In this installment of the Tips and Insights series, Nate Hancock shares ways to find malware on a network using MQL (Mandiant Query Language), how to search for event data in Helix and how to customize those searches using MQL.
Hi, my name is Nate Hancock and this video is MQL Intro. In this video you'll learn how to find malware on your network. MQL stands for Mandiant Query Language, and that's the query language used to search event data in Helix instances. Searches can take on many different forms, and they can be highly customized using this query language. So, for example, if I want to do a search for domain equals Google.com, I can see all of the different search results for Google.com in the past hour. This is an example of a search. Other search fields could be meta fields, such as unique device types like a Cisco ASA or a firewall NX appliance. We could search by meta class. Meta classes can include firewalls and other types of intrusion protection systems.

The next component we're going to talk about is a directive. A directive limits the scope, or can be used to change the scope, of the search. So, for example, if I come in here, I can add to the search "start colon 4 hours ago"; that would tell it to start 4 hours ago. But maybe I don't want it to run until right now, so I do an "end colon 1 hour ago" and hit enter. Now it's going to give me all of the search results for Google.com during that 1 hour.

The last component we're going to talk about is a transform. A transform is a way of transforming the output of the search results. In this case I'm going to do what's called a group by modifier, and we're going to group by class. Now it's going to give us the search results for the domain Google.com during the time frame from four hours ago to 1 hour ago, so during that three hour block, and now we're going to look at all of the event data broken down by the individual classes.

That does it for the MQL Intro video. Now you can start hunting malware in your own network. Please watch for more tips and tricks from FireEye.
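The three components the video walks through (a search term, start/end directives that change the time window, and a group-by transform) can be modelled as a small query evaluator. The following is an added example written for this page, not Mandiant's or Helix's code: the query grammar it parses (`field=value`, `start:"..."`/`end:"..."` directives, and `| groupby field`) is a simplification assumed for illustration, and the event records it runs over are constructed sample data, not Helix output.

```python
"""Toy evaluator for the three MQL components described above:
search terms, start:/end: directives and a groupby transform.
Added example (not Mandiant/Helix code); grammar is simplified."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample events: timestamp, class (device category) and domain.
EVENTS = [
    {"ts": NOW - timedelta(minutes=30), "class": "firewall", "domain": "google.com"},
    {"ts": NOW - timedelta(hours=2), "class": "firewall", "domain": "google.com"},
    {"ts": NOW - timedelta(hours=3), "class": "ips", "domain": "google.com"},
    {"ts": NOW - timedelta(hours=3, minutes=30), "class": "proxy", "domain": "google.com"},
    {"ts": NOW - timedelta(hours=5), "class": "proxy", "domain": "google.com"},
    {"ts": NOW - timedelta(hours=2), "class": "proxy", "domain": "example.org"},
]

_RELATIVE = re.compile(r"^(\d+)\s+(minute|hour|day)s?\s+ago$")
_TOKEN = re.compile(r'(\w+)(=|:)("([^"]*)"|\S+)')


def parse_relative(text, now=NOW):
    """Turn '4 hours ago' into an absolute timestamp relative to now."""
    m = _RELATIVE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unsupported time expression: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return now - timedelta(**{unit + "s": n})


def parse_query(query, now=NOW):
    """Split 'field=value key:"value" | transform arg' into its parts.

    '=' introduces a search term, ':' a directive, '|' a transform.
    Without start:/end: the window defaults to the past hour, as in
    the video's first search.
    """
    search_part, _, transform_part = query.partition("|")
    terms, directives = {}, {}
    for m in _TOKEN.finditer(search_part):
        key, op, raw, quoted = m.group(1), m.group(2), m.group(3), m.group(4)
        value = quoted if quoted is not None else raw
        if op == "=":
            terms[key] = value.lower()
        else:
            directives[key] = value
    start = parse_relative(directives["start"], now) if "start" in directives \
        else now - timedelta(hours=1)
    end = parse_relative(directives["end"], now) if "end" in directives else now
    return {"terms": terms, "start": start, "end": end,
            "transform": transform_part.split()}


def run_query(query, events=EVENTS, now=NOW):
    """Apply search terms and the time window, then an optional groupby."""
    q = parse_query(query, now)
    hits = [e for e in events
            if q["start"] <= e["ts"] <= q["end"]
            and all(str(e.get(k, "")).lower() == v for k, v in q["terms"].items())]
    if q["transform"][:1] == ["groupby"]:
        field = q["transform"][1]
        return dict(Counter(e[field] for e in hits))
    return hits


if __name__ == "__main__":
    # Default one-hour window, then the narrowed window, then grouped by class.
    print(len(run_query("domain=google.com")))
    print(len(run_query('domain=google.com start:"4 hours ago" end:"1 hour ago"')))
    print(run_query('domain=google.com start:"4 hours ago" end:"1 hour ago" | groupby class'))
```

Running the three queries in order shows the effect of each component: the plain search returns only the one event from the past hour, the directives widen and shift the window to the three events between four and one hours ago, and the transform collapses those into a per-class count, which is the breakdown the video ends on.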