TAP User Guide FireEye, Inc. Next Generation Threat Protection 1440 McCarthy Blvd., Milpitas, CA 95035 www.FireEye.com © 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. Document version: v1.0A Contents Contents i TAP Overview iii Events iii Intelligence iv TAP Architecture v Dashboard vi Search vii Run a Search vii Quick Mode vii Date Range vii History viii Favorites viii Lists viii Create, Update, Export Lists viii Import Lists ix Search Results ix Pivoting ix MQL Syntax 1 Search Clauses 1 Quotes 1 Numbers 2 Date and Time 2 Set Notation 3 Boolean Operators 3 Comparison Operators 4 Parenthetical Expressions 4 Prefix Search 4 Subsearch and Variable Expansion 5 Subsearch 5 Subearch with Variable Expansion 5 Variable Expansion 6 Regular Expressions 6 FireEye, Inc. i TAP User Guide Filters 7 Directives 8 Transforms 8 Groupby 8 Histogram 9 Taxonomy 9 Meta-Classes and Classes 10 Fields 10 Aliases 11 IP, SRCIP, DSTIP 11 Host 12 ID 13 MAC 14 Port 14 Interface 15 Hash 15 Intel Hit Searches 15 Rules 17 Rule Packs 17 View Rules 18 Enable and Disable Rules 18 Create User-Defined Rules 18 Update User-Defined Rules 19 Delete Rules 19 Import and Export Rules 19 Alerts 20 Suppress Alerts 20 Add Alerts to Incidents 20 Incidents 21 Create New Incident 21 Add Events to Existing Incident 22 Assign Incident and Investigate 22 View Alert Details 22 FireEye, Inc. ii TAP User Guide TAP Overview The FireEyeThreat Analytics Platform (TAP) is a security incident detection and resolution tracking platform that identifies cyber threats and improves response by layering enterprise-generated event data with real-time threat intelligence from FireEye. TAP Overview TAP is a cloud-based application that: l l l l l l Collects and indexes database, security, network, and endpoint events from your environment Compares indicators in your events in real-time against FireEye intelligence and generates alerts on hits Applies both FireEye-defined rules and rules that you define to event data to generate alerts Provides an incident workflow for tracking both events associated with alerts and any events that you deem suspicious from investigation to remediation Makes events available for efficient searching and pivoting Provides visualizations of trending activity Events An event is any observable occurrence. Logging is the process of recording events to provide an audit trail that can be used to understand the activity of a system. In the context of TAP, event refers to a specific log entry. FireEye, Inc. iii TAP User Guide Each event found within log data in TAP is assigned a uniqueID as it enters the TAP application in the Comm Broker Sender within your environment. Log data from each device is run through a parser if one is available. Parsers separate the data in events into fields and label though fields according to the taxonomy. The taxonomy names and defines types of data that appear in events. After being parsed, each event then has two parts: parsed fields and the raw message. Parsed fields have the following advantages: l l l Can be searched using MQL syntax Have pivoting capability when the event appears in search results Provide more accurate data for matching against intelligence indicators If an event is not parsed, the raw message is still indexed and can be searched as a string. TAP still attempts to match the raw message against intelligence indicators but more false positive hits may result. When an event matches intelligence, TAP generates a synthetic event for that intel hit. Having a synthetic event allows you to search more effectively for intel hits. Intelligence TAP applies FireEye Intelligence to events once in real-time as they are received. TAP checks parsed fields in events and unparsed, raw messages for fully qualified domains (FQDNs) and IPs that we believe are indicators of a compromise. When a match is found, TAP generates an intel hit (along with a synthetic event) and an alert. Intel hits based on matches of just raw data in an event are more likely to be false positive hits than matches on parsed fields. Intelligence indicators are updated hourly. FireEye intelligence is gained from our extensive incident response work as well as research by our experts and includes these two types: l l Commodity. Commodity intel is generated from analysis of over 1 million malware samples per day. By denoting these samples and analyzing them, we generate 10,000 indicators per day. Our expert intel team reviews matches from customer environments to these indicators to help ensure that only valid intel hits are sent to your TAP instance. Curated. Curated intel is generated from FireEye research; we closely track threat families and Advanced Persistent Threats (APT) groups. From this research, we compile malicious indicators and TAP looks for those indicators in your events. This type of intel generally generates fewer hits but the hits that occur indicate high risk compromises. When TAP is configured for your environment, the TAP operations team notes your external IPs. If FireEye finds any of these IPs sending data to a known sinkhole (i.e., a known evil command and control server), TAP alerts you. FireEye, Inc. iv TAP User Guide TAP Architecture Your TAP instance resides in two environments: your environment and a Virtual Private Cloud (VPC) within Amazon World Servies (AWS). Within your environment is one or more Communication Broker Senders that send log data to a Communications Broker Receiver within TAP in the VPC. The Comm Broker Receiver and all other TAP components within the VPC are managed by the TAP Operations Team. TAP High-Level Architecture The data flow is as follows: l l l l The Comm Broker sender listens receives log data in your environment and sends it to the Comm Broker Receiver in the VPC. For security purposes, all data in transit, including all metadata, is encrypted with Twofish with a 256-bit key. When data is transmitted over the WAN to the Communication Broker Receiver, it is double-encrypted with two layers of Twofish and 512 bits of key total. The Communication Broker Sender/Receiver combination never stores any customer data in clear text. Log data is parsed according to the TAP taxonomy and then indexed to make it available for fast searches and pivoting. Log data that cannot be parsed is still indexed as raw messages. Both FireEye-defined and customer defined rules are applied to the events and alerts generated if applicable. FireEye intelligence is also applied to all events in real-time and alerts generated for any hits. FireEye, Inc. v TAP User Guide Dashboard The TAP application is designed to be viewed in Chrome. The default page for the TAP application is the Dashboard page. The Dashboard page is designed to provide a broad overview of the current status of events, alerts, and incidents in TAP. If there is a current alert, a banner appears at the top of the Dashboard page to provide immediate pertinent information related to that alert and options for taking action with the alert. Depending on the data available in TAP, the Dashboard page shows: l l l Active alerts and a graphic showing the number of alerts per source (FireEyedefined rules, user-defined rules, or intel hits) Open incidents, including the total number as well as the average time to close Metrics about events such as the total number of events in the TAP index and the daily high and low number of events. FireEye, Inc. vi TAP User Guide Search TAP Search capability allows you to search events as both a starting point to find a potential compromise and to locate specific events associated with alerts. TAP can search billions of events in seconds. Events are available for searching for 4, 8, or 12 months depending on how your TAP instance was configured when it was deployed. The TAP search depends on the event as follows: l l For raw events, TAP is able to search for matching strings. For parsed events that are normalized according to the TAP taxonomy, TAP is able to search for common data all across all events from a variety of log sources. Run a Search Search capability is provided in TAP by entering a query written using Mandiant Query Language (MQL) and selecting a date range option and selecting Quick Mode if desired. TAP uses MQL as the syntax for constructing queries to search events. The complete MQL syntax is supported in the Search box the top of every TAP page. Once you have run one query, you use the pivot functionality to refine that query or create a new query. Quick Mode Quick Mode provides fast but partial search results when you run a query. To use Quick Mode, check the Quick Mode option on the Search bar. Quick Mode limits the number of results that TAP returns. The results returned are based on events found but do not represent all the events that match the query (i.e., the count is not accurate). Using Quick Mode, you can test whether a query will return results and if those results are what you expected. This is particularly useful when building complex queries. Date Range You can limit the query to a specific time period, by selecting one of the following options: l l l l l Past hour Past 12 hours Past 24 hours Past 7 days Last 30 days FireEye, Inc. vii TAP User Guide l l Past 90 days Custom range with a start and end date To select a date, click the calendar icon in the Search bar. The date that TAP uses to evaluate the query (and as the default order in search results) is the date and time that the event arrived into TAP. When the Comm Broker Sender receives log data from your environment, it adds the current time as a timestamp to the event. This timestamp, includes the date and time down to the millisecond. History TAP saves all the search queries run. This History is available on the Search page. To run a previous query, select it from the History menu or the Latest History box on the Search page. To clear the history, click Clear in the Latest History box on the Search page or select Clear History from the History menu on the Search page. Favorites A Favorite is a search query that you would like to save to run again. To add a query to Favorites, run the query in the Search bar then click Favorite. To run a Favorite query, select it from the Favorites menu or the Top Favorites box on the Search page. To delete a Favorite from the list, click the X icon next to the query on the Favorites menu or select Edit in the Top Favorites box. Lists Lists allow you to conduct searches for multiple items at one time (e.g., shared indicators, executive machine IPs). If you have many fields that you would like to include in one or more queries, you can create a list and use the list name in the query. The list name serves as a variable in the MQL syntax. Create, Update, Export Lists To create a new List, click Create New List on the Lists menu on the Search page. To edit an existing List, select the list name on the Lists menu on the Search page. On the Lists page, enter or update the following: l l l List name List description IPs and domains on separate lines in the Search for box. The limit is 100K per list. FireEye, Inc. viii TAP User Guide To export the list, click Export. Import Lists If you have existing lists of domain and IPs stored in .json format, you can upload those lists for use in TAP. To import list, select Import List from the Lists menu on the Search page. On the Import List window, select the file to import. Only .json is supported. Search Results The results for the query appear on the Search page as a list of events. Each event includes both the raw event data and the parsed fields, if applicable. Parsed fields have pivoting options. You can also visualize data results on a timeline. Click Timeline at the top of the search results. If you think results are missing, be sure that the search query was not run with Quick Mode selected. After selecting events, you can add them to an incident. After finding results, TAP has the following options to help you use the results more efficiently: l l l l l l Highlight. To see the fields that matched the search query, click Highlight. Geo. TAP uses data from the srcipv4 and dstipv4 fields in events to determine geographical IP. To display the geographical information for an event, such as the destination country, destination IP, or destination domain, click Geo. Meta. To see the meta-classes in the events, click Meta. Sort. By default, the events in the results are sorted by the newest first. You can reverse the order by selecting Oldest for the Sort option. The date that TAP uses is the date and time that the event arrived into TAP (which is also used in the query). Show and Select. By default, the search results list shows all the results. To view only specific events, select those events and choose Selected for the Show option. The Visible and None options for Select work also change the events displayed. View. You can opt to see all the results which may include both raw events and parsed events or you can opt to show just one or the other. Select an option for View. Pivoting Pivoting through data is how you add context to an event to determine what to do next. After completing a search, you may find data of interest in a parsed field in an event in the results and want to refine your search or run a new search for the same data in other events. FireEye, Inc. ix TAP User Guide When events appear in the search results, the parsed fields provide the following pivoting and drill-down options by clicking the down arrow next to the field in the event in the results on the Search page: l l l l l New search. To search for the same field and data in other events, select New search. A new query appears in the Search bar, which you can either run as is or modify. Add to current search. To add another field and data to the current query in the Search bar, click Add to current search. Exclude from search. To add a field and data to the current query as a “not” statement, click Exclude from search. Groupby field. To use a field and its data in a groupby clause in the current query, click Groupby field. Copy to clipboard. To copy the field and its data to the clipboard for use in another application or for your notes, click Copy to clipboard. FireEye, Inc. x TAP User Guide MQL Syntax TAP employs Mandiant Query Language (MQL) for constructing queries. MQL is a data analysis language that is used to retrieve events for further analysis in TAP. MQL supports three types of clauses in the search query: l l l Search, which includes: l Quotes l Numbers l Date and time l Set notation l Boolean operators l Comparison operators l Parenthetical expressions l Prefix search l Regular expressions l Variable expansion l Subsearch l Filters Directives Transforms, which include: l Groupby l Histograms MQL supports an unlimited nesting of queries; however performance may slow depending on result set. The fields available to include queries are based on the taxonomy. Those fields include classes and also alias options. All fields and values are lowercase. Search Clauses A search clause specifies the data to be located based on exact matches, comparisons, ranges, and expressions. Quotes Use “ “(double quotes) or ‘ ‘ (single quotes) to search for the following: l l A space or an exact string that includes a space, use Keywords such as “and” or “or”, use FireEye, Inc. 1 TAP User Guide To search for quotes, use the escape. For double quotes escape using the following: l \“ For single quote escape using the following: l \’ Numbers MQL syntax supports the following for numbers: l l l l Negative “-“ and positive “+” signs Exponent as ‘e’ or ‘E’ Fraction as ‘.’ digit Fraction exponent as ‘fracexp’ Date and Time To limit events return by the search to a specific range, MQL supports the keywords “start” and “end”. Time specified in the MQL syntax takes precedence over time specified in the Search bar in TAP. MQL supports dates as follows: l l l l l Calendar date with the date: “yyyymmdd” Calendar date with just the year and monthy: “yyyymm” Calendar date with the week: “yyyyww” or “yyyy-ww” Calendar date with the week and day: “yyyywwd” Ordinal date: “yyyy ordinalday” Where: l l l l l l yyyy is the year in 4-digit number format mm is the month in 2-digit number format dd is the date in 2-digit number format ww is the week in 2-digit number format ranging between 1 and 52 starting the first week of January d is the weekday in 1-digit number format ranging between 1 and 7 starting with Monday ordinalday is the day in 3-digit number format ranging between 1 and 366 starting on January 1 MQL support time as follows: l l Hours, minutes, and seconds: “hhmmss” Hours and minutes: “hhmm” or “hh:mm” Where: l l hh is the hour in 2-digit format mm is the minute in 2-digit format FireEye, Inc. 2 TAP User Guide l ss is the second in 2-digit format MQL syntax also supports relative time such as: l l l l yesterday today last with hour, day, week, month, or year X hours, days, weeks, months, or years ago where X is a number The time that MQL uses when evaluating queries with “start” and “end” is the time that the event arrived into TAP. When the Comm Broker Sender receives log data from your environment, it adds the current time as a timestamp to the event. This timestamp, includes the date and time down to the millisecond, is the time field used to evaluate the start and end keywords and is also the default order that search results are displayed on the Search page. To evaluate the query using time values located in another field, you must specify that field. Set Notation MQL syntax supports lists of comma separated values by placing the list between square brackets “[]”. For example: scrip:[192.68.1.1,192.68.1.2] Boolean Operators Boolean operators include “and” and “or” and “not”. By default, a space between query terms is the equivalent is considered an implicit “and” and the search will be inclusive of all terms specified. The order of precedence for “and” and “or” is: l l Explicit “and” (i.e., and is entered) is higher than “or” Implicit “and” (i.e., no “and” entered by just a space between terms) is lower than “or” The valid symbols for “and” are: l l and && The valid symbols for “or” are: l l or || (double bars) For example: http and tcp or ftp : (http and tcp) or ftp http tcp or ftp : http and (tcp or ftp) FireEye, Inc. 3 TAP User Guide The operator “not” binds to what is immediately after it. For example: not ftp The valid symbols for “not” are l l l NOT Not ! (exclamation point) (with no space afterwards) Comparison Operators To find data in a specific field, use the equal operator which is one of the following: l l = (equal sign) : (colon) Neither have spaces around them. The value specified after the operator must be valid for the field type. For example: scrip:192.168.1.1 scrip=192.168.1.1 In addition to equals, the following other operator values supported are: l l l l > < =< >= There are no spaces around the operators. Operator values are the tightest binding. For example: recvdpackets>20 ! recvdpackets<=20 Parenthetical Expressions Parenthesis can be used to group terms for precedence. Parenthesis are also used to designate subsearches. For example: tcp and (http or ftp) not (http and tcp or not ftp) Prefix Search Parenthesis can be used to group terms for precedence. Parenthesis are also used to designate subsearches. FireEye, Inc. 4 TAP User Guide For example: tcp and (http or ftp) not (http and tcp or not ftp) Subsearch and Variable Expansion Subsearch allows you to specify a query to run then use the results from that query in another query. Subsearch can be run by itself or with variable expansion. Variable expansion can also be run independently of subsearch. Subsearch Subsearch is supported using a parenthetical expression. For example: srcip:(rawmsg:Trojan) and hostname:important_machine In this example query, the search engine will first locate “Trojan” in all raw messages and return all the source IPs of those events. It will then search for events with one of those source IPs and the hostname “important_machine” and return those events. In this example if the subsearch (rawmsg:Trojan) would find 2 unique srcip addresses (172.15.1.10 & 175.15.1.20) then the full searches performed will be: srcip:172.15.1.10 and hostname:important_machine OR srcip:175.15.1.20 and hostname:important_machine You can also compare different variables to each other with the “in” operator to specify the field in the subsearch to be used in the comparison. For example: IOC dsthost:(srchost in fireeye eventlog:/.*back.*/) For this query, search first resolves the subsearch expression and returns the unique srchosts which it then uses to search the dsthost as search terms in the main query. This can be useful when the direction of the event is different (as with some of the events from other FireEye products) or when trying to look for callback activity from the original infection source. Subearch with Variable Expansion You can also use subsearch in combination with variable expansion. Variable expansion allows you to specify a list of pre-populated values and then use the results from that query in another query. For example: IOC (dsthost:$exec_pc) FireEye, Inc. 5 TAP User Guide For this query, search first resolves the subsearch expression by doing a search for all the dsthosts that match the list $exec_pc and returns the result to add them as search terms in the main query. In this example if the exec_pc list contains the hostnames execcto and execcfo, the following search would be executed: IOC dsthost:execcto OR IOC dsthost:execcfo Variable Expansion You can also use variable expansion outside of subsearches. The syntax is: field_name:$keyword For example: dsthost:$exec_pc In this example you would be executing the following search: dsthost:execcto OR dsthost:execcfo Which is the same as: dsthost:[execcto,execcfo] Regular Expressions The MQL syntax supports regular expressions. MQL regular expression patterns are always anchored (i.e., you do not need to specifically indicate whether the regex pattern starts at the beginning or end of the string). The pattern provided must match the entire string. The exception is the use of an asterisk (*) in a prefix search. For example, to match a user-agent field of “Mozilla/5.0”, the regular expression must be “User-agent=.*5\.0.*”; it will not match on “User-agent=5.0” or “User-agent=5\.0”. Any characters may be used, but certain characters are reserved and must be escaped. The reserved characters are: . ? + * | { } [ ] ( ) " \ The character * is also used for prefix searches. Any reserved character (including a backslash) can be escaped with a backslash (for example, "\*"). Any characters (except double quotes) are interpreted literally when surrounded by double quotes. A period “.” can be used to represent any character. The plus sign "+" can be used to repeat the preceding shortest pattern once or more times. The asterisk "*" can be used to match the preceding shortest pattern zero-or-more times. FireEye, Inc. 6 TAP User Guide The question mark "?" makes the preceding shortest pattern optional. It matches zero or one times. Curly brackets "{}" can be used to specify a minimum and (optionally) a maximum number of times the preceding shortest pattern can repeat. The allowed forms are: l l l {5} # repeat exactly 5 times {2,5} # repeat at least twice and at most 5 times {2,} # repeat at least twice Parentheses "()" can be used to form sub-patterns. The pipe symbol "|" acts as an OR operator. The match will succeed if the pattern on either the left-hand side OR the right-hand side matches. The alternation applies to the longest pattern, not the shortest. Ranges of potential characters may be represented as character classes by enclosing them in square brackets "[]". A leading ^ negates the character class. The allowed forms are: l l l l l l l l [abc] # 'a' or 'b' or 'c' [a-c] # 'a' or 'b' or 'c' [-abc] # '-' or 'a' or 'b' or 'c' [abc\-] # '-' or 'a' or 'b' or 'c' [^a-c] # any character except 'a' or 'b' or 'c' [^a-c] # any character except 'a' or 'b' or 'c' [-abc] # '-' or 'a' or 'b' or 'c' [abc\-] # '-' or 'a' or 'b' or 'c' Note that the dash "-" indicates a range of characters, unless it is the first character or if it is escaped with a backslash. Filters MQL supports filtering on data that exists in a given field and data that is missing from a given field. Including the keyword “has” in a search query followed by a field name filters out events which do not have that field. For example: has:dstcity Including the keyword “missing” in a search query followed by a field name filters out events which have that field. For example: missing:dstcity FireEye, Inc. 7 TAP User Guide Directives Directives are modifiers that instruct the search engine how to query. Directives include: l l l l l l Limit. Limit indicates the number of results to return. A limit of zero (which is the default) means that all results are returned. Note: The default value for limit is ten when in quick mode. Offset. Offset indicates how far into a result set to go before returning results Cutoff. Cutoff tells the search engine to stop searching after finding the indicated number of records. The results will not be as accurate but will be returned faster. Start. Start represents the earliest timestamp to return. End. End represents the latest timestamp to return. Sort. Sort indicates the field on which to order the events returned. Multiple fields can be indicated with a comma (,). Sort has two options to indicate direction of the sort: ascending (designated by “[asc]”) or descending (designated by “[desc]”) For example: start:yesterday end:today limit:10 offset:10 sort:timestamp [desc],bytes_in[asc] cutoff:10 Transforms A transform allows you to pass the results of a query through a function, which will add, remove, or modify your search results. Transforms are separated in a query by “|”. Queries can include multiple transforms. Transforms include: l l Groupby Histogram Groupby Groupby returns the unique values for a given field and the count of the distinct values. The events returned by the search when you use a groupby are representative events which are grouped. The syntax for groupby is: <search> | groupby field_name [integer] Field_name is any string comprised of letters and numbers and special characters. A positive integer searches for the most frequent occurrences. A negative integer searches for the least frequent occurrences. You can specify a second integer to designate a minimum count threshold. The integer argument is optional. For example: rawmsg:dyn* | groupby srcipv4 10 1000 Returns the top ten srcipv4s which have at least 1000 occurrences. FireEye, Inc. 8 TAP User Guide tcp | groupby dstport 10 1000 Returns the 10 most frequent ports which also have counts greater than 1000 rawmsg:dyn* | groupby srcipv4 -10 Returns the top 10 scripv4s with the least number number of occurrences tcp | groupby dstport 110 1000 Returns the 10 least frequent ports which also have counts greater than 1000 Histogram To return the search results as a histogram (i.e., a graphical representation of the distribution of data), use the histogram transform. There are two types of histograms: l l Date histogram Field value histogram Date histogram has the following syntax: <search> | histogram eventtime interval] Where interval is one of the following: l l l l l l l l l l l ‘1d’ ‘1h’ ‘1w’ ‘day’ ‘hour’ ‘minute’ ‘month’ ‘quarter’ ‘week’ ‘year’ ‘datetime’ Field histogram has the following syntax: <search> | histogram keyword integer For example: tcp | groupby class | histogram bytes_in 500 Taxonomy Because log data within an environment varies widely, TAP imposes a high-level standardized view of events and normalizes the data. This allows you to craft queries and to interact with the data in a more predictable, standardized way, such as searching and creating rules. FireEye, Inc. 9 TAP User Guide Log data from each device is run through a parser if one is available. Parsers separate the data in events into fields and label though fields according to the taxonomy. The taxonomy names and defines types of data that appear in events. The TAP taxonomy serves as the “dictionary” for the TAP parsers that normalize the event data. TAP parses event data so that it is more easily compared and available to use as a pivot in searches. Meta-Classes and Classes Classes in the TAP taxonomy represent types of events or log sources. For example, a synthetic event created by an intel hit has the class “Intel_hit”. A meta-class is simply a generic class name that refers to events from one or more actual classes in TAP. Having meta-classes, allows you to refer to specific types of events without knowing in which class they actually exist. For example, if you have both Bluecoat HTTP proxies and a Palo Alto firewall with HTTP inspection enabled, your event data may have classes called “bluecoat” and “palo_alto_http”. Both contain similar data (i.e., logs of their own users browsing websites on the Internet). You can search either or both of these classes directly, but then you must remember to use a query like “class=bluecoat OR class=palo_alto_http”, which is more complicated and therefore they are more likely to make mistakes. Instead you can use the meta-class called http_proxy, which can reference records from both classes. In other words, the search “class=http_proxy” is the equivalent of “classs=bluecoat OR class=palo_alto_http”, but is easier to remember and type. Fields Field names in MQL queries consist of a string of letters and numbers. Each distinct field is the string up to a white space or a string within quotes “”. Field names are determined by the taxonomy. They are not case sensitive and can be either lowercase or uppercase. Fields containing strings that have not been normalized (i.e., parsed using a TAP parser against the taxonomy) will match only on the entire contents of the field. All parsed fields (i.e., fields designated by a TAP parser against the taxonomy) will match on partial values. All events in TAP (whether part of a class or meta-class) have the following fields: l l l l l l rawmsg rawmsgid rawmsghostip or rawmsghostipv6 rawmsgtimeutc class classid If the field does not apply to that event, that field is still present, but has no value. Please refer to the Master MAP Taxonomy v2.xlsx for a description of what these fields mean. FireEye, Inc. 10 TAP User Guide Aliases MQL Syntax recognizes aliases for field names. The alias searches for all fields that are designated as corresponding to that alias. Using an alias allows you to search for multiple fields at the same time without knowing the exact field name of each field. An alias will match on any field which it represents. Caution: We recommend using aliases sparingly. While this type of query may be useful, it is a time intensive query to run because the search must look for every field that the alias represents. Note: If you want to search for specific multiple field name, use a list instead. Aliases include: l l l l l l l IP, SRCIP, and DSTIP Host ID MAC Port Interface Hash For example: hash=[hash or MD5 or SHA1 or SHA256 or SHA512] IP, SRCIP, DSTIP The alias ‘ip’ references fields which contain IP addresses such as: l l l l l l l l l l l l l l rawmsghostipv4 (IPv4 address of the host sending the raw message) rawmsghostipv6 (IPv6 address of the host sending the raw message) ip (general purpose field for representing an IPv4 address that is only used when source or destination is either unclear or unknown) srcipv4 (IPv4 address of the source) srcipv6 (IPv6 address of the source) dstipv4 (IPv4 address of the destination) dstipv6 (IPv6 address of the destination) cidr (Classless Inter-Domain Routing (CIDR) notation) transsrcip (Translated IPv4 address of the source) transsdstip (Translated IPv4 address of the destination) defgw (Default gateway typically referenced in network events) ipmask (IP network mask) intnatip (Internal NAT IP address used in NAT logs) extnatip (External NAT IP address used in NAT logs) FireEye, Inc. 11 TAP User Guide l l l xfwdforip (X-forwarded-for header value, comman+ space delimited if more than one) callingsrcip (Source IP of a remote calling identity, typically observed in Windows event logs as calling address) targetip (Typically observed in host IDS/IPS, AV, and other logs when referencing a targeted system or user For example: ip=215.18.25.33 ip:215.18.25.0/24 Like IP, the alias ‘srcip’ references keywords that have directional orientation as being a source IP value of some sort such as: l l l l l rawmsghostipv4 (IPv4 address of the host sending the raw message) rawmsghostipv6 (IPv6 address of the host sending the raw message) srcipv4 (IPv4 address of the source) srcipv6 (IPv6 address of the source) transsrcip (Translated IPv4 address of the source) For example: srcip:25.18.25.33 Like IP, the alias ‘dstip’ references keywords that have directional orientation as being a destination IP value of some sort such as: l l l dstipv4 (IPv4 address of the destination) dstipv6 (IPv6 address of the destination) transsdstip (Translated IPv4 address of the destination) For example: dstip=215.18.25.33 Host The ‘host’ alias references all keywords for a hostname. You can search for the complete hostname or portion of a fully qualified hostname. HOST references such fields as: l l l l rawmsghostname (Hostname, when available, of the host sending the raw message. In some cases, this may be a log relay or forwarder.) targethost (Typically observed in IDS/IPS, AV, and other logs when referencing a targeted system or user) hostname (Hostname which is used whenever the source or destination is unclear or unknown) srchost (Hostname of the source machine when direction is known and/or relevant which typically resolve to srcip or srcipv6) FireEye, Inc. 12 TAP User Guide l l l l l l desthost (Hostname of the destination machine when direction is known and/or relevant which typically resolve to dstip or desipv6) server (Hostname for when srchost or dsthost do not apply such as a central management server, proxy, router serving a nondirectional role) node (Hostname for specific references to a node that is typically a sensor node) agent (Name of an agent) sensor (Name of a sensor) workstation (Name of workstation which is used only when hostname is already used and workstation is explicitly declared) For example: host=corp-12345 host:subdomain host=mycompany.com host:copr-12345.subdomain.mycompany.com ID The ‘id’ alias is a generic term for referencing all keywords that contain some type of ID. ID references such keywords as: l l l l l l l l l l l l l l l l l l l l classid (Class ID for event collection) eventid (Specific event identifier ) protoid (Numerical representation of a protocol (6=TCP, 17=UDP, 47=GRE, etc.) ) connectionid (Specific connection identifier) transactionid (Specific transaction identifier) sessionid (Specific session identifier) deviceid (Specific device identifier) agentid (Specific agent identifier ) accountid (Specific account identifier) uid (Used when a given user (i.e. joesample) also has a unique user ID or GUID (i.e., 9473)) gid (Specific group identifier) policyid (Specific policy identifier) portid (Specific port id or terminal port id ) pid (Specific process ID, typically used for application PIDs) ppid (Specific parent process ID, typically used for application PPIDs) ruleid (Rule or Signature ID containing a unique ID for a given rule or signature) referenceid (Specific reference ID relating 2 or more things together) requestid (Specific request ID, specifying the identifier of a given request) callid (Specific call identifier) handleid (Specific handle identifier, referring to process handle IDs) FireEye, Inc. 13 TAP User Guide l l l l l l l l l l l l operationid (Specific operation identifier) callinguid (User ID of a remote calling identity, typically observed in windows event logs as calling id cveid (Common Vulnerabilities and Exposures identifier, can be referenced by either reference number or year) processid (Specific process identifier) creatorprocessid (Specific creator process identifier) threadid (Specific thread identifier) stationid (Specific station identifier) fileid (Specific file identifier) parentfileid (Specific parent file identifier. In Bro logs, this is the identifier associated with a container file from which the child (fileid) was extracted as part of the file analysis) sentfileid (Sent File identifier, found in Bro http logs as the orig_fuids value, indicates the file identifier of a file pertaining to an originator) rcvdfileid. (Received File identifier, found in Bro http logs as the resp_fuids value, indicates the file identifier of a file pertaining to a receiver) lastalertid (In Bro ssl logs, the last_alert field is the last alert that was seen during the connection) For example: id:5649 MAC The ‘mac’ alias allows you to search for MAC regardless of hex value delimiter format and include such keywords as: l l l l mac (General purpose field for MAC address, used whenever) macoui (Organizationally Unique Identifier of a MAC address) srcmac (MAC address of the source when direction is known) dstmac (MAC address of the destination when direction is known) You can search by the OUI portion of the MAC address also. For example: mac=01:23:45:67:89:ab mac:01-23-45 Port The ‘port’ alias references keywords that contain a network port value such as: l l srcport (Source port number) dstport (Destination port number) FireEye, Inc. 14 TAP User Guide l l transsrcport (Translated source port number) transdstport (Translated destination port number) For example: port=80 Interface The ‘interface’ alias references keywords that contain a network interface value such as: l l l interface (Logical or physical network interface used for communications (eth0, eth1, etc) when orientation is unknown) localinterface (Local interface identifier, typcially network or firewall events specifying interface orientation) loreigninterface (Foreign interface identifier, typically network or firewall events specifying interface orientation) For example: (interface=eth0 or interface=eth1) and ip=22.33.44.55 Hash The ‘hash’ alias references keywords that contain a cryptographic hash value and can be used in cases where you have not memorized or do not know the specific cyrptographic hash algorithm used to generate the hash such as: l l l l l hash (General purpose field for storing any type of message digest hash value) MD5 (computed MD5 hash of an object) SHA1 (computed SHA1 hash of an object) SHA256 (computed SHA256 has of an object) SHA512 (computed SHA512 has of an object) For example: hash=24a938a1fcc5df0a7e78267aac0a41ca Intel Hit Searches Each intel hit creates a synthetic event with the class of “intel_hit”. To find all events that are intel hits, run the query class=intel_hit and select specific dates in the Search box. To further refine the intel_hits that the search returns: l l Type. To see the number of hits that are based on commodity and curated intelligence, use the query class=intel_hit | groupby type. Intelscore. To see the number of intel hits with an intelligence score (i.e., low, medium, high, or critical) use the query class=intel_hit | groupby intelscore FireEye, Inc. 15 TAP User Guide l Malware family. To show how many intel hits are from a specific intel malware family, use the query class=intel_hit | groupby intelmalwarefamily (replacing intelmalwarefamily with the family name) FireEye, Inc. 16 TAP User Guide Rules A TAP rule is a search query that is run automatically to locate matches (aka “hits”). When matches are found, the rule generates an alert based on the rule’s frequency and distinguishers. Threshold and time window options work together to determine the frequency with which the rule generates an alert. The threshold is the number of times that an rule must hit within the time window specified for an alert to be generated. For example, if the rule generates five hits (i.e., it matches five different events) within one hour then an alert is generated. A distinguisher is a field in an event that a rule uses to differentiate hits for the purpose of creating alerts. The distinguisher is typically a hostname or IP address but can be any field. In the case where there are multiple events referring to the same type of activity, you might want to have a single alert instead of multiple alerts. For example, you have a rule that detects RAR files being transferred over the network. You do not want an alert for each time a RAR file is transferred from the same host. By adding “scrip” (source IP) to the rule, then only one alert is generated for each host sending RAR files. You can also have a single rule generates multiple alerts based on its distinguishers. For example, a rule has two distinguishers: source IP and destination IP. For every combination of srcIP and dstIP found to match the rule criteria, TAP will create an alert. Each rule is assigned a unique ID for tracking. To be effective, some rules require events from specific types of log sources and the events must be parsed. There are two types of rules: l l FireEye-defined rules. FireEye experts create rules within rule packs to attempt to detect a wide range of malicious activities. Customer-defined rules. You can use custom-defined rules to detect events specific to your environment and organizational needs and generate alerts based on those rules. Rule Packs Rules are grouped together into Rule Packs. Rule Packs serve as containers for groups of rules. FireEye-defined rules are assigned to FireEye rules packs. Any rules that you define can only be assigned to rule packs that you define. To create a rule pack, select Rule Packs at the top of the Rules page then click Create New Rule Pack. On the Create New Rule Pack window, enter a name for the rule pack. FireEye, Inc. 17 TAP User Guide Once you have created a rule pack, you can assign a rule to it when the rule is created or by updating the rule. View Rules To view the details for a rule as well as its revision history, select View/Edit from the action menu when the rule is selected on the Rules page. Enable and Disable Rules Individual rules as well as all the rules within a rule pack can be enabled and disabled. If a rule is producing lots of false positive alerts, you may decide to disable. When displaying Rules, the Rules page indicates whether a rule is enabled or disabled. To change its status, select the Rule, click the action icon, and select either Enable or Disable. When displaying Rule Packs, the Rules page indicates the number of enabled and disabled rules within each rule pack. To change all the rules in a rule pack to either enabled or disabled, select the rule pack, click the action icon, and select Disable All or Enable All. Create User-Defined Rules There are two ways for you to create new rules in TAP: l l Create a rule on the Rules page Create a rule from a search on the Search bar When creating a rule, specify the following on the Create New Rule window: l l l l l Name Status of enabled or disabled Description Query. When creating a rule from the Search bar, the query will be the query used to find the search results. Distinguisher. A distinguisher is a field in an event that a rule uses to differentiate hits for the purpose of creating alerts. The distinguisher is typically a hostname or IP address but can be any field.In the case where there are multiple events referring to the same type of activity, you might want to have a single alert instead of multiple alerts. For example, you have a rule that detects RAR files being transferred over the network. You do not want an alert for each time a RAR file is transferred from the same host. By adding “scrip” (source IP) to the rule, then only one alert is generated for each host sending RAR files.You can also have a single rule generates multiple alerts based on its distinguishers. For example, a rule has two distinguishers: source IP and destination IP. For every combination of srcIP and dstIP found to match the rule criteria, TAP will create an alert. FireEye, Inc. 18 TAP User Guide l l l l Threshold as a number and time window as a number then select hours, minutes, or seconds as the amount of time. Threshold and time window options work together to determine the frequency with which the rule generates an alert. The threshold is the number of times that an rule must hit within the time window specified for an alert to be generated. For example, if the rule generates five hits (i.e., it matches five different events) within one hour then an alert is generated. Rule pack Confidence, which can be low, medium, or high, indicates how likely it is that the rule will detect events that correspond to the type of activity anticipated (i.e., likelihood that the rule will produce true positives). Severity, which can be low, medium, or high, indicates how much of an impact a hit with this rule could have on an organization if verified to be a true positive. The confidence and severity combine to form the risk attribute of the alert. Update User-Defined Rules FireEye-defined rules can be enabled or disabled but not updated. Any rules that you create can be enabled or disabled and updated. To update a rule that you have created, click Edit when viewing a rule. The options on the Update Rule window are the same as when a new rule is created. Delete Rules To delete a rule or a rule pack, select it on the Rules page and from the action menu, select Delete. Caution: This action cannot be undone. Deleting a rule pack deletes all the rules that are in that rule pack. Import and Export Rules Rules must be in .json format to be imported. To import a rule, when viewing rules on the Rules page, click Import to open the Import Rule window. You can either select a rule pack to which the new rule will be added or select the option to have the rule pack identified in the rule being imported. Choose a .json file to import. Rules are exported in .txt format. To export a rule, click Export when viewing the rule. FireEye, Inc. 19 TAP User Guide Alerts An alert is a notification that at least one event of interest has occurred. The event or events may have possible security impacts or may be of interest based on some other criteria that you have defined. Alerts can be considered possible candidates for incidents. Alerts originated from one of the following: l l l FireEye-defined rules User-defined rules Intel hits TAPS assigns each alert one of the following risk values: l l l l Critical High Medium Low Risk describes the overall potential risk to the organization if the alert is a true positive. It is typically used to prioritize alert verification and response activities. Suppress Alerts There may be situations in which you prefer not to see specific alerts; for example, alerts may continue to appear while an incident responder is actively engaged in responding to a potential compromise. TAP give you the option to suppress any alert’s that match an existing alert’s origin, trigger, and distinguishers for 1 hour, 12 hours, 24 hours, 2 days, 3 days, 1 week, 2 weeks, or 1 month. A suppressed alert does not appear anywhere in TAP. To suppress an alert, select the alert on the Alerts page and select Suppress from the action menu. On the Suppress Alert window, select a time frame. Add Alerts to Incidents After determining that an alert requires further action, you can convert it to an incident by using it to create a new incident. When an alert is added to an incident, the status of the alert changes to Closed. FireEye, Inc. 20 TAP User Guide Incidents An incident is a grouping of one or more events or alerts that combine to describe a situation that needs further investigation. An incident may contain multiple alerts. For example, a targeted attack by a single attacker may generate multiple alerts because different hosts across the environment were compromised but all those alerts could be added to a single incident that is then assigned to one person who leads the response. Incidents have the following characteristics: l l l l Priority. Like risks associated with alerts, priority can be critical, high, medium, or low to provide an indication of the order in which the incident should be examined in regards to other incidents. Classification. Classification provides a mechanism for labeling the type of incident and includes the following labels: testing/demonstration, unauthorized access, denial of service, malicious code, policy violation or poor practice, reconnaissance, phishing, and other. Status. Status designates the stage of the investigation and includes declared, scoped, contained, recovered, and improved. Assignee. Any TAP user can be designated as the assignee. Assigning an incident to one person avoids the issue of multiple people responding to the same issue and duplicating efforts unnecessarily. Create New Incident TAP has three ways to create a new incident: 1. Create an incident on the Incident page then manually add events 2. Select events based on search results and use those events to create a new incident 3. Convert an alert and its corresponding events into an incident To create an incident on the Incidents page, click Create New Incident. On the Create New Incident window, enter a name and description. Select the priority, classification, and initial status for the incident. Then add events to it. To create an incident using events from a search, on the Search page, select events from the Search results and click Add to Incident. The Create New Incident window opens with the associated events listed. Select create new incident then complete the name and description and select priority, classification, and initial status for the incident. To create an incident by using an alert and its associated events, select an alert and under the action menu click Add to Incident. The details for alert map to the details for the incident with risk for the alert mapping to priority for the incident. FireEye, Inc. 21 TAP User Guide Add Events to Existing Incident After running a search, you can add the events found to any existing incident. Select the events on the Search page and click Add to Incident. Select the incident to which you want to add the events. Assign Incident and Investigate Any user in TAP can be assigned to an incident. To designate an assignee for an incident, select it on the Incidents page and under the action icon select View/Edit. Select a new status from the drop-down menu. During the course of the investigation, you can also update the incident’s severity and classification if needed. To update an incident, select it on the Incidents page and under the action icon select View/Edit. Click Edit to open the Edit Incident window and make any needed changes. View Alert Details New alerts are displayed prominently in an Alert box on the Dashboard page. The Alerts page shows metrics on alerts such as the summary of active alerts and the highest daily number of alerts and average number of daily alerts as well as a list of alerts that you can filter by status. For each alert, additional details are available by clicking the action icon and selecting View Details. FireEye, Inc. 22 TAP User Guide
© Copyright 2024