Events database threat hunting

When managing the program web interface, you can generate search queries and use IOC files to search the events database for threats, for tenants to whose data you have access.

To form search queries through the events database, you can use design mode or source code mode.

In design mode, you can create and modify search queries using drop-down lists with options for the type of field value and operators.

In source code mode, you can create and modify search queries using text commands.

You can upload an IOC file and search for events based on conditions defined in this IOC file.

Users with the Senior security officer, Security officer roles can also create TAA (IOA) rules based on event search conditions.

Searching events in source code mode

To define event search conditions in source code mode:

1. Select the Threat Hunting section, Source code tab in the program web interface window.

   This opens a form containing the field for entering event search conditions in source code mode.

2. Enter the event search conditions using commands, the logical operators OR and AND, and parentheses for creating groups of conditions.

   Commands must match the following syntax: <field type> <comparison operator> <field value>.

   Example: EventType = "filechange" AND ( FileName CONTAINS "example" OR UserName = "example" )

3. If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
   • Any time, if you want the table to display events found for any period of time.
   • Last hour, if you want the table to display events that were found during the last hour.
   • Last day, if you want the table to display events found during the last day.
   • Custom range, if you want the table to display events found during the period you specify.
4. If you selected Custom range:
   1. In the calendar that opens, specify the start and end dates of the event display range.
   2. Click Apply.

   The calendar closes.

5. Click Search.

   The table of events that satisfy the search criteria is displayed.

   If you are using the

   distributed solution and

   

   Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

   

   Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

   multitenancy mode

   

   Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

   

   Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

   , found events are grouped in tiers: Server – Tenant names – Server names.

6. Click the name of the server for which you want to view events.

The host table of the selected server is displayed. Event grouping levels are displayed above the table.

Searching events in design mode

To define event search conditions in design mode:

1. Select the Threat Hunting section, Builder tab in the program web interface window.

   This opens the event search form.

2. In the drop-down list, select an event search criterion.

   Available event search criteria

   • Under General details:
     • Host is the host name.
     • HostIP is the IP address of the host.
     • EventType is the type of the event.
     • UserName is the name of the user.
     • OsFamily is the family of the operating system.
     • OsVersion is the version of the operating system being used on the host.
   • Under TAA properties:
     • IOAId is the TAA (IOA) rule ID.
     • IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
     • IOATechnique is the MITRE technique.
     • IOATactics is the MITRE tactic.
     • IOAImportance is the importance level that is assigned to an event generated using this TAA (IOA) rule.
     • IOAConfidence is the level of confidence depending on the likelihood of false alarms caused by the rule.
   • Under File properties:
     • CreationTime is the event creation time.
     • FileName is the name of the file.
     • FilePath is the path to the directory where the file is located.
     • FileFullName is the full path to the file. Includes the path to the directory and the file name.
     • ModificationTime is the file modification time.
     • FileSize is the size of the file.
     • MD5 is the MD5 hash of the file.
     • SHA256 is the SHA256 hash of the file.
     • SimilarDLLPath is the next DLL on the search path. A malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL.
   • Under Linux processes:
     • LogonRemoteHost is the IP address of the host that initiated remote access.
     • RealUserName is the name of the user assigned when the user was registered in the system.
     • EffectiveUserName is the user name that was used to log in to the system.
     • Environment is system environment variables.
     • ProcessType is the type of the process.
     • OperationResult is the type of the operation.
   • Under Process started:
     • PID is the process ID.
     • ParentFileFullName is the path to the parent process file.
     • ParentMD5 is the MD5 hash of the parent process file.
     • ParentSHA256 is the SHA256 hash of the parent process file.
     • StartupParameters is the options that the process was started with.
     • ParentPID is the parent process ID.
   • Under Remote connection:
     • HTTPMethod is the HTTP request method. For example, Get, Post, or Connect.
     • ConnectionDirection is the direction of the connection (inbound or outbound).
     • LocalIP is the IP address of the local computer from which the remote connection attempt was made.
     • LocalPort is the IP address of the local computer from which the remote connection attempt was made.
     • RemoteHostName is the name of the computer that was the target of the remote connection attempt.
     • RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
     • RemotePort is the port of the computer that was the target of the remote connection attempt.
     • URl is the address of the resource to which the HTTP request was made.
   • Under Registry modified:
     • RegistryKey is the registry key.
     • RegistryValueName is the name of the registry value.
     • RegistryValue is the data of the registry value.
     • RegistryOperationType is the type of the operation with the registry.
     • RegistryPreviousKey is the previous registry key.
     • RegistryPreviousValue is the previous name of the registry value.
   • Under System event log:
     • WinLogEventID is the type ID of the security event in the Windows log.
     • LinuxEventType is the type of the event.
     • WinLogName is the name of the log.
     • WinLogEventRecordID is the log entry ID.
     • WinLogProviderName is the ID of the system that logged the event.
     • WinLogTargetDomainName is the domain name of the remote computer.
     • WinLogObjectName is the name of the object that initiated the event.
     • WinlogPackageName is the name of the package that initiated the event.
     • WinLogProcessName is the name of the process that initiated the event.
   • Under Detect and processing result:
     • DetectName is the name of the detected object.
     • RecordID is the ID of the triggered rule.
     • ProcessingMode is the scanning mode.
     • ObjectName is the name of the object.
     • ObjectType is the type of the object.
     • ThreatStatus is the detection mode.
     • UntreatedReason is the event processing status.
     • ObjectContent (for AMSI events too) is the content of the script sent for scanning.
     • ObjectContentType (for AMSI events too) is the type of script content.
   • Under Console interactive input:
     • InteractiveInputText is the text entered on the command line.
     • InteractiveInputType is the input type (console or pipe).
   • Under File changed:
     • FileOperationType is the type of the file operation.
     • FilePreviousPath is the path to the directory where the file was previously located.
     • FilePreviousFullName is the full name of the file including the path to the directory where the file was previously located and/or the previous file name.
     • DroppedFileType is the type of the modified file.
3. In the drop-down list, select a comparison operator.

   Available comparison operators

   • =
   • !=
   • CONTAINS
   • !CONTAINS
   • STARTS
   • !STARTS
   • ENDS
   • !ENDS
   • >
   • <

   Each type of value of the field has its own relevant set of comparison operators. For example, when the EventType field value type is selected, the = and != operators will be available.

4. Depending on the selected type of field value, perform one of the following actions:
   • In the field, specify one or several characters by which you want to perform an event search.
   • In the drop-down list, select the field value option by which you want to perform an event search.

   For example, to search for a full match based on a user name, enter the user name.

5. If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
6. If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
7. If you want to delete a group of conditions, click the Remove group button.
8. If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
   • Any time, if you want the table to display events found for any period of time.
   • Last hour, if you want the table to display events that were found during the last hour.
   • Last day, if you want the table to display events found during the last day.
   • Custom range, if you want the table to display events found during the period you specify.
9. If you selected Custom range:
   1. In the calendar that opens, specify the start and end dates of the event display range.
   2. Click Apply.

   The calendar closes.

10. Click Search.

    The table of events that satisfy the search criteria is displayed.

    If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.

11. Click the name of the server for which you want to view events.

The host table of the selected server is displayed. Event grouping levels are displayed above the table.

Sorting events in the table

You can sort events in the table by the Event time, Event type, Host, and User name columns.

To sort events in the event table:

1. Select the Threat Hunting section in the program web interface window.

   This opens the Threat Hunting window.

2. Define the criteria for searching events in design mode or source code mode.

   The table of events that satisfy the search criteria is displayed.

3. If you want to sort events by time, click one of the icons to the right of the Event time column name:
   •   to display newer events at the top of the table.
   •   to display older events at the top of the table.
4. If you want to sort events by the event type name, click one of the icons to the right of the Event type column heading:
   •   to sort alphabetically, A–Z.
   •   to sort alphabetically, Z–A.
5. If you want to sort events based on the names of host on which the alerts were generated, click one of the icons to the right of the Host column name:
   •   to sort alphabetically, A–Z.
   •   to sort alphabetically, Z–A.
6. If you want to sort events based on the user names of hosts, click one of the icons on the right of the User name column name:
   •   to sort alphabetically, A–Z.
   •   to sort alphabetically, Z–A.
7. If you want to group events based on the names of hosts or by the event type name, click one of the values in the Group by drop-down list:
   • Group by host name if you want to group events by the names of hosts.
   • Group by event type if you want to group events by the names of event types.

   If events were sorted by the Host or Event type field, the sorting result is cleared when events are grouped by a similar attribute. To return to the sorting results, select the Group by value from the Group by drop-down list.

By default, events in the table are sorted by time, with the newest events at the top of the table.

You can sort events based on one attribute only.

When sorting by event type in a foreign language, events are sorted based on the internal name of the event type in English.

Changing the event search conditions

To change the event search conditions, perform the following actions in the Threat Hunting section of the program web interface window:

1. Click the form containing the event search conditions in the upper part of the window.
2. Select one of the following tabs:
   • Builder, if you want to change the event search conditions in design mode.
   • Source code, if you want to change the event search conditions in source code mode.
3. Make the relevant changes.
4. Click one of the following buttons:
   • Refresh, if you want to refresh the current event search with the new conditions.
   • New search, if you want to perform a new event search.

The table of events that satisfy the search criteria is displayed.

Searching events by processing results in EPP programs

To search events by processing results in

1. Select the Threat Hunting section, Builder tab in the program web interface window.

   This opens the event search form.

2. To search events by processing status:
   1. In the search criteria drop-down lost in the Detect and processing result group, select ThreatStatus.
   2. In the drop-down list of comparison operators, select one of the following options:
      • = (equals)
      • != (does not equal)
   3. In the drop-down list of event processing status, select one of the following options:
      • Object clean.
      • Object disinfected.
      • False positive.
      • Object added by user.
      • Object added to exclusions.
      • Object deleted.
      • Object quarantined.
      • Object not found.
      • Object rolled back.
      • Object cannot be processed.
      • Object not processed.
      • Processing terminated.
      • Unknown.
3. To search events by reasons why they were not processed:
   1. In the search criteria drop-down lost in the Detect and processing result group, select UntreatedReason.
   2. In the drop-down list of comparison operators, select one of the following options:
      • = (equals)
      • != (does not equal)
   3. In the drop-down list of reasons why the events were not processed, select one of the following options:
      • Object already processed.
      • Application is running in Report only mode.
      • Failed to back up object.
      • Failed to copy object.
      • Device not ready.
      • Object blocked.
      • No rights to perform action.
      • Object not curable.
      • Object not overwritable.
      • Object not found.
      • No free space on disk.
      • Processing canceled.
      • Processing postponed.
      • Processing task stopped.
      • Error reading data.
      • Reason unknown.
      • Object is critical system.
      • Data write error.
      • Data write not supported.
      • Object write-protected.
4. If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
5. If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
6. If you want to delete a group of conditions, click the Remove group button.
7. If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
   • Any time, if you want the table to display events found for any period of time.
   • Last hour, if you want the table to display events that were found during the last hour.
   • Last day, if you want the table to display events found during the last day.
   • Custom range, if you want the table to display events found during the period you specify.
8. If you have selected the Custom range display period for found events:
   1. In the calendar that opens, specify the start and end dates of the event display range.
   2. Click Apply.

   The calendar closes.

9. Click Search.

The table of events that satisfy the search criteria is displayed.

Uploading an IOC file and searching for events based on conditions defined in the IOC file

To upload an IOC file and search for events based on conditions defined in that IOC file:

1. Select the Threat Hunting section in the program web interface window.

   This opens the event search form.

2. Click Import.

   This opens the file selection window.

3. Select the IOC file that you want to upload and click the Open button.

   The IOC file will be uploaded.

   On the Source code tab, the form containing event search conditions will display the conditions defined in the uploaded IOC file.

   You can search for events that match these conditions. You can also change the conditions defined in an uploaded IOC file, or add event search conditions in source code mode.

4. If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
   • Any time, if you want the table to display events found for any period of time.
   • Last hour, if you want the table to display events that were found during the last hour.
   • Last day, if you want the table to display events found during the last day.
   • Custom range, if you want the table to display events found during the period you specify.
5. If you have selected the Custom range display period for found events:
   1. In the calendar that opens, specify the start and end dates of the event display range.
   2. Click Apply.

   The calendar closes.

6. Click Search.

An event table is displayed that corresponds to criteria specified in the IOC file.

Creating a TAA (IOA) rule based on event search conditions

To create a TAA (IOA) rule based on event search conditions:

1. Select the Threat Hunting section in the program web interface window.

   This opens the event search form.

2. Perform an event search in design mode or source code mode.
3. Click Save as TAA (IOA) rule.

   This opens the New TAA (IOA) rule window.

4. In the Name field, type the name of the rule.
5. Click Save.

The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

• IOAId.
• IOATag.
• IOATechnique.
• IOATactics.
• IOAImportance.
• IOAConfidence.

At the time of saving the user-defined TAA (IOA) rule, the program might not have any events containing data for these fields. When events with this data turn up, the user-defined TAA (IOA) rule that you have created earlier will be unable to mark events by these fields.

Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.