Advanced configuration
Using Investigations
Working with Investigations
- What is the Investigations feature?
- Schema
- Using Metaevent Filters
- Setting up Investigations with Hadoop HttpFS
- Getting Investigations data via GCP/BigQuery
- Setting up Presto for Investigations
- Setting up Investigations with Hadoop
- Integrating External Data with Investigations Using Amazon S3 and Athena
- Investigations Sensitive Data Redactions
- Getting Investigations data via HDFS/Presto
- Getting Investigations data via S3/Athena
Investigations Examples
- Recent Outbound Host-Port Connections
- New Outbound Host Connections
- Running Containers and Container Lifespan
- What Commands Did Users Type By Host (History Evasion)
- Which Users Logged into Which Hosts
- Find Files Affected by Container
- Files and Processes Responsible for File State
- Child Process Activity Around Time of Alert
- Parent Process Activity Around Time of Alert
- Process Activity Around Time of Incident
- External-bound Network Traffic - IPv4 - With Allowed Exceptions
- External-bound Network Traffic - IPv6
- External-bound Network Traffic - IPv4
- Known Malicious Host
- Post incident investigation
MITRE Examples
- T1049 System Network Connection Discovery Program
- T1542.003 Bootkit
- T1069 Permission Group Discovery Program
- T1070.003 Clear Command History
- T1018 Remote System Discovery Policy
- T1136 Create Account - File
- T1136 Create Account - Program
- T1059 Command and Scripting Interpreter
- T1082 System Information Discovery - Program Blacklist
- T1053 Local Job Scheduling - File Write
- T1546.004 Bash Profile And Bashrc
- T1553.004 Install Root Certificate
- T1027.004 Compile After Delivery
- T1016 System Network Configuration Discovery - Program Blacklist
- T1046 Network Service Scanning
- T1040 Network Sniffing
- T1036.006 Space After Filename
- T1057 Process Discovery - Program Blacklist
- T1548.003 Sudo
- T1204 User Execution