In this installment of the Tips and Insights series, Chris Schreiber talks about searching within the Helix environment to look at alerts over a longer period of time and diving deeper into the details of an alert using the Helix console.
Hi, I’m Chris Schreiber, and I’m a solutions architect with FireEye’s Global Pursuit Specialist Team. Today we’re gonna talk about how you can actually search within the Helix environment to look at alerts over a longer period of time. So rather than just using the GUI, how can you actually dive deeper into the details? So when you first log into the Helix console, you see a summary of recent alerts that have popped up within your environment. Let’s go ahead and drill into the alert screen, and you see this gives you a summary of how many alerts have popped up over time by severity, and down below, you can actually see the individual alerts themselves. Now what happens if you have a manager that wants you to give summaries about what types of alerts have been happening in your environment? Or you need to go find a specific alert? There is a little bit of ability right within this screen to do searching and filtering, so you can filter based on criticality of the alert. You can search based on specific names right in the alert name itself. So, for instance, if you’re only looking for alerts that were generated from an intel match on an FQDN name, you could actually filter right there in the screen to see the FQDN criteria. And when you mouse over, you can see which ones you can actually filter right within this interface. So say, for instance, you’re only interested in this particular one right here that says aoldaily.com. Let’s go ahead and filter on that, and you see that it cuts down to a much smaller alert list with 29 alerts. Now what happens if your manager comes to you and says, “I want a list of every IP address that communicated with aoldaily.com that generated an alert over the last 12 months”? How are you gonna do that? By default, you usually only see about 16 days’ worth of data in Helix, but one of the great things you can do is actually search all alerts in the environment going back throughout the whole history of your instance.
So there’s an actual class of data called alerts, which you can pull up just like you would any other search within Threat Analytics, and you’ll see that you have a lot of detail here in JSON format called alert type details. This is where you can really start getting into the details of the alert. So one of the things that you can pull up is the JSON format, where you can actually extend that and pull out individual elements and do a search on that. So let’s do that here.
Now you notice, initially, nothing came up even though we know we just saw aoldaily.com in the other screen, and that’s because of the time window. Initially it was just searching in the last 24 hours; we can expand that out to the past week.
And here you see all the hits that actually came up with aoldaily.com. Now, remember, your boss wanted you to pull up a longer duration. One of the cool things with alerts is they’re maintained permanently rather than just for 16 days, so you can use a filter to actually go back further in time. You can say 12 months ago, and that will actually search through your entire history of alerts for all matches for that particular domain name. You see, now there are 184 matches that come up. Then, to get your boss’s report where he wants to see what IP addresses were actually hit on, you can do a group by, and here you see that over the last 12 months there was only one IP address communicating with that particular domain. And you can even give him a nice little chart showing the history of that over time. So you see, this fits a very typical beacon pattern. There was a gap where there were no hits, so maybe that computer was off your network for that period in time. All with a real quick, simple search. So that gives you an overview of how you can search within your alerts, not just using the GUI, to get more details and produce management summaries.
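The workflow in the video (search the alert class, filter on the FQDN inside the alert details, widen the time window from 24 hours to 12 months, group by IP address, chart the hits over time) can be reproduced offline against exported alert JSON. The following is an added example, not Helix code, Helix query syntax or anything from the original video: it builds a constructed list of alert records with assumed field names (`alert_type_details.fqdn`, `alert_type_details.src_ip`, `timestamp`), and the domain, IP and dates are made up. It also goes one step beyond the video by listing the zero-hit months explicitly, which is the gap the chart reveals.

```python
"""Added example (not Helix's API): filter, widen window, group by IP, chart by month."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2021, 1, 1, tzinfo=UTC)            # constructed "today" for the search
WATCHED_FQDN = "aoldaily.com"                     # domain from the video


def build_sample_alerts():
    """Constructed data: one host alerts daily on the watched FQDN for the whole of
    2020, except July and August (host off the network), plus one unrelated alert."""
    start = datetime(2020, 1, 1, tzinfo=UTC)
    alerts = []
    for day in range(366):                        # 2020 is a leap year
        ts = start + timedelta(days=day)
        if 182 <= day < 244:                      # day 182 = 1 Jul, day 244 = 1 Sep
            continue
        alerts.append({
            "alert_type": "intel match on FQDN",  # assumed field names
            "timestamp": ts.isoformat(),
            "alert_type_details": {"fqdn": WATCHED_FQDN, "src_ip": "10.1.2.3"},
        })
    alerts.append({                               # noise that must not match the filter
        "alert_type": "intel match on FQDN",
        "timestamp": (start + timedelta(days=10)).isoformat(),
        "alert_type_details": {"fqdn": "other.example", "src_ip": "10.9.9.9"},
    })
    # round-trip through JSON so the records behave like an exported search result
    return json.loads(json.dumps(alerts))


def parse_ts(value):
    return datetime.fromisoformat(value)


def search_alerts(alerts, fqdn, since, until):
    """Equivalent of searching the alert class and filtering on one element of the
    JSON alert details inside an explicit time window [since, until)."""
    return [a for a in alerts
            if a["alert_type_details"].get("fqdn") == fqdn
            and since <= parse_ts(a["timestamp"]) < until]


def group_by_ip(alerts):
    """The 'group by' step: how many alerts each source IP generated."""
    return Counter(a["alert_type_details"]["src_ip"] for a in alerts)


def monthly_histogram(alerts, since, until):
    """Hits per calendar month, including zero months so gaps stay visible."""
    counts = Counter(parse_ts(a["timestamp"]).strftime("%Y-%m") for a in alerts)
    months, year, month = [], since.year, since.month
    while datetime(year, month, 1, tzinfo=UTC) < until:
        months.append(f"{year:04d}-{month:02d}")
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return [(m, counts.get(m, 0)) for m in months]


def gap_months(histogram):
    """Months with no hits at all: the gap the video attributes to the host being offline."""
    return [m for m, n in histogram if n == 0]


def report(alerts, fqdn, since, until):
    matches = search_alerts(alerts, fqdn, since, until)
    hist = monthly_histogram(matches, since, until)
    return {"matches": len(matches), "by_ip": dict(group_by_ip(matches)),
            "histogram": hist, "gaps": gap_months(hist)}


if __name__ == "__main__":
    alerts = build_sample_alerts()
    # The 24-hour default window explains why the first search looked empty.
    print("last 24h:", len(search_alerts(alerts, WATCHED_FQDN, NOW - timedelta(hours=24), NOW)))
    r = report(alerts, WATCHED_FQDN, datetime(2020, 1, 1, tzinfo=UTC), NOW)
    print("last 12 months:", r["matches"], "alerts from", r["by_ip"])
    for month, n in r["histogram"]:              # text chart of the beacon history
        print(f"{month} {'#' * (n // 2):16s} {n}")
    print("gap months:", r["gaps"])
```

Running it prints the one-line answer for the default window, the twelve-month count with its single source IP, and a text bar chart in which July and August are empty, which is the pattern to hand to a manager alongside the numbers.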