Use Query Results Limits in Investigations - Tutorial

This tutorial explains how to utilize query result limits for your investigation queries.

In this tutorial, you create a query to investigate all browser activity. In this scenario, instead of running separate queries - each with a separate filter for a suspicious behavior for which you want to hunt - you create a query for all browser activities, and add columns in the results for the Features about which you want to have visibility.

However, because browsers are used so frequently, this query can potentially return a very large number of records. You can add limits to keep the results list at a size you can actually work through.

The sample results displayed in this tutorial represent a demonstration environment. Your environment will contain different results, but you can still practice the steps in a meaningful way in your environment.

Build and run the query

In this scenario, you build a very simple query, and then add columns.

  1. In your Cybereason platform, navigate to the Investigation screen.

  2. In the Investigation screen, in the query builder, add a Process Element.

  3. Below the Process Element, in the Search for filters field, enter Product type and select it from the dropdown list.

  4. Select is.

  5. From the list of possible values, select Browser.

    [Figure: Sample query for the results limits tutorial]

  6. Below the Search for filters field, click Edit columns.

  7. In the Edit columns dialog box, in the upper right corner, in the Search all columns field, enter Has opened socket.

  8. Select the Has opened socket option.

  9. Follow the previous two steps to add additional columns for:

    • Has Malicious Connection

    • Rare remote address evidence

    • High Data Transmitted

    • Many internal connections

    You can use numerous other columns (Features) as desired.

    [Figure: Selected columns for sample query]

  10. Click Get results.

The Cybereason platform runs the query. Depending on how many sensors you have in your environment, this query may take some time to return results.

Add query results limits

After you run the query, you receive a large number of results, more than you can probably analyze. To help with this, you can add query limits:

  1. Above the results list, click Limit results. The Limit results dialog box opens.

    [Figure: Query limits dialog box]

  2. In the Limit results dialog box, adjust the results limit slider to 10k. This ensures that the Cybereason platform only returns 10,000 total results (although there may be more).

  3. Below the slider, select Sample results. This option enables the Cybereason platform to sample groups of very similar results up to 1% of the total number of results instead of returning all similar results. This frees up the platform to return more unique results.

  4. Below the Sample results option, add a time limit of 90 seconds. This ensures that the results only include data from sensors that returned information within a 90 second period. Setting a timeout period ensures that you do not overload your server for such a broad query.

  5. Click Apply. The Cybereason platform returns the results based on the new criteria.

As you adjust the criteria, you should see a difference in the number of results.
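To see why the Sample results option makes a difference, here is a small added illustration (not Cybereason's own code) that models the two controls from the dialog: a total result limit and a per-group sample cap of 1% of the total number of results. The record layout, the similarity key used to group records, and the counts in the constructed sample are all assumptions made for the demonstration.

```python
from collections import defaultdict
from math import ceil


def build_sample_results():
    """Constructed sample data: (process name, similarity key) pairs.
    Records that share a key are 'very similar results' in the sense of the
    Limit results dialog, e.g. the same browser binary opening sockets to the
    same hosts. The counts are assumptions, not data from any real sensor."""
    records = []
    # one huge group of near-identical chrome records
    records += [("chrome.exe", "chrome-opened-socket") for _ in range(5000)]
    # a medium group of firefox records
    records += [("firefox.exe", "firefox-opened-socket") for _ in range(100)]
    # a handful of unique records (rare remote addresses) the analyst cares about
    records += [("msedge.exe", f"edge-rare-remote-{i}") for i in range(20)]
    return records


def apply_limits(records, total_limit, sample=False, sample_fraction=0.01):
    """Simplified model of the Limit results dialog.

    Without sampling, the platform simply stops after total_limit records.
    With sampling, each group of similar records contributes at most
    sample_fraction (1% by default) of the total number of results, which
    leaves room under total_limit for records from other groups."""
    if not sample:
        return records[:total_limit]
    per_group_cap = max(1, ceil(len(records) * sample_fraction))
    seen = defaultdict(int)
    kept = []
    for rec in records:
        key = rec[1]
        if seen[key] >= per_group_cap:
            continue  # this group is already represented; skip the duplicate
        seen[key] += 1
        kept.append(rec)
        if len(kept) >= total_limit:
            break
    return kept


def distinct_groups(records):
    """How many different kinds of result survived the limits."""
    return len({key for _, key in records})


if __name__ == "__main__":
    data = build_sample_results()
    plain = apply_limits(data, 1000)
    sampled = apply_limits(data, 1000, sample=True)
    print(len(plain), distinct_groups(plain))      # 1000 records, 1 group
    print(len(sampled), distinct_groups(sampled))  # 124 records, 22 groups
```

With the plain limit the first 1,000 rows are all the same chrome activity and the 20 rare-remote-address records never appear; with sampling on, every group is represented within the same cap.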

Limit results by time

In addition to filtering result totals, you can also limit (or filter) results by time.

To limit results by time, follow these steps:

  1. Above the results grid, to the right of the query builder, locate the Timeline section.

  2. In the Timeline section, select Existed.

    [Figure: Filter results by time]

  3. Next to the Existed option, select Last week. This instantly revises the results to show only those that existed in the past week. If you run the query on a regular basis, this option enables you to view only the most up-to-date results instead of reviewing results you previously analyzed.

    [Figure: Find results in the last week]

  4. Use these time-based filters to help you narrow and analyze only the most meaningful results.