m looking at default tables I’m going to look at, we have a custom table for DNS queries which is much more appropriate here. So let’s take a look at it from that perspective. And now we can see some of the details specialized formatted so we can see that in ntp, we have an “a” record request, an ‘aaa’ record request. Here we see 184.108.40.206. This is part of a bro_dns and also includes the second one and then we happen to see that one of the differences between the evidence collector on nx, it’s a little more chatty. Same information but in two different events. Thanks for spending time learning about our new evidence collector feature. Stay tuned for more FireEye Tips and Insights.