In this installment of the Tips and Insights series, Nate Hancock uses FireEye Helix to share some valuable MQL malware searches such as com broker, cloud collector or a ‘groupby’ search to find event data.
Hi my name is Nate Hancock with FireEye Customer Support and this video is Valuable MQL Searches. This video will introduce you to some searches that I find useful for searching for malware. One of the most valuable MQL searches that I’ve found and a good place to start when we’re looking for any type of event data really is a search that I call “groupby class”. One important note for the “groupby class” is there has to be a space between the pipe and the g in “groupby”. And when using this when it’s good to limit the time in this case I’m limiting it to the past hour. Because this is going to show us all of the event data. So in this case all of the event data for the past hour. We can see with the “groupby class” even just for the past hour 775,000 events. So there’s quite a large search. All of them are grouped by class and if we look down here we can see all of the different event classes that we’ve received in the past hour. Another valuable search and very similar to this one is looking for event data from a specific com broker or cloud collector. To do this we’re going to look it up by the com broker ID “has=class” and that’s a that’s a very another very vast search “has= class” so we’re going to add a modifier to limit the scope.
So this is going to show us all of the event data for the past hour. And it’s going to break it down based on the meta cbid. The cbid is the com broker ID. So this is all of the event data for the past hour, 851,000 events. And we can see the individual com broker IDs that have sent event data to this Helix instance. The next example I’d like to demonstrate is how to view all of the ICMP traffic on a network. To start with, we’re going to need to view all of the connection data. So to do that we’re going to use bro conn. And it’s very important to use a colon, class:bro_conn as opposed to a class=bro_conn for the search MQL. The next thing we’re going to do is add the protocol. And we want to group this by class. So this is going to give us all of the connection data with this bro conn. It’s going to give us the ICMP protocol and group all of that by class and in this case the class is bro conn. This shows us all of the ICMP traffic on the network for the past hour and in this case there were 2.3 thousand events. And finally the last search I’d like to demonstrate today is how to show all files that have been received and how to group them by their MD5 hash. To do that again we’re going to look at that connection data in this case class=bro. But in this case we want to look at files. So we’re going to do bro_files and we’re going to group that by MD5. This is going to show us all the files that have been downloaded in the past hour grouped by their MD5 hash. Now we can see that there 73,000 events in the past hour. 73,000 different files that were downloaded and here we have them grouped by their MD5’s. So we can see all of the MD5’s that were downloaded, how many of them in the past hour. That does it for this video Valuable MQL Searches. Hopefully you find these suggested searches as valuable as I did. Please watch for more tips and tricks videos from FireEye. Happy hunting.