(George Sandford speaking) Hello, everyone. Welcome and thank you for joining today’s webinar, FireEye Helix Explained: Dashboards and Reports. My name is George Sandford, Senior Manager and Customer Success here at FireEye, and I’ll be your host. Today we’ll be doing a deep dive on dashboards and reporting. Let’s start by introducing our expert presenters. Sarah Cox is an instructor and curriculum developer at FireEye. Joining Sarah today is John Dianni. John is a Denver-based staff technical instructor and SME at FireEye. Today John and Sarah will highlight specific functionalities within our FireEye Helix platform to boost the effectiveness of your SOC.
(Sarah Cox speaking) Thanks, George. So, I’m showing the overview here on this slide. We’ll start with a quick overview of the Helix platform. But our main focus is going to be talking about using dashboards. We’ll show the built-in dashboards provided by the platform and then show you how to leverage the custom dashboards to build content that’s going to be specifically applicable in your organization. And we’ll provide some examples of compliance scenarios and hunting dashboards that you can build to give you some ideas of how you might be able to leverage the features. We’ll cover turning those dashboards into a report. So, to start with, I’m just going to do a high-level introduction to the Helix platform. You can read our mission statement here. But I want to just point out that what we really have highlighted here as our most important values are the innovative technology and expertise that we have poured our hearts and souls into the platform. So Helix is a security platform that provides SIEM and orchestration and intelligence capabilities. And we have built this tool based on our experience in the field for practitioners. And we’ve built it as a tool for practitioners so that we can provide our intelligence expertise and give people using the platform the tools to respond to that and build context effectively.
So, as I said, Helix provides SIEM capability and, obviously, as a pinnacle in our FireEye ecosystem, our other products integrate smoothly into Helix. And so with detection from the network vector or email or endpoint, those integrate smoothly. And Helix gives you a single pane of glass to see those alerts. But more than that, to take that alerting information and then run searches and queries to build context for those alerts. And another really important piece that is important to understand about Helix, and that we’ll be leveraging today through our examples, is the integrations that you can do with Helix, either from cloud data sources or log data coming on premise through your network sensors. And by bringing all of that together in Helix we want to have a tool that allows security practitioners to do their jobs effectively. So, before we dive into dashboards and reporting, we’re going to talk a little bit about some of the background information that makes it easier for you to build dashboards and create custom reports effectively. On the left we have MQL here. If you are not very familiar with using the platform, I highly recommend you guys check that out. Getting some facility with understanding how to write queries and run searches will help you effectively build dashboards and reporting. We’re going to give you some examples today so you should be able to take those and leverage those. But of course just getting more experience with the platform will help you do your job in the platform a little bit more easily. The other really important piece is understanding the data that you have available in Helix. With the data that you have powering Helix, that is going to allow you to effectively build the custom dashboard reports that you need to have for your day-to-day operations. So we have here just an example of some of the types of data we have in our training environments and we’ll show some examples going through that.
So with that background we want to dive into talking about Helix dashboards. So, today we’re focusing on dashboards and reporting and those two are really inextricably linked. So FireEye Helix dashboards provide an overview of the current status in your environment. We provide several built-in dashboards that you can leverage based on your job role to focus on the data of interest. So we have a summary dashboard, and John in a minute here will take you through these to see them live in the environments. So we have a summary dashboard to show various aspects of the alerting and detection functionality. And then we have other dashboards focused on different job roles like system administrators or analyst roles. So I’m going to hand it over to John to take you through those and then we’ll come back to talking about custom dashboards.
(John Dianni speaking) Alright… Thanks Sarah. So, I am going to take you through the built-in dashboards that FireEye provides to you so that you can get an idea of what’s going on in your environment. The first dashboard, which if you’ve accessed Helix before you’re probably at least a little familiar with, is the summary dashboard that gives you an overview of what is going on alerting-wise within the environment. So, at the top you’re going to see your recent alerts and the risk that’s associated with them. Your alerting is going to be generated by these types of events that you have feeding into Helix and whatever logic that you’ve created or whatever rules that you’ve enabled provided by FireEye in order to provide that alerting functionality there. So this is giving you an overview there of your recent alerts. You have a graph that’s showing the recent alerts on the right-hand side as well. And then as you see down here we have an overall risk score; we saw a huge spike on the eleventh. This is all based off of our new entity-based tagging that we’re doing based off of assets that you have in your environment.
What behaviors are normally seen as being anomalous or possibly suspicious in your environment? A risk will be assigned to it and it will be shown in the overall risk score down here. And then we also have the split out by the entities that are showing the riskiest behavior as well. So you can see we have a lot of risky activity in our environment. And then you have your cases. So all of your events and your alerts can be made into a case to help collect all of your log sources to continue your investigation. So as you’re building your case out, anything that is open or uncontained would be shown in this window. So you can get an idea of how many things you guys are still working on, your team is still working on. Then you have the case metrics on the right-hand side showing you how many open cases there are and how many of them are labeled as critical. In your indexed events, the thing you’re going to look for here is any large spikes or dips in the traffic that’s coming in that could indicate you have a network connectivity issue or possibly just that there are sensors down. So down here we actually see we’ve had a couple of dips in our environment showing that we’ve had a couple of sensors that have gone down. And that’s why, actually, if we’re looking at our event classes here, we normally have a whole lot more of that in here but we’re looking at about half of them at the moment. So this is showing from the past 24 hours. When we say event classes, think of those as different log sources that you’re feeding into Helix. So all of your different event classes are shown at the bottom. And a lot of times this is a really good place to go to start.
If you want to start a hunting mission, looking at what data sources are available to you is going to make a difference in how you decide to try and hunt in your environment, because if you’re looking for one of those event logs to try and identify certain types of activity and you don’t have Windows event logs in your environment, that’s not going to be useful to you. Alright, so that is the summary dashboard. That’s what you’ll see when you first log in. We’re not going to go over custom at the moment because we’re going to be covering that a little bit later. We’re actually going to build out a custom dashboard. But we’re going to next step over to the operational dashboard. So, at the top, this is more of a system administrator type of dashboard that we’re looking at here. At the top you’re going to see the system health of your FireEye appliances. So as you see here we have an NX that’s connected, an Endpoint Security device that’s connected, a CMS device, as well as an Email appliance that is connected. So, the top system health is really only about your FireEye systems, the FireEye ecosystem really, that you have connecting to your Helix. Then you have your current EPS that’s shown down here. And really what you’re looking for here is just that you’re not getting too close to your threshold at the top; that’s what your subscription is. Whatever you’ve gone through with the purchase process, that would be how much EPS you have allotted to you.
And then down at the bottom you see sensors needing attention. So when we’re talking about the sensors we’re talking about what we call evidence collectors, which is pulling in the log sources from other appliances that you have in your environment that you want to be able to triage inside the Helix console. So, if you’re having issues with one of your sensors reporting in, they’ll show up down here. Next we’re going to go to the detection dashboard, so likely as an analyst this would be where you would log into soon after looking at the summary to see what open alerts you have available. If you do have alerts assigned to you, a lot of times you might have a 24-hour operation and you’ll be doing a turnover. And you know me, as John Dianni, I would assign an alert to the incoming team, one of the individuals from the incoming team, in order to continue that investigation. Or you can assign it to yourself as well. So, that’s one way that you can start your workflow for the day. Then you have your open cases shown down here. And if you do have a case that you’ve been working on that either you assigned to yourself or someone on your team assigned to you, they’ll also show up here so you can continue your investigation right from where you left off the previous day. And then if there are any unassigned alerts, this is also a really good place to go and start. You know, if you’re maybe the SOC lead or something and you want to look at all the alerts that you have in your environment and start assigning the alerts to different individuals, or if you’re just looking, you know, if you don’t have anything, like me, I don’t have any alerts assigned to me. I want to look for something to start investigating. This is a really good place to go because your alerting is based off of the logic that’s being applied to the events that are arriving inside of Helix. So, it gives you an idea of what you should be looking at.
And then reporting, as Sarah said, the dashboards and reporting are linked together, so as you create dashboards and you want to have a specific report that’s generated daily, weekly, monthly, you come to this screen to report, to create that. And then if you go into this little gear button here you’ll notice you can subscribe to any of the reports that are made public by any of your other teammates, or if you’ve created one and you wanted to subscribe to it so that you get an email in that time frame, the daily time frame or weekly time frame that you want to see that. And that’s it for dashboards for me. For now I’m going to hand you guys back over to Sarah so she can continue talking about dashboards.
(Sarah Cox speaking) Thanks, John. We want to spend the rest of our time talking about custom dashboards. So with Helix you have the power to build custom dashboards, and custom dashboards are essentially a group of queries. And when you load the dashboard it dynamically executes those queries. And so you’re getting a snapshot in time, when you open the dashboard, of what the data in your environment looks like. But beyond searching, and we showed the MQL searches that make up these queries earlier, with dashboards you can visualize the data. And so we have a sample dashboard here of Office 365, an executive summary. And so we’re running queries to identify the data and then applying visualization so that we can get a concise idea of what’s happening at the top. We see a histogram, which is event flow over time, so we can see a general increase in an area, and that might align with expected activity or that might be something we want to investigate by reviewing this. We also see some pie charts here. I see it’s a little small and we’ll go into some hands-on examples where we can see that better. You can also create tables and bar charts where you’re graphing other values, other than just time. And so dashboards are a collection of queries.
You can have up to five widgets or queries on your dashboard. And that limit is really designed for you to craft your dashboard in a way where you’re making the queries that matter. And when you load it you can take in the data and see what you want to see in your environment. So the really good news about dashboards, for those of you that are new to the product, is FireEye provides several template dashboards. So for example this Office 365 summary is a sample that we provide. You need to do a little customization, but this would be something that would be available in your environment to you right now if you have that data in. We’ll show you how to customize it.
So you can definitely create a custom dashboard from scratch. So, from the dashboards page that John showed previously there’s a button to create the dashboard. You get a pop up. The UI is very streamlined and easy to follow to guide you to creating a dashboard. And John will take you through an example of creating one from scratch. I want to show you also a way that you can leverage some of the provided dashboards that we have or dashboard templates. So, we saw the Office 365 example earlier. Here’s another one for compliance. So this compliance dashboard is set up for item 10.2.1. It’s focused on Microsoft Windows as a data source. And so this has been set up to show logins by hostname, logins by username, by method and by timestamp. And again if you have this Windows event data flowing into your environment it’s very easy and straightforward for you to leverage this dashboard. And we have similar dashboards for other data sources tracking logins for important devices. So, to use a template dashboard you can see here this is your view of the dashboard if you were to go in and search for this dashboard you can search on the compliance tag or the PCI tag to identify it. And if you were to open this dashboard in your environment your view would look like what we’re seeing here because it wouldn’t be pulling any data. Helix doesn’t yet know which systems are the ones of interest for you to see. But, you can grab this template dashboard, click on the gear icon in the top right corner and clone it. And once you clone it you can make modifications. Now the really good news for these compliance dashboards is that the modifications are really straightforward. So, we have a highlighted area of the screen that shows one of the queries that is part of this dashboard. It’s looking for Windows events for specific event IDs. And those IDs don’t change, you know, generally with a new release we might add them but you don’t need to modify those event IDs. 
The only piece that you need to modify is if we observe the hostname for the search is looking for this item, $cde_hostnames. That dollar sign is an indication that that’s a list in Helix. And so if we have a list named ‘cde_hostnames’ and have items on that list, then our dashboard will be functioning just as we would like it to. So, if you have the Windows data flowing into your environment, you create the list and you are good to go. Just like creating dashboards, creating the list in the UI is very straightforward from the Configure menu, which is marked at the top here. You can click on Configure, then Lists, and then create a list. And it just needs to have the same list name that’s used in the query we saw on the last page, cde_hostnames, and once we add hostnames to that list, that dashboard is going to be working beautifully for us. So, when I introduced dashboards I mentioned that when you load the dashboard it executes those queries at the point in time when you load it, and that can be useful for different types of activities. For something like compliance, what you really want to be able to do is generate this data regularly and have it stay static once you’ve collected it. And so the way that you do that in Helix is you’re going to generate a report from the dashboard that you own. So using that gear icon again in the top right corner we can click on it and we can either generate a single report, towards the bottom of the menu, or create a report schedule and have that dashboard data collected in report form at a regular interval.
One other thing I want to mention just about compliance dashboards: in the attachments and links section, we have a link to our compliance guide for Helix, and that is going to give you a list of all of the compliance dashboards that you can leverage, or in the platform, on the custom dashboards page, you can just search the compliance tags to see what dashboards are available that you might want to leverage in your own environment. So, getting back to the report scheduling, once we click on report schedule we’re going to get a pop-up that we can complete to indicate the schedule that we want to run this on, so we can choose the interval, you know, daily, weekly, monthly, set a time of day to run, and then add subscribers. In this example we’ve set up a subscriber, training at FireEye.com. This is from our training lab environment. And so that subscriber is not a Helix user, and so I’ve selected the option to save the report as a PDF and email it with that attachment, so I can send a PDF of the report to users that are not Helix users, which is really handy. I can also add subscribers that are Helix users, and those users can either receive the PDF attachment or log on to the platform to view, depending on how you’ve configured your report.
Once your reports are running and collecting data, on that dashboards menu you can view the reports you’ve collected, and they’re all listed there on the reports dashboard. And then from the gear icon you can choose to view those results. In this example that we’ve collected here, that report has run a few times. And so we can go back and look at any of the data that we’ve collected.
If for some reason you wanted to unsubscribe from that report you could do that from that gear icon as well.
So again, all of the functionality in the UI to create dashboards and schedule them as reports is very user friendly and the UI really guides you through it. The maybe potentially more challenging piece of creating dashboards and reports is identifying what would be the most valuable for you to use for that. In a moment I’m going to hand you to John to talk you through an example of how you might develop a dashboard and the methodology of thinking about it. One last thing I want to mention on dashboards and reporting. Obviously, through all these slides and demos you’ve seen the dark theme that we have in our Helix UI. If you print a dashboard you’ll have the, you’ll see the option to print it with a light view. And so you do get that more readable version for offline consumption.
So, I think that’s all I have for the nuts and bolts. So, I’m going to now hand it back to John to go back into the UI and give a hands-on example of building a dashboard.
(John Dianni speaking) Thanks, Sarah.
So, this is the final product of what we’re going to be building here in a second. We’re not going to talk through the logic behind how we decided what RDP usage to include in our dashboard, but we are providing that to you in our attachments. So, we show you a stepped process of how we decided on what types of events to include. But for now we’re going to focus more on the mechanics of actually building out a dashboard. So, I’m going to come into my custom dashboard screen here and I’m just going to click on ‘create a dashboard’. I have all of this written out. You can add in whatever tag you want to look at, so I’m going to put in ‘lateral movement’.
I’m going to add in, we’re going to be using Windows event logs for this, so we’ll do Windows event logs… there, and I will leave it at that for now. But, so, I’m naming it number 2 because we already have an RDP usage review that we created that I just showed you. So we’re going to create this dashboard. And you see there’s no widgets here. It’s empty. So the widgets are going to be the icons that you see on the screen, with the queries providing the data that you’re looking at. So, the first thing you’ll do is start to create a widget. We’re going to create first the RDP usage. So we’re just going to collect a bunch of different RDP Windows event logs and then put it up here, that’s why you see the number there, so RDP usage… for this one we’re actually going to do it as a histogram, so when you’re creating a histogram you actually have to choose the bar chart first and then you’ll put the histogram piece actually inside of your query. So, the way we’re going to do that is right here.
We’ll put in… so we’re looking at the Windows event logs that are associated with RDP, and then if you’ve gone through the MQL you’d know that anything after this pipe here is considered a transform. So, it’s how the data is going to be presented to you. So, here we’re showing that we want to look at it in a histogram format and we want it to be showing the timestamp and by hours. So, we’re going to put the time window, we’re going to extend this out to actually a week there. You control how large it is by the width here. So, you can see if you went down to 50 it reduces it to 50 there. We’re going to keep this one at a hundred though because we want to see the histogram going across the screen. So, let’s save that off and there we go. There’s our first widget. Our second widget we’re going to add here is going to be, just we want to see all the RDP, you know, what source IPs we’re seeing it come from. So we’re going to do, we’re going to title it ‘RDP by source IP’. And this one we’re going to keep just the table view for this one, and then inside of our query we’re going to look at the Windows event logs again. Most of the same events being shown there; we actually took one out, and we’re just removing the source IPv4 right now, the 127.0.0.1, which could be indicative actually of other RDP tunneling. But we’re just removing it out of this because it’s not useful for a follow-on investigation at this moment. So, we removed that for the moment. And we’re going to pipe and we’re going to group by the source IPv4. Again we’re going to go back a week for this report. We’re going to say 10 results, but for this one we’re actually going to do it at a quarter so we’re going to line these up along the bottom of the histogram at the end here. I’ll show you how to move things around. That’s our ‘RDP by source IP’. So, we have taken out the 4624 Type 10. We wanted to isolate that. So we’re going to add that back in here to the next widget.
This one we’re going to look at in a pie view because I find that to be pretty useful for this. We’re going to go back a week. Again 10 results and we’re going to make it 25. And… oh, we got a query in there.
So the only thing we’re going to be looking for here is going to be Windows event; we wanted to make sure that there is a source IP inside the event data there. And then we’re going to be looking for the logon type 10, which has to do with RDP, and we’re going to group it by the source IP and we want to see what logon ID is associated with it. Possibly there is a system with multiple logon IDs that are doing some RDP on there. So we want to see what users are actually doing that. Alright, so our next widget is going to be looking at the logon IDs; you just want to try to track all the logon IDs that we’re seeing performing RDPs, so.
Isolate that; again we’re going to do a pie for this. Inside of the query we’re going to go back a full week. And 10 entries, 25…
And there we go. So we’re looking at 4624 events as well as the 4778. And actually this is supposed to be 4779.
And the last one we’re going to do, we’re going to look at all the reconnections, because with RDP, if you don’t close your session correctly, other users can come in and log in. So we want to see, you know, is it the actual user that we’re expecting to log back in and who’s actually leaving these connections open. Because we might want to have to talk to them. So we’re going to put reconnections in here. The logic that we’re going to look at is going to be the Windows event IDs again. So we’re relying heavily on these Windows event IDs for this dashboard. Looking for the source IP. We’re going to look at the event IDs around the reconnections, which is 25 and 4778. And we’re going to group it by the source IP, the timestamp and the logon ID. And then we’re going to also add in, actually that’s not supposed to be there… it’s just that… group by the source IP, timestamp and the logon ID there.
Go by week. Again go 10 and 25. Save that off.
What we’re left with is all the data that we wanted, but notice we’re kind of backwards from the way we’re set up in the example I showed you. So it’s really easy to move these widgets around. You just move it up to the top here. That’s the first one we want to see.
There we go. Do that, and I want to see this RDP source IP at the beginning… there, and we can leave the rest where they are, and I’m going to give you to George to close us out.
(George Sandford speaking) Excellent. Thank you, John. Thank you, Sarah. Some great insights. And I’m sure our audience has benefited from many of the takeaways to provide max visibility and efficiency in their SOC. We did get a bunch of great questions. With that, I’d like to welcome the rest of our panel, Mike Kizerian and Luke Clemente, who will join John and Sarah and myself for the Q&A. Our first question: “Is there a guide for the syntax of the MQL statements we need to make the dashboards?”
(Luke Clemente speaking) Yes, Luke Clemente here. So, in your Helix instance, if you click on, if you’re just inside Helix and inside the query search dashboard, there up at the top right, in blue… syntax help. And that will actually take you directly to a guide for some MQL syntax help there.
(George Sandford speaking) Alright, outstanding. Yeah, I know there are some examples; one of the other things that you can do is, if you look at some of the preexisting dashboards or some of the preexisting rules, you’ll be able to see some good examples of efficient MQL, just a pro-tip there. Sarah, I think this one might be prime for you: “Will reports be empty until we have custom dashboards?”
(Sarah Cox speaking) So, the dashboards, we have pre-populated dashboards, but we don’t have the pre-generated reports, so the step will be for you to take those dashboards, and then if you’re launching a dashboard and it is empty, what you want to do is take a look at the queries and confirm that you have the data sources. And so you can see the event classes, which are basically our log sources. And you can compare that to what’s on your summary dashboard for data that has come in. So if you have the data, then the other piece you want to look at is to see if it’s using a list or something that maybe you haven’t yet built. And the list, you’ll see the dollar sign preceding a list, and that’s how you would know.
(George Sandford speaking) Excellent. So, we did get a good question on, “Can you turn a dashboard search into a rule?”
(Luke Clemente speaking) Absolutely. Definitely test it out, so once you test out your query and you start to pull back the information you want to pull back and then you create a dashboard with it, just make sure that when you’re running that query that you’re getting back the information that you want for sure, or that you’re not getting information back yet. You know, for instance, if you’re running a query to see if you’re getting any RDP sessions from outside in, right, from outside your network to inside your network, if you are getting some of those that might be something to look into. But first of all you probably don’t, you probably aren’t going to see any of those.
So if you create a rule for that and you’d run the query and you’re not getting any events for that, that’s good. But you can create a rule based off that.
(George Sandford speaking) Thank you, Luke. And we’ll go with one last before we wrap up: “Do dashboard reports include drill-down capabilities?”
(Luke Clemente speaking) I can take that one as well. So, in an automated way, no. I’ll answer that: in an automated way, no… but yeah, John, if you want to go to one of your dashboards there. But any of these widgets, you’ll see they have these little blue search icons on all the queries. So if you’re seeing some information in one of those widgets that you’re like, “Hey, that looks funny or that looks off,” click any of those and it’ll actually run that query for you, the exact query that’s in that widget. And then from here is where you drill down. So if you were looking for a specific process or a specific event ID, you know, you could drill down on that specific event ID or that specific host for that matter. So, that’s how you would drill down into it. You just have to do some manual hunting there. We don’t have any automated ways yet, but you do have the ability to hunt and drill down based off that widget that you’re looking at.
(George Sandford speaking) Appreciate that. Thanks for joining us.
This webinar was recorded on May 19, 2020.
Experts from FireEye Education Services detail the ins-and-outs of dashboards and reporting in FireEye Helix.
- Best practices and common use cases for Helix to boost the effectiveness of your security operations
- Essential Helix features that improve visibility across your security operations platform
- Guidance on creating custom dashboards to visualize your most important data
- Options to use FireEye preconfigured custom dashboards to simplify the collection and visualization of compliance data
- Ways to schedule reports and manage report subscriptions
- A demonstration of Helix dashboards and reports
The webinar is followed by an in-depth Q&A session.
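The five widgets John builds in the RDP usage review dashboard (hourly histogram, sources excluding 127.0.0.1, 4624 logon type 10 by source and logon ID, logon IDs across 4624 and 4779, and 25/4778 reconnections) can be reproduced offline over raw Windows events. The script below is an added example, not FireEye code and not MQL: the field names (eventid, logontype, srcipv4, logonid, username, timestamp), the seven-day window end and the sample records are all constructed assumptions, so map the field names to the Helix class fields you actually use before porting a query.

```python
"""Offline re-creation of the RDP usage review dashboard widgets (added example).

The grouping logic mirrors the five widgets built in the demo; field names and
sample events are constructed assumptions, not Helix field names or real data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event IDs the dashboard relies on:
#   4624 logon (logon type 10 = RemoteInteractive, i.e. RDP)
#   4778 session reconnected, 4779 session disconnected (Security log)
#   25   session reconnection (TerminalServices-LocalSessionManager)
RDP_EVENT_IDS = {4624, 4778, 4779, 25}
RECONNECT_EVENT_IDS = {25, 4778}
RDP_LOGON_TYPE = 10
LOOPBACK = "127.0.0.1"   # dropped in the "RDP by source IP" widget, as in the demo


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample telemetry (assumed field names), not real data.
EVENTS = [
    {"eventid": 4624, "logontype": 10, "srcipv4": "10.1.1.5", "logonid": "0x3e7a1", "username": "alice", "timestamp": ts("2020-05-11 09:05")},
    {"eventid": 4624, "logontype": 10, "srcipv4": "10.1.1.5", "logonid": "0x3e7b2", "username": "bob", "timestamp": ts("2020-05-11 09:40")},
    {"eventid": 4624, "logontype": 3, "srcipv4": "10.1.1.9", "logonid": "0x3e7c3", "username": "svc", "timestamp": ts("2020-05-11 10:00")},  # network logon, not RDP
    {"eventid": 4624, "logontype": 10, "srcipv4": "10.2.2.8", "logonid": "0x3e7d4", "username": "carol", "timestamp": ts("2020-05-12 14:15")},
    {"eventid": 4778, "srcipv4": "10.1.1.5", "logonid": "0x3e7a1", "username": "alice", "timestamp": ts("2020-05-11 11:30")},
    {"eventid": 4779, "srcipv4": "10.1.1.5", "logonid": "0x3e7a1", "username": "alice", "timestamp": ts("2020-05-11 11:00")},
    {"eventid": 25, "srcipv4": "10.2.2.8", "logonid": "0x3e7d4", "username": "carol", "timestamp": ts("2020-05-13 08:02")},
    {"eventid": 4778, "srcipv4": LOOPBACK, "logonid": "0x3e7e5", "username": "dave", "timestamp": ts("2020-05-13 09:10")},  # loopback source
    {"eventid": 4624, "logontype": 10, "srcipv4": "10.1.1.5", "logonid": "0x3e7f6", "username": "alice", "timestamp": ts("2020-05-02 09:05")},  # outside the week
]
END = ts("2020-05-14 00:00")   # assumed end of the one-week window every widget uses


def in_window(e, end, days=7):
    """Trailing window, the equivalent of the 'go back a week' setting."""
    return end - timedelta(days=days) < e["timestamp"] <= end


def is_rdp(e):
    """4624 only counts as RDP when the logon type is 10; the others always do."""
    if e["eventid"] == 4624:
        return e.get("logontype") == RDP_LOGON_TYPE
    return e["eventid"] in RDP_EVENT_IDS


def rdp_usage_histogram(events, end):
    """Widget 1: RDP events bucketed per hour (histogram on timestamp by hour)."""
    buckets = Counter()
    for e in events:
        if in_window(e, end) and is_rdp(e):
            buckets[e["timestamp"].replace(minute=0, second=0, microsecond=0)] += 1
    return dict(sorted(buckets.items()))


def rdp_by_source_ip(events, end, top=10):
    """Widget 2: session events (4624 left out) grouped by source IP, loopback removed."""
    c = Counter(e["srcipv4"] for e in events
                if in_window(e, end) and e["eventid"] in RDP_EVENT_IDS - {4624}
                and e.get("srcipv4") and e["srcipv4"] != LOOPBACK)
    return c.most_common(top)


def type10_by_source_and_logon(events, end, top=10):
    """Widget 3: 4624 logon type 10 with a source IP, grouped by (srcipv4, logonid)."""
    c = Counter((e["srcipv4"], e["logonid"]) for e in events
                if in_window(e, end) and e["eventid"] == 4624
                and e.get("logontype") == RDP_LOGON_TYPE and e.get("srcipv4"))
    return c.most_common(top)


def rdp_logon_ids(events, end, top=10):
    """Widget 4: logon IDs seen in 4624 type 10 and 4779 (disconnect) events."""
    c = Counter(e["logonid"] for e in events
                if in_window(e, end) and (e["eventid"] == 4779 or
                                          (e["eventid"] == 4624 and e.get("logontype") == RDP_LOGON_TYPE)))
    return c.most_common(top)


def reconnections(events, end, top=10):
    """Widget 5: 25/4778 reconnections grouped by (srcipv4, timestamp, logonid).

    A logon ID that reconnects from a different source than it logged on from is
    the 'who is picking up an open session' question the demo raises."""
    c = Counter((e["srcipv4"], e["timestamp"], e["logonid"]) for e in events
                if in_window(e, end) and e["eventid"] in RECONNECT_EVENT_IDS and e.get("srcipv4"))
    return c.most_common(top)


def build_dashboard(events, end):
    """All five widgets, keyed by the titles used in the demo."""
    return {
        "RDP usage": rdp_usage_histogram(events, end),
        "RDP by source IP": rdp_by_source_ip(events, end),
        "4624 type 10 by source/logon ID": type10_by_source_and_logon(events, end),
        "RDP logon IDs": rdp_logon_ids(events, end),
        "Reconnections": reconnections(events, end),
    }


if __name__ == "__main__":
    for title, rows in build_dashboard(EVENTS, END).items():
        print(title, rows)
```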