Hi there. I’m looking for a good way to perform a Log Search for a file name, or file path, or cmd_line input statement. An example: InsightIDR creates an investigation, and the cmd_line entry tells me what was executed, and the file path shows where it resided at execution. I would like to look for any of these things in the Log Search, but I haven’t found that magic yet.
If I must become one to search for “exact quote” items, I’d like to hear that if possible. Thanks!
There are many ways this can be achieved, either with LEQL or regex. If you are able to post a safe log line for what you are looking for I’d be more than happy to build a query for you to have and use for other instances.
John, thanks for your response! I did look at the link, thank you, but I may be too new to understand what it is showing. See my response to Stephen below for a more specific context.
(Sorry, Stephen, I was still composing this reply. Thanks for being observant!)
My example is a Malicious Hash on Asset Investigation.
The suspect file has a name of TungstenSprocket.exe (fictitious, naturally), and there’s a “SHA256” hash, a “CMD_LINE” which shows what was entered to run the program, and the name of the “PARENT_PROCESS” which inputted the command line. There’s also a PID and PROCESS – and much more than that, of course – but these three things will be sufficient for this discussion.
I would like to make a LEQL query (on all available logs, by the way!) which should show how often the suspicious SHA256 hash has been detected due to TungstenSprocket.exe. I realize this is an incredibly narrow search, so it’s not a surprise if nothing is found.
But if I create a LEQL query on all available logs for, say, the PROCESS_ID, or PID, or FILE_NAME, or FILE_PATH, I still don’t receive a result. It’s a surprise to not find a complete file path or file name.
I’m not an expert at RegEx, so I like to provide the entire path instead of attempting to use RegEx wild cards.
So my scope is kind of wide.
It would be helpful to know which log produced an investigation, so that I’m correctly choosing that log in future searches. Does an investigation say which log created it?
I don’t know if I’m using the correct key terms! The Investigation Agent Data refers to a “PID”, but should I be querying for “PID”, or “PROCESS_ID”, or “PROCESS_START_EVENT”?
So that investigation specifically is triggered by the InsightAgent, as it is the piece in the puzzle that monitors process starts/stops. Anyone that has the agent will have these alerts trigger. However, only if you purchase EET (Enhanced Endpoint Telemetry) will you actually see these logs in Log Search.
The reason you may be getting no results elsewhere when creating a search is that the key names are not normalized to the same names or nesting within the JSON as they are in the payload from the agent.
I think what @SDavis was referring to when he said use regex was to simply search for the phrase without specifying a key name. So instead you just wrap the whole SHA value in forward slashes like so:
/this is my hash value/
This way Log Search will look for any instance of that hash without needing to worry about what key it belongs to, so you don’t need to worry whether it was PID, process_id, etc.
If you’re currently not seeing any process start logs (under the Endpoint Activity log set), it may be because the EET add-on was not included for the account. We do have good news on that front though, as we are gradually rolling out these logs with a limited search retention period of the previous 7 days for IDR Advanced customers. You can expect to see this change in the new year.
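To make the two points in the reply above concrete (key names and nesting differ between log sources, and a keyless regex for the literal value finds the record anyway), here is an added example in Python; it is not code from the thread or from Rapid7. The three log records, the hostnames, the hash value and the file paths are all constructed for this illustration, and the `search_by_key`/`search_anywhere` helper names are this example's own. `search_anywhere` is a local stand-in for wrapping a value in forward slashes in Log Search; it assumes LEQL's regex dialect treats backslash-escapes the way Python's `re` does, which the thread does not confirm.

```python
"""Search constructed process-start records for a value regardless of which key holds it.

Mirrors the thread's advice: a key-specific search misses records whose key names or
nesting differ (pid vs process.pid vs process_id), while a keyless regex for the
literal value finds them all. Records, hash and paths below are constructed.
"""
import json
import re
from typing import Any, Iterator

# Fictitious SHA256 and paths; not from any real investigation.
FAKE_SHA256 = "a3f1" * 16
FAKE_PATH = r"C:\Users\jdoe\Downloads\TungstenSprocket.exe"

# Constructed log lines. The first nests fields the way an agent payload might;
# the others are flatter records from another source with different key names.
SAMPLE_LOGS = [
    json.dumps({
        "timestamp": "2023-11-02T14:03:11Z",
        "hostname": "WS-0417",
        "process": {
            "pid": 4412,
            "exe_path": FAKE_PATH,
            "cmd_line": f'"{FAKE_PATH}" --quiet',
            "hashes": {"sha256": FAKE_SHA256},
        },
        "parent_process": {"pid": 1188, "exe_path": r"C:\Windows\explorer.exe"},
    }),
    json.dumps({
        "timestamp": "2023-11-02T14:03:12Z",
        "hostname": "WS-0417",
        "event_type": "PROCESS_START_EVENT",
        "process_id": 4412,
        "file_path": FAKE_PATH,
        "sha256": FAKE_SHA256,
        "parent_process_id": 1188,
    }),
    json.dumps({
        "timestamp": "2023-11-02T14:05:40Z",
        "hostname": "WS-0188",
        "event_type": "PROCESS_START_EVENT",
        "process_id": 44120,  # shares a prefix with 4412 on purpose
        "file_path": r"C:\Windows\System32\notepad.exe",
        "sha256": "0b9c" * 16,
        "parent_process_id": 2204,
    }),
]


def leaves(obj: Any, prefix: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted_key, string_value) for every scalar in a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from leaves(v, f"{prefix}[{i}]")
    else:
        yield prefix, str(obj)


def search_by_key(logs: list[str], key: str, value: str) -> list[int]:
    """Key-specific search: hits only records where exactly this dotted key holds value."""
    hits = []
    for i, line in enumerate(logs):
        if any(k == key and v == value for k, v in leaves(json.loads(line))):
            hits.append(i)
    return hits


def value_pattern(literal: str, exact: bool = False) -> str:
    """Regex for a literal value. Escaping makes the backslashes and dots in a
    Windows path literal; exact=True anchors it so 4412 does not also match 44120."""
    pat = re.escape(literal)
    return f"^{pat}$" if exact else pat


def search_anywhere(logs: list[str], literal: str, exact: bool = False) -> list[int]:
    """Keyless search: local analogue of wrapping a value in /.../ in Log Search."""
    rx = re.compile(value_pattern(literal, exact))
    return [
        i for i, line in enumerate(logs)
        if any(rx.search(v) for _, v in leaves(json.loads(line)))
    ]


if __name__ == "__main__":
    print("by key 'process_id'    :", search_by_key(SAMPLE_LOGS, "process_id", "4412"))
    print("by key 'process.pid'   :", search_by_key(SAMPLE_LOGS, "process.pid", "4412"))
    print("anywhere, sha256       :", search_anywhere(SAMPLE_LOGS, FAKE_SHA256))
    print("anywhere, full path    :", search_anywhere(SAMPLE_LOGS, FAKE_PATH))
    print("anywhere, pid substring:", search_anywhere(SAMPLE_LOGS, "4412"))
    print("anywhere, pid exact    :", search_anywhere(SAMPLE_LOGS, "4412", exact=True))
```

Two things worth noticing when running it: searching the PID by any single key name finds only one of the two records that describe the same event, while the keyless search finds both; and a short value like a PID matches as a substring (the 44120 record comes back too) unless the pattern is anchored, so a bare `/4412/` in Log Search may be noisier than a hash or full path, which are long enough to be unambiguous. The escaped pattern `value_pattern` returns is what would go between the forward slashes, on the assumption noted above about LEQL's escaping rules.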