In this installment of the Tips and Insights series, Bryon Wolcott demonstrates Helix’s subsearch feature, which allows you to run a query and then use those results in another query.
Hi, my name is Bryon Wolcott. I’m a Senior Security Analyst at FireEye. Today I’m going to use a function within Helix called Subsearch. Subsearch allows you to run a query and then use those results in another query. Subsearch is going to perform two searches in a row with only one query. This is going to allow you to correlate information from one search with another. The power behind this is that if you get a lot of results from one search, you won’t have to go through and save those and then go search them all individually; you’ll be able to take those results, put them into a new query and get the results from that back. So let’s say we have a domain that we’re interested in. In this case we’ll say the domain is uanews.org.
So we’ll search that. Now we want to see who’s visited that, so we’re going to group by source IPv4. Before we go ahead and search this, let’s cut this down to 24 hours.
So in this case we’re interested in this specific domain, and originally you could search it and look at all the different IP addresses that have interacted with this domain. Now, if you want to see what other sites they’ve been to, you’d have to take each one of these IP addresses individually and research them again, but with subsearch you don’t have to do that. It’s going to take care of it for you.
So let’s cut this original query down and say we wanted to look just for HTTP proxy events, and we want to pull the source IPv4 field from this original query. Let’s enclose this original query in parentheses, and we’re going to say we want the source IPv4 to match any of this subsearch, and then we’re going to group it all by the domain. So this will let us know what other domains anyone who has visited our domain in question has also visited. This is going to tell you a much larger story about the traffic and what sites the users are going to. So we can see that anyone who might have been to this domain also went to these domains, which is really powerful information to tell the whole story.
That gives you an overview of how you can use subsearch to find correlations between queries. Stay tuned for more FireEye Tips and Insights.
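The two-stage correlation described in the video, modelled in Python over a constructed set of proxy events. This is an added example, not Helix code or Helix query syntax; the field names `class`, `srcipv4` and `domain` and the sample records are assumptions chosen to mirror the walkthrough.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real Helix data). Field names are assumed.
NOW = datetime(2024, 1, 2, 12, 0, 0)
EVENTS = [
    {"ts": NOW - timedelta(hours=1),  "class": "http_proxy", "srcipv4": "10.0.0.5",  "domain": "uanews.org"},
    {"ts": NOW - timedelta(hours=2),  "class": "http_proxy", "srcipv4": "10.0.0.5",  "domain": "cdn.example.net"},
    {"ts": NOW - timedelta(hours=3),  "class": "http_proxy", "srcipv4": "10.0.0.9",  "domain": "uanews.org"},
    {"ts": NOW - timedelta(hours=4),  "class": "http_proxy", "srcipv4": "10.0.0.9",  "domain": "cdn.example.net"},
    {"ts": NOW - timedelta(hours=5),  "class": "http_proxy", "srcipv4": "10.0.0.9",  "domain": "updates.example.com"},
    {"ts": NOW - timedelta(hours=6),  "class": "http_proxy", "srcipv4": "10.0.0.7",  "domain": "news.example.org"},
    # Visited the domain, but outside the 24-hour window: must be dropped by the inner query.
    {"ts": NOW - timedelta(hours=30), "class": "http_proxy", "srcipv4": "10.0.0.11", "domain": "uanews.org"},
    # Same host as above, but not an HTTP proxy event: must be dropped by the outer query.
    {"ts": NOW - timedelta(hours=1),  "class": "dns",        "srcipv4": "10.0.0.5",  "domain": "dns.example.org"},
]


def inner_query(events, domain, window):
    """Subsearch step: distinct source IPs that contacted `domain` inside the time window.

    This is the 'search the domain, group by source IPv4' query from the video.
    """
    start = NOW - window
    return {e["srcipv4"] for e in events if e["domain"] == domain and e["ts"] >= start}


def outer_query(events, src_ips, window):
    """Outer step: HTTP proxy events whose srcipv4 matches any subsearch result, grouped by domain."""
    start = NOW - window
    counts = Counter(
        e["domain"]
        for e in events
        if e["class"] == "http_proxy" and e["srcipv4"] in src_ips and e["ts"] >= start
    )
    return dict(counts)


def subsearch(events, domain, window=timedelta(hours=24)):
    """Run the inner query, then feed its results into the outer query in one call."""
    ips = inner_query(events, domain, window)
    return ips, outer_query(events, ips, window)


if __name__ == "__main__":
    ips, by_domain = subsearch(EVENTS, "uanews.org")
    print("hosts that visited uanews.org:", sorted(ips))
    for dom, n in sorted(by_domain.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {dom}")
```

The domain under investigation appears in its own results, exactly as a group-by over the outer query would show it; filter it out if you only want the other sites those hosts reached.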