In this installment of the Tips and Insights series, Nate Hancock uses FireEye Helix to illustrate how correct parsing of raw message data from the NX log can lead to successful searches within your environment.
Hi, my name is Nate Hancock with FireEye Customer Support, and this video is Event Data and Parsing. This video will explain how correct parsing can lead to successful searches.

When event data comes into the Helix instance, the data comes in as raw message data. It's then compressed, encrypted, and sent to the Helix instance via a service called NX log. This NX log service also exists on a receiver in your Helix instance, which then decrypts and decompresses the event data. It then parses the data, passing it through a series of parsing engines. And this is the outcome. You can see that this is much easier to understand, and there's a lot more that we can do with the parsed data.

Advantages of parsed data include that it can be searched with the full services of MQL, or the Mandiant Query Language. We can pivot with the data. It also includes more accurate event data for matching Intel indicators. To pivot, all we have to do is choose one of these options. In this case we'll use a trigger: we can left click, and we can either do a new search or add to the existing search. And then we click search. And we've just created a new search from our previous existing search.

We can search raw message data. It is still indexed just like the rest of the data. It can be searched using a string search. So, for example, if I come up here and just type FireEye, we can see that it will still search the raw message data for FireEye. And it can match against intel indicators, but there is a much higher margin of error.

That does it for Event Data and Parsing. Now you can see why correct parsing is essential for successful searching. Please watch for more tips and tricks videos from FireEye.
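As an added illustration of the raw-versus-parsed distinction the video describes (this is constructed example code, not Helix's parser, NX log, or MQL; the proxy-log format, field names, sample events and indicator list are all assumptions), the following shows why a plain string search over raw message data produces a higher margin of error than matching an indicator against a parsed field, and how parsed fields enable a pivot:

```python
import re
import urllib.parse

# Constructed sample events (not real Helix or NX log output): a syslog-like
# proxy log as it would arrive before parsing.
RAW_EVENTS = [
    'Jan 10 12:00:01 proxy1 squid: 10.0.0.5 GET http://updates.example.com/patch.bin 200 "corp-agent/1.0"',
    'Jan 10 12:00:02 proxy1 squid: 10.0.0.7 GET http://cdn.good-site.net/index.html 200 "Mozilla/5.0 (ref: evil.example.org)"',
    'Jan 10 12:00:03 proxy1 squid: 10.0.0.9 GET http://evil.example.org/c2 404 "curl/8.0"',
]

# Hypothetical indicator list (constructed): destination hosts of interest.
INDICATORS = {"evil.example.org"}

# Assumed line layout: timestamp host program: srcip method url status "user-agent"
EVENT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:]+): '
    r'(?P<srcip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_event(raw: str) -> dict:
    """Parse one raw line into named fields; return {} when it does not fit the format."""
    m = EVENT_RE.match(raw)
    if not m:
        return {}
    fields = m.groupdict()
    # Derive the destination host from the URL so indicators can be matched on one field.
    fields["dsthost"] = urllib.parse.urlsplit(fields["url"]).hostname or ""
    fields["status"] = int(fields["status"])
    return fields

def match_raw(events, indicators):
    """String search over raw text: an indicator appearing anywhere in the line counts."""
    return [e for e in events if any(ind in e for ind in indicators)]

def match_parsed(events, indicators):
    """Field-level match: only the parsed destination host is compared to the indicator."""
    parsed = (parse_event(e) for e in events)
    return [p for p in parsed if p and p["dsthost"] in indicators]

def pivot(events, field, value):
    """Pivot on a parsed field, e.g. every event from the same source IP."""
    return [p for p in (parse_event(e) for e in events) if p and p.get(field) == value]
```

The raw string search also flags the second line, where the indicator only appears inside a user-agent string, while the parsed match returns just the event whose destination host is the indicator.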