Searching and Pivoting

In this installment of the Tips and Insights series, Nate Hancock explains how to use FireEye Helix to build basic malware searches using the ‘groupby’ command and subsequently how to pivot off of that information to find sourceIPs.

Hi my name is Nate Hancock with FireEye Customer Support and this video is Building Basic Searches and Pivoting. This video will teach you how to begin searching for malware on your network. When building basic searches, one place that I really like to start is using the “groupby” command and in this case I’m going to ‘groupby” class. When you’re using “groupby” and especially when using “groupby” class you want to make sure that you limit the time frame limit the scope on this a little bit because these searches can be very very large. So when I do “groupby” class it’s going to display all of the event information during the past hour and it’s going to group that by the individual class. Now you can see over here in this column all of the different classes that this event data falls under. We can change this a little bit maybe instead of looking by class maybe we want to look at all of the different destination IP addresses that have downloaded event data in the past hour. We can group that by destination IPv4 so destination IP address using IP version 4. In this case it’s 433,000 events and here we grouped it by IP. Here are the different IP addresses and the number of events for each IP address. We can also search by a class instead of grouping by all of the classes maybe we just want to look by one specific class. To do that we do a class equals and then the class name. In this case we’re going to look at Windows events. So ms_windows_event. Again for the past hour these are all of the events that fall under that specific class. In this case 168 results. Maybe we want to look at all of the files that have been downloaded. To do that we can look at class=bro_files and run our search. We can see that there were 193,000 files downloaded in the past hour. Now from here once we have our surge it’s easy to pivot using the event data. In this case we’re going to build on our search, class=bro_files. We’re going to pivot to the source IP address. We come down here and find the source IP. When I left click I have a series of options. I can “groupby”. I can add to a current search or I create a new search altogether. In this case I want to add this to the current search. So I’m going to add this particular source IP address to the current search and you can see that at appends the existing search that I had already entered. Click search and that’s going to give us the results. And then finally if I come down here and find the MD5 maybe I want to group this by the MD5 hashes that are associated with that single IP address I can choose the ‘groupby” field and pivot to the “groupby” field. Click search and this will give me all of the files downloaded by that IP address and it’s going to group them by their MD5. And over here we can see all of the MD5’s that were downloaded by that IP address. That does it for this video Building Basic Searches and Pivoting. Now you have the tools to begin hunting for malware in your network. Please watch for more tips and tricks videos from FireEye.

Scroll to Top