Malwarebytes Endpoint Detection and Response customers can use the Flight Recorder feature. This feature allows you to search event data captured from all of your Malwarebytes Endpoint Detection and Response managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 30 days to threat hunt or analyze how a compromise occurred in your environment.

This article explains how to search event data in the Flight Recorder section, and the types of data you can investigate in the search results. To view this section in the Nebula console, click Flight Recorder in the left-side navigation pane.

Search event data with Flight Recorder

The Flight Recorder page provides a Flight Recorder Search whose parameters and operators can be combined into detailed queries. The available search parameters are:

  • PC Hostname
  • User Account
  • Process Name
  • Process Path
  • Process ID
  • Command Line
  • Contacted IP Address
  • Contacted Domains
  • Written Files
  • Process MD5
  • Process SHA1
  • Process SHA256
  • Process SHA512
  • IP address or domain: the Network Events toggle must be enabled under Policy Settings before Contacted IP Address and Contacted Domains can be searched. To enable this setting, see: Configure Settings options in Malwarebytes Nebula.

The hash parameters (MD5, SHA1, SHA256, SHA512) match exact file contents only; a recompiled or trivially modified binary has a different hash. When hunting for variants of a tool, pair a hash search with Process Name, Process Path, or Command Line searches that use Contains or Starts With.

Flight Recorder Search operators include:

  • Equals To
  • Not Equals To
  • Contains
  • Not Contains
  • Starts With
  • Ends With

Flight Recorder Search also lets you choose how far back in time the query is applied. The available time ranges are:

  • Last 24 hours
  • Last 12 hours
  • Last 6 hours
  • Last hour
  • Last 30 minutes
  • Custom (any window within the 30-day retention period)

Investigate information displayed by Flight Recorder

The information shown from a Flight Recorder Search is intended for retrospective analysis and investigation, and for identifying which of your endpoints ran, or are related to, the processes you searched for. These results inform your decision about what action is appropriate for your environment. The results display in the Types of Events bar graph and in a corresponding list of endpoints in the Endpoints table.

Types of Events graph

The Types of Events bar graph shows the total number of events matching your search query across the time frame you specified. The color-coded bars show which event types were found by the query. Hover your cursor over each bar to see the total number of that event type across your endpoints. The events are broken down into:

  • Process: Shown as purple.
  • Registry: Shown as yellow.
  • FileSystem: Shown as blue.
  • Network: Shown as orange.

Endpoints table

Below the Types of Events graph is the corresponding Endpoints table. This table lists the endpoints that have events matching your search query, one row per endpoint, with the following columns:

  • Endpoint: The name of the endpoint. Click the filter icon to narrow the results list to a specific endpoint.
  • OS Type: The operating system of the endpoint.
  • Group: The endpoint's group.
  • Policy: The endpoint's policy.
  • First Seen: Time stamp of the earliest matching event on the endpoint.
  • Last Seen: Time stamp of the most recent matching event on the endpoint.
  • Events: The types of events found by Flight Recorder. Hover your cursor over the color-coded icons to see the number of each event type. Colors correspond with the Types of Events graph.
  • Suspicious Activity: If the endpoint has a suspicious activity detection, click the icon to go to the Suspicious Activity Details page for more information.

If you believe an endpoint is a risk to your network, check the box next to it and select Isolate Endpoint(s) from the Actions drop-down menu in the top right; Remove Isolation is available from the same drop-down. To investigate further, click an endpoint to open the Process Information pop-up window.
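The following Python model is an added example, not Malwarebytes code and not the Nebula API. It reproduces the search described in this article (the listed parameters, the six operators and a time range) and the two result views from this section (the Types of Events counts and the Endpoints table rows with First Seen, Last Seen and per-type counts) over a few constructed telemetry records. The record layout, the AND-combination of conditions, the case-insensitive matching, and the sample hosts, users, paths and hashes are all assumptions made for illustration.

```python
"""Added model of a Flight Recorder-style search over endpoint telemetry.

Not Malwarebytes code: the record layout, AND-combination of conditions and
case-insensitive matching are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
EVENT_TYPES = ("Process", "Registry", "FileSystem", "Network")


@dataclass(frozen=True)
class Event:
    """One captured telemetry record; field names follow the search parameters."""
    endpoint: str               # PC Hostname
    user: str                   # User Account
    ts: datetime
    kind: str                   # one of EVENT_TYPES
    process_name: str
    process_path: str
    pid: int
    command_line: str
    sha256: str
    contacted_ip: str = ""      # Network events only
    contacted_domain: str = ""  # Network events only
    written_file: str = ""      # FileSystem events only


# Constructed sample telemetry (hosts, users, hashes and paths are made up):
# an encoded PowerShell launch on WS-01 that then connects out and drops a file,
# a benign PowerShell script on WS-02, and a two-day-old cmd.exe on WS-03.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_CMD = "powershell.exe -nop -w hidden -enc SQBFAFgA"
H1, H2 = "aa" * 32, "bb" * 32
EVENTS = [
    Event("WS-01", "CORP\\alice", NOW - timedelta(minutes=45), "Process", "powershell.exe", PS, 4120, ENC_CMD, H1),
    Event("WS-01", "CORP\\alice", NOW - timedelta(minutes=19), "Network", "powershell.exe", PS, 4120, ENC_CMD, H1,
          contacted_ip="203.0.113.10", contacted_domain="cdn.example.net"),
    Event("WS-01", "CORP\\alice", NOW - timedelta(minutes=18), "FileSystem", "powershell.exe", PS, 4120, ENC_CMD, H1,
          written_file=r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    Event("WS-02", "CORP\\bob", NOW - timedelta(hours=5), "Process", "powershell.exe", PS, 908,
          r"powershell.exe -File C:\scripts\backup.ps1", H1),
    Event("WS-02", "CORP\\bob", NOW - timedelta(hours=5), "Registry", "powershell.exe", PS, 908,
          r"powershell.exe -File C:\scripts\backup.ps1", H1),
    Event("WS-03", "CORP\\carol", NOW - timedelta(days=2), "Process", "cmd.exe", r"C:\Windows\System32\cmd.exe",
          1504, "cmd.exe /c whoami", H2),
]

# Search parameters from the article mapped onto record attributes.
FIELDS = {
    "PC Hostname": "endpoint", "User Account": "user", "Process Name": "process_name",
    "Process Path": "process_path", "Process ID": "pid", "Command Line": "command_line",
    "Contacted IP Address": "contacted_ip", "Contacted Domains": "contacted_domain",
    "Written Files": "written_file", "Process SHA256": "sha256",
}

# The six search operators; both sides are compared lower-cased (assumption).
OPERATORS = {
    "Equals To": lambda v, q: v == q,
    "Not Equals To": lambda v, q: v != q,
    "Contains": lambda v, q: q in v,
    "Not Contains": lambda v, q: q not in v,
    "Starts With": lambda v, q: v.startswith(q),
    "Ends With": lambda v, q: v.endswith(q),
}

TIME_RANGES = {
    "Last 24 hours": timedelta(hours=24), "Last 12 hours": timedelta(hours=12),
    "Last 6 hours": timedelta(hours=6), "Last hour": timedelta(hours=1),
    "Last 30 minutes": timedelta(minutes=30), "Last 30 days": timedelta(days=30),  # retention limit
}


def search(events, conditions, time_range, now=NOW):
    """Events inside the time range that satisfy every (parameter, operator, value) condition."""
    since = now - TIME_RANGES[time_range]
    return [
        ev for ev in events
        if ev.ts >= since and all(
            OPERATORS[op](str(getattr(ev, FIELDS[param])).lower(), str(value).lower())
            for param, op, value in conditions
        )
    ]


def types_of_events(hits):
    """Per-type totals, i.e. the bars of the Types of Events graph."""
    counts = Counter({t: 0 for t in EVENT_TYPES})
    counts.update(ev.kind for ev in hits)
    return dict(counts)


def endpoints_table(hits):
    """One row per endpoint: First Seen, Last Seen and the per-type counts shown under Events."""
    rows = {}
    for ev in hits:
        row = rows.setdefault(ev.endpoint, {"first_seen": ev.ts, "last_seen": ev.ts, "events": Counter()})
        row["first_seen"] = min(row["first_seen"], ev.ts)
        row["last_seen"] = max(row["last_seen"], ev.ts)
        row["events"][ev.kind] += 1
    return rows


if __name__ == "__main__":
    # Hunt: powershell.exe launched with an encoded command, over two time windows.
    query = [("Process Name", "Equals To", "powershell.exe"), ("Command Line", "Contains", "-enc")]
    for window in ("Last 24 hours", "Last 30 minutes"):
        hits = search(EVENTS, query, window)
        print(window, types_of_events(hits))
        for host, row in endpoints_table(hits).items():
            print(" ", host, row["first_seen"].time(), row["last_seen"].time(), dict(row["events"]))
```

Running the hunt for powershell.exe with a command line containing -enc over the last 24 hours returns three events on WS-01 (Process, Network, FileSystem) and nothing on WS-02, whose PowerShell ran a script file. Narrowing the same query to Last 30 minutes drops the process-start event and moves First Seen later, which is why a wide window is the better starting point when reconstructing how a compromise began; the hash query shows that one SHA256 can legitimately appear on many endpoints, so the hash alone does not separate the suspicious launch from the benign one.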

Process Information

When you click an endpoint in your Flight Recorder search results, the Process Information pop-up window slides into view. It shows the events detected on that endpoint in more detail to inform your decision making. You can perform the Analyze File action for any process or file in this window; this submits the file to the sandbox analysis section for review. For more information, see Sandbox Analysis in Malwarebytes Nebula.

The Process Information displays information in the following columns:

  • Process Path: The name and location of the process found by Flight Recorder. Click a process path to view a visual representation of the selected process. Each node is selectable, with slide-out details that include the Raw Event info. This is the same Process Graph used on the Suspicious Activity Details page; for details, see Suspicious Activity Details in Malwarebytes Endpoint Detection and Response.
  • First Seen: Time stamp of the earliest event recorded for the process.
  • Last Seen: Time stamp of the most recent event recorded for the process.
  • PID: The number that identifies a running process on an endpoint. PIDs are reused once a process exits, so when correlating events use the PID together with First Seen and the SHA256 rather than on its own.
  • SHA256: The SHA256 hash of the file, if available.
  • Virus Total: If the event has a SHA256 value, a Check Now link displays in the Virus Total column. Click the link to open VirusTotal in a new browser tab; it looks up that hash and shows whether third-party antivirus engines have flagged the file, which can help you decide whether the event is a false positive. A hash VirusTotal has never seen returns no result, which is not the same as a clean verdict. NOTE: VirusTotal is a third-party website not associated with Malwarebytes. For information, see VirusTotal's Terms of Service.
  • Events: The types of events found by Flight Recorder. Hover your cursor over the color-coded icons to see the number of each event type. Colors correspond with the Types of Events graph.

Return to the Malwarebytes Nebula Administrator Guide.

  • Click HERE to view the manual in Spanish.
  • Click HERE to view the manual in Portuguese.

Source: Official Malwarebytes Brand
Edited by: BEST Antivirus KBS Team
