In this installment of the Tips and Insights series, Fayyaz Rajpari explains how to use FireEye Helix to export data from your environment so that it may be used for offline analysis and review.
Hi. My name is Fayyaz Rajpari and I’m a Solutions Architect at FireEye. Today I’ll be showing you how to export data from your Helix environment so that you may use it for all offline analysis. Many times you’ll be looking at some information and you’ll want to export that into your own spreadsheet to use for your own analysis or bring into another tool of choice.

So I’ve got some favorites set here already. I’m just going to build out a query and look for APT activity, group them by Destination Country and then Source IP, Destination IP, and then the class where the data is actually coming from. So once those search results come back I’ll have data that I can actually export out into a CSV file. We’re going to click on the table icon there to display these results in a table format. And what you’ll notice is I’ve got some activity going to a destination country of Russian Federation, Canada, and Republic of Korea with my source IP, destination IP and where that log was coming from; in this situation there are some connection logs and DNS logs, and you’ll see here I could easily export that data.

So there is one way to export the data: if I click on that export button, I can then choose whatever I want to name it. I’ll just leave the default of search results dot CSV and choose a location. I will put it in the Helix folder and click on save.

And there is another way you can also do this if you don’t want the specific details that I did the group-by on, or if you just want to get any type of specific raw or parsed events on the bottom. I can just highlight those specific ones here and just get the specific ones, so say for example I just want these two. I’ll go back, click on filters and you’ll get a selection here. I can either add to case or, in this situation, I actually want to just download the selected ones that I selected. Click on selected and then it’ll show me another pop-up to actually save that down to my disk.
So we’ll go ahead and actually see what this data looks like as well. So here it’s downloaded, so go ahead and open it up and here are the details: Destination Countries, Source IP, Destination IP, Intel Match and Count, with the details shown in my Helix console in a spreadsheet. So now you’ve exported the data, it will assist you in your investigation whether you’re online or not. Be sure to check back for more product tips and insights from FireEye.
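What the offline analysis can look like once the export is on disk, as an added example that is not part of the FireEye video: this Python script takes a constructed CSV in the shape of the table shown (the column names and the "conn"/"dns" class values are assumed for the example, not Helix's actual export schema), rebuilds the group-by the speaker ran in the console, totals events per destination country, and writes a search-results.csv like the Export button would.

```python
import csv
import io
from collections import Counter

# Constructed sample of parsed events in the shape of the table in the video.
# Column names are assumed for this example, not Helix's actual export schema.
SAMPLE_EVENTS_CSV = """Destination Country,Source IP,Destination IP,Class,Intel Match
Russian Federation,10.0.0.12,198.51.100.7,conn,apt-indicator
Canada,10.0.0.12,203.0.113.9,dns,apt-indicator
Russian Federation,10.0.0.45,198.51.100.7,conn,apt-indicator
Republic of Korea,10.0.0.45,192.0.2.20,conn,apt-indicator
Canada,10.0.0.12,203.0.113.9,dns,apt-indicator
"""

GROUP_KEYS = ("Destination Country", "Source IP", "Destination IP", "Class")

def load_events(csv_text):
    """Parse exported rows (raw or parsed events) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def group_events(events, keys=GROUP_KEYS):
    """Reproduce the console's group-by: one row per key tuple plus a Count,
    highest count first, ties broken by key order."""
    counts = Counter(tuple(e[k] for k in keys) for e in events)
    rows = [dict(zip(keys, key), Count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: (-r["Count"], tuple(r[k] for k in keys)))

def country_totals(events):
    """Events per destination country, regardless of IP pair or log source."""
    return Counter(e["Destination Country"] for e in events)

def select_events(events, predicate):
    """The 'download selected' path: keep only the events the analyst picked."""
    return [e for e in events if predicate(e)]

def to_csv_text(rows, fieldnames):
    """Serialise rows the way the console's Export button writes them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS_CSV)
    grouped = group_events(events)
    with open("search-results.csv", "w", newline="") as fh:
        fh.write(to_csv_text(grouped, list(GROUP_KEYS) + ["Count"]))
    for country, total in country_totals(events).most_common():
        print(f"{country}: {total} event(s)")
```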