Logs inform investigations... but how?

Hi there. I’m looking for a good way to perform a Log Search for a file name, or file path, or cmd_line input statement. An example: InsightIDR creates an investigation, and the cmd_line entry tells me what was executed, and the file path shows where it resided at execution. I would like to look for any of these things in the Log Search, but I haven’t found that magic yet.

If I must become one to search for “exact quote” items, I’d like to hear that if possible. Thanks!

If these logs are in Log Search, you should be able to specify the key-value pair after selecting the log set these logs belong to.

Have you checked out our Log Search docs or the “Example Queries” within the tool itself on the Log Search page?

@egeater

There are many ways this can be achieved, either with LEQL or regex. If you are able to post a safe log line for what you are looking for I’d be more than happy to build a query for you to have and use for other instances.

John, thanks for your response! I did look at the link, thank you, but I may be too new to understand what it is showing. See my response to Stephen below for a more specific context.

@egeater,

I can’t seem to find any reply, but would love to help get this working with you.

(Sorry, Stephen, I was still composing this reply. Thanks for being observant!)

My example is a Malicious Hash on Asset Investigation.

The suspect file has a name of TungstenSprocket.exe (fictitious, naturally), and there’s a “SHA256” hash, a “CMD_LINE” which shows what was entered to run the program, and the name of the “PARENT_PROCESS” which inputted the command line. There’s also a PID and PROCESS – and much more than that, of course – but these three things will be sufficient for this discussion.

I would like to make a LEQL query (on all available logs, by the way!) which should show how often the suspicious SHA256 hash has been detected due to TungstenSprocket.exe. I realize this is an incredibly narrow search, so it’s not a surprise if nothing is found.

But if I create a LEQL query on all available logs for, say, the PROCESS_ID, or PID, or FILE_NAME, or FILE_PATH, I still don’t receive a result. It’s a surprise to not find a complete file path or file name.

I’m not an expert at RegEx, so I like to provide the entire path instead of attempting to use RegEx wild cards.

So my scope is kind of wide.

  • It would be helpful to know which log produced an investigation, so that I’m correctly choosing that log in future searches. Does an investigation say which log created it?

  • I don’t know if I’m using the correct key terms! The Investigation Agent Data refers to a “PID”, but should I be querying for “PID”, or “PROCESS_ID”, or “PROCESS_START_EVENT”?

Does any of this make sense? I hope so!

Thanks for your review,
Eric

So that investigation specifically is triggered by the InsightAgent as it is the piece in the puzzle that monitors process start/stops. Anyone that has the agent will have these alerts trigger. However, only if you purchase EET (Enhanced Endpoint Telemetry) will you actually see these logs in Log Search.

The reason you may be getting no results elsewhere when creating a search is that the key names are not normalized to the same names or nesting within the JSON as it is from the payload of the agent.

I think what @SDavis was referring to when he said use regex was to simply search for the phrase without specifying a key name. So instead you just wrap the whole SHA value in forward slashes like so:

/this is my hash value/

This way Log Search will look for any instance of that hash without needing to worry about what key it belongs to, so you don’t need to worry whether it was PID, process_id, etc.
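To illustrate the point about non-normalized key names, here is an added example (not code from this thread or from InsightIDR) that contrasts a key-bound search with a key-less "wrap the value in forward slashes" search over constructed JSON log lines; the sources, key names and the hash value are all made up for the demonstration.

```python
import json
import re

CONSTRUCTED_HASH = "deadbeef" * 8  # placeholder, not a real indicator

# Constructed sample log lines (not real InsightIDR output): each source
# names and nests the PID, path and hash keys differently, as described above.
SAMPLE_LOGS = [json.dumps(rec) for rec in [
    {"source": "agent", "process": {"pid": 4120, "sha256": CONSTRUCTED_HASH,
                                    "exe_path": "C:\\Temp\\TungstenSprocket.exe"}},
    {"source": "edr", "process_id": 4120, "hashes": {"SHA256": CONSTRUCTED_HASH},
     "file_path": "C:\\Temp\\TungstenSprocket.exe"},
    {"source": "agent", "process": {"pid": 77, "sha256": "00" * 32,
                                    "exe_path": "C:\\Windows\\notepad.exe"}},
]]


def lookup(record, key_path):
    """Follow a dotted key path such as "process.sha256" through nested JSON."""
    node = record
    for part in key_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def search_by_key(logs, key_path, value):
    """Key-bound search (where(key=value)): hits only when the source uses
    exactly that key name and nesting."""
    return [line for line in logs if lookup(json.loads(line), key_path) == value]


def leaf_values(node):
    """Yield every leaf value of a JSON document as a string, ignoring keys."""
    if isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from leaf_values(child)
    else:
        yield str(node)


def search_anywhere(logs, literal):
    """Key-less search, the equivalent of wrapping the value in forward slashes
    (/value/): match every value in the record, whatever key holds it.
    re.escape makes a full path or file name match literally (no wildcards)."""
    pattern = re.compile(re.escape(literal))
    return [line for line in logs
            if any(pattern.search(v) for v in leaf_values(json.loads(line)))]
```

Because the key-less search matches anywhere, a short value such as a PID can hit inside unrelated fields (here "12" matches within 4120), so it is best reserved for long, distinctive values like a hash or a full path.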

Hi Eric,

For process start logs, you can see the schema as presented in log search here - Enhanced Endpoint Telemetry | InsightIDR Documentation

If you’re currently not seeing any process start logs (under the endpoint activity log set), it may be because the EET add-on was not included for the account. We do have good news on that front though, as we are gradually rolling out these logs with a limited search retention period of the previous 7 days for IDR Advanced customers. You can expect to see this change in the new year.

The schemas for other event types are available here - https://docs.rapid7.com/insightidr/event-type-keys#log-search-and-detection-based-event-types