Analyze Query Results

When you run a query in the Investigation screen, the columns in the results grid display various properties (Features and values) of each result. The Suspicion Icon indicates the number of suspicions associated with this Element. The Malop icon indicates the number of MalOps associated with this Element.

The Cybereason platform can potentially return a large number of results. Sorting through these results and finding the details that show malicious activity is an important part of hunting and investigating.

Sort and filter results

Once you have built and executed a query, you can sort the results or add additional filters to better analyze your data.

Sorting and filtering is useful when assessing distribution of various Feature values in a group of Elements, getting aggregated information for machines and user activity, viewing process execution order, and for many other activities.

Select the correct Element in the query builder

The platform displays the results by Element type. Unless you select a different Element, the results show the type of the last (right-most) Element in the query chain. Make sure you have the appropriate Element selected.

Filter by timeframe

The Timeline filter (created on/existed on) allows you to restrict results to items that were created or present within a specific time frame. The Timeline filter applies to all Elements in the query that have time-based components. This includes the Connection, LogonSession, MalopDetectionEvents, MalopProcess, and Process Elements. For example, if your query contains the Connection Element as well as the Process Element, the Timeline filter will consider the timestamp for both Elements when filtering by time.

Timeline

Use the buttons above the graph to quickly jump to a preset time frame (options include the last hour, 6 hours, 12 hours, or 24 hours, the last 3 or 7 days, or all data) or use the custom option. You can choose to include only items that were created within the time interval by selecting the Created radio button, or items that existed during that interval by selecting the Existed radio button. When you adjust the time frame, the results update to reflect your selection.

The bars on the Timeline represent the number of Elements that were created in the corresponding time frame.

Use the buttons to the right of the Timeline to zoom in, zoom out, or zoom to a specific selection.

Examples

Investigate processes on a machine in a given time frame

  1. Select the Machine Element.

  2. Type the name of the machine you want to investigate.

  3. Select the Processes Element.

  4. Use the Custom button in the Timeline to select a time frame.

  5. Click Get results.

Investigate connections to port 443 in the last 24 hours

  1. Select the Connection Element.

  2. Start typing in the search bar, or browse the filters for ‘Remote port’.

  3. Type 443 in the search bar.

  4. Select Last 24 hours from the Timeline dropdown menu.

  5. Click Get results.

  6. Group the results by Machine to investigate which machines connected to port 443 in the last 24 hours.

Look for trends in file downloads

  1. Select the Process Element.

  2. Start typing in the search bar, or browse the filters for ‘Downloaded from Internet’. The Cybereason platform populates the search bar with ‘is True’.

  3. Click Get results. The Timeline shows trends in files being downloaded from the internet.

Filter by Suspicion

The Suspicions tab on the top right of the Investigation screen is active for Elements that have associated suspicions.

Suspicions

When you select a suspicion, the results update to reflect your selection. The grid is grouped by the Elements affected by the suspicion you selected, and shows the number of times that suspicion appears, as well as the number of suspicions.

Suspicions Grid

Filter by specific value in the results

You can narrow down the results of an on-going query by selecting individual values from the results to add to the filter box. For example, you may want to filter by a specific command line value you see in the Command line column.

To add a specific value to the current query, use Alt/Cmd and click on the value in the query results grid. The value is added as a filter to the filter box. The following screenshot shows the result of performing Alt/Cmd + click on a specific SHA1 value in the query results. The SHA1 filter is added to the filter box for the current query.

Add Filter

Columns whose values you can add to the filter box with the Alt/Cmd + click command contain a tool tip indicated by the information icon.

Tool tip

Customize results view

Limit query results

The Cybereason platform limits the results returned by a specific query to optimize query processing. The Showing label above the results list specifies how many results were returned by the server and how many results are estimated to exist in the environment.

Query Estimates

Limiting the number of results minimizes duplicates and allows for more relevant results. It’s important to understand the result numbers to better tailor your sorting and filtering efforts.

For best performance, Cybereason recommends keeping the default query settings. If you need to change the result limits for any reason, follow these steps:

  1. Select the Limit results button.

  2. Change the maximum number of results, toggle sampling, or change the time limit for query processing:

    Up to n results
      Description: Specifies the maximum number of results to return with any single query.
      Default: 100
      Role required: L1, L2, L3

    Sample results
      Description: Ensures a diverse result set. Each Element type uses a sampling Feature to ensure that no more than 1% of the results belong to the same sample.
      Default: Enabled
      Role required: L3

    Time limit
      Description: Specifies the maximum amount of time, in seconds, for a query to process. If query processing exceeds the limit, Cybereason returns partial results, along with a message informing you that the results are not complete.
      Default: 120 seconds (2 minutes)
      Role required: L3

Important

Changing these defaults may have severe implications on server performance and its fail-safe mechanisms.

Customize results per page

From the bottom of the Investigation screen you can specify how many results to display per page. Options are 100, 500, 1000, 2000, or 4000. You can also navigate between pages.

Investigation pagination

Manage columns

Click Edit columns to select the relevant columns to view in the results grid. The available columns depend on the selected Element.

Examples

Investigate process execution times on a specific machine

  1. Select the Machine Element.

  2. In the search bar, type the name of the machine.

  3. Select the Processes Element.

  4. If the Creation time column is not present in the results grid, add it by clicking the Edit columns button.

  5. Click Get results.

  6. Group the results by Creation time to investigate when processes were executed.

Discover cumulative communication traffic for a set of machines

  1. Select the Connection Element.

  2. If the Owner machine, Transmitted bytes, and Received bytes columns are not present in the results grid, add them by clicking the Edit columns button.

  3. Click Get results.

  4. Group the results by Owner machine to investigate communication traffic.

Compare command-line distribution for a set of similar processes

  1. Select the Process Element.

  2. In the search bar, search for ‘cmd.exe’.

  3. If the Command line column is not present in the results grid, add it by clicking the Edit columns button.

  4. Click Get results.

  5. Group the results by the Command line column. The number in parentheses in the leftmost column is the number of instances with that particular command line.

Review the results

Once you have configured how you want the results to display, drill down into them. Review the following analysis areas to help guide your investigation:

Frequency

Frequency is often (although not always) an easy way to spot something out of the ordinary.

For example, when viewing process information, a process that runs on many machines is likely legitimate, such as an operating system process. An isolated process running on a single machine, however, may be worth investigating. The item may be benign, but it is a starting point.
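The grouping examples above (command-line distribution, cumulative traffic per Owner machine) and the frequency heuristic described here can also be applied offline to a CSV exported from the results grid. The following script is an added example, not Cybereason code; it assumes the export keeps the grid's column names ("Process name", "Owner machine", "Command line", "Remote port", "Transmitted bytes", "Received bytes"), and the sample rows are constructed for illustration.

```python
"""Offline grouping and frequency triage over exported results CSVs.

Added example, not Cybereason code. Assumes the exported CSV keeps the
grid's column names; all sample rows below are constructed, not real data.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict

# Constructed sample export of Process results (not real data).
PROCESS_EXPORT = """\
Process name,Owner machine,Command line
cmd.exe,WS-01,cmd.exe /c dir
cmd.exe,WS-02,cmd.exe /c dir
cmd.exe,WS-03,cmd.exe /c dir
cmd.exe,WS-01,cmd.exe /c echo hello
svchost.exe,WS-01,svchost.exe -k netsvcs
svchost.exe,WS-02,svchost.exe -k netsvcs
svchost.exe,WS-03,svchost.exe -k netsvcs
updater.exe,WS-02,updater.exe --silent
"""

# Constructed sample export of Connection results (not real data).
CONNECTION_EXPORT = """\
Owner machine,Remote port,Transmitted bytes,Received bytes
WS-01,443,1200,54000
WS-01,443,800,2000
WS-02,443,300,900
"""


def load_rows(export_text: str) -> list[dict]:
    """Parse CSV text into one dict per result row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(export_text)))


def group_by(rows: list[dict], column: str) -> list[tuple[str, int]]:
    """Mirror the grid's 'Group by <column>': each distinct value with its
    instance count (the number shown in parentheses), most frequent first."""
    counts = Counter(row[column] for row in rows)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def command_line_distribution(rows: list[dict], process_name: str) -> list[tuple[str, int]]:
    """Command-line distribution for one process name (the cmd.exe example)."""
    subset = [row for row in rows if row["Process name"] == process_name]
    return group_by(subset, "Command line")


def machines_per_process(rows: list[dict]) -> dict[str, set[str]]:
    """Map each process name to the set of machines it was seen on."""
    seen: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        seen[row["Process name"]].add(row["Owner machine"])
    return dict(seen)


def isolated_processes(rows: list[dict], max_machines: int = 1) -> list[str]:
    """Frequency heuristic: processes present on at most `max_machines`
    machines are starting points for a closer look, not verdicts, since a
    rare process is often benign."""
    prevalence = machines_per_process(rows)
    return sorted(name for name, hosts in prevalence.items() if len(hosts) <= max_machines)


def traffic_by_machine(rows: list[dict]) -> dict[str, tuple[int, int]]:
    """Cumulative (transmitted, received) bytes per Owner machine, as in the
    grouped Connection example."""
    totals: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for row in rows:
        totals[row["Owner machine"]][0] += int(row["Transmitted bytes"])
        totals[row["Owner machine"]][1] += int(row["Received bytes"])
    return {machine: (sent, received) for machine, (sent, received) in totals.items()}


if __name__ == "__main__":
    processes = load_rows(PROCESS_EXPORT)
    for cmdline, count in command_line_distribution(processes, "cmd.exe"):
        print(f"({count}) {cmdline}")
    print("isolated processes:", isolated_processes(processes))
    print("traffic by machine:", traffic_by_machine(load_rows(CONNECTION_EXPORT)))
```

The sort in `group_by` puts the most common value first, so the rare variants that the frequency heuristic cares about sit at the bottom of the list; `isolated_processes` counts distinct machines rather than instances, because one process spawning many times on a single host is still a single-host finding.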

Suspicious indicators

For every Element, the Cybereason CMC Engine notes the evidence or suspicions associated with the Element:

Indication of Evidence and suspicions for query results

Evidence and suspicions use proprietary detection rules to find questionable behaviors. If an Element has a large number of these, it gives you a point to explore further.

Element characteristics

For each result, the Element details show the properties of the Element and related Elements.

Using the results in the grid and the Element details, check whether the characteristics are what you expect.

Example of Element characteristics in the query results

Attack Tree

For Process Elements, you can view the Attack Tree which gives a chain of execution from start to finish. Analyze these processes to see if you see suspicious activity. For details on using the Attack Tree for analysis, see Hunt with the Attack Tree.

For details on other potential avenues of investigating Elements, see Analyze MalOps and Determine Threat Level.

Export results to a CSV file

Export your investigation query results using the Export CSV button on the top right of the results grid. Columns in the exported CSV file match the columns in the UI as shown during your browser session. As a result, details in the file may be out of sync with current server data.

In addition to the UI columns, the exported CSV includes a message noting if the column contains multiple items, for example, multiple processes.

You can ask Technical Support to configure items’ timestamps to be displayed in absolute time, in the format YYYY-MM-DD hh:mm:ss:000+hh:mm.

Customers with the new Data Platform infrastructure can configure how many results are exported (up to 80,000). To understand when the new Data Platform infrastructure will be available to you, please contact your Customer Success representative.
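Because an export may contain timestamps with different UTC offsets, sorting rows by the exported text can put processes in the wrong order. The following script is an added example, not Cybereason code; it assumes the absolute timestamp format documented above (reading the ":000" field as milliseconds is an assumption) and the grid column names "Owner machine", "Process name" and "Creation time". The sample rows are constructed.

```python
"""Parse the documented absolute timestamp format of an exported CSV and
reconstruct per-machine process execution order.

Added example, not Cybereason code. Assumes the format
YYYY-MM-DD hh:mm:ss:000+hh:mm (":000" read as milliseconds, an assumption)
and grid column names; the rows below are constructed, not real data.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

# Documented absolute format: %f accepts the three-digit millisecond field
# and %z accepts the "+hh:mm" offset (Python 3.7+).
ABSOLUTE_FORMAT = "%Y-%m-%d %H:%M:%S:%f%z"

# Constructed sample with mixed UTC offsets to show why text order misleads.
PROCESS_EXPORT = """\
Owner machine,Process name,Creation time
WS-01,outlook.exe,2024-05-01 09:15:30:000+02:00
WS-01,winword.exe,2024-05-01 08:00:00:000+00:00
WS-01,cmd.exe,2024-05-01 07:20:00:000+00:00
WS-02,explorer.exe,2024-05-01 06:59:59:500-01:00
"""


def parse_export_timestamp(value: str) -> datetime:
    """Turn an exported absolute timestamp into a timezone-aware datetime."""
    return datetime.strptime(value.strip(), ABSOLUTE_FORMAT)


def to_utc(value: str) -> datetime:
    """Normalize an exported timestamp to UTC so offsets compare correctly."""
    return parse_export_timestamp(value).astimezone(timezone.utc)


def is_absolute_timestamp(value: str) -> bool:
    """True if the cell matches the absolute format; any other text (for
    example a relative time, which is the default display) does not parse."""
    try:
        parse_export_timestamp(value)
        return True
    except ValueError:
        return False


def execution_order(export_text: str) -> dict[str, list[str]]:
    """Group rows by Owner machine and order each machine's processes by
    Creation time compared in UTC, not by the exported text."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_machine: dict[str, list[tuple[datetime, str]]] = {}
    for row in rows:
        by_machine.setdefault(row["Owner machine"], []).append(
            (to_utc(row["Creation time"]), row["Process name"]))
    return {machine: [name for _, name in sorted(entries)]
            for machine, entries in by_machine.items()}


if __name__ == "__main__":
    for machine, names in execution_order(PROCESS_EXPORT).items():
        print(machine, "->", " > ".join(names))
```

In the constructed sample, a plain text sort of the Creation time column would list cmd.exe before outlook.exe on WS-01, but outlook.exe started first once the +02:00 offset is applied; `is_absolute_timestamp` lets a script detect exports that still use the default relative display before attempting any time-based analysis.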

Investigate individual Elements

After you build and run a query, you can investigate each result in the results grid. When you select a result, the Element details screen opens and displays correlated data about the result.

Element Details Screen

Details for the selected Element are categorized differently depending on the Element. For example, if you view details for a logon session, the Details screen shows Properties, Reputation, Local Machine, and User sections.

Some of the information is clickable, enabling you to view specific details about that Element or to download a file.

Download files

In many cases, you can download files from the Element details screen to conduct a deeper investigation of the file locally. You can download any type of executable file; executables are downloaded in PE (Portable Executable) format.

To download and open a file:

  1. Access the Element details screen by clicking an Element in the results of an investigation.

  2. In the Element details screen select a file available for download and click Download 1 Element, as shown below.

    Download file from Details Screen

  3. Access the file by clicking the download icon in the top right of the Cybereason UI. The file downloads as a zip file containing a .METADATA file and a further password-protected zip file that contains the file you requested. To open the password-protected package, open the .METADATA file and use the password listed under “password for safe file access”. Read our Knowledgebase article for an example.

    When you open the downloaded archive, use a program, such as Zip or WinRAR, that lets you view the archive contents and enter a password as part of its standard use.

Note

You can download files up to 2 GB in size. To change the default file download size, consult Technical Support. If you have multiple Detection servers, the property must be updated on each server and each server must be restarted.

Process aggregation - sensor for Linux

In many environments, machines run multiple process instances that are very similar to each other, such as system daemon processes. Because Cybereason sensors send information about all of a machine’s processes to the Detection and WebApp servers, this can flood the system with large amounts of irrelevant data.

To address this issue, sensors running on Linux group similar process instances into an entity called an aggregated process. The Sensor sends the aggregated process to the Detection and WebApp servers. The results display the aggregated process instead of many similar processes. This reduces noise and helps analysts focus on relevant data. It can also improve performance by reducing network bandwidth and server data storage and processing.

By default, sensors aggregate processes based on a set of parameters. Technical Support can help you modify these parameters if needed.

The aggregated process appears in the query results like a regular process, with the following differences:

  • It does not have a PID.

  • The new Is Aggregated field has the value True.

  • It includes information in the columns Number of aggregated instances, Instances in last minute, and Time of last process in group.

Aggregated process in query results:

Aggregated Process

Process Details of aggregated process:

Aggregated Process