Trellix Helix (formerly FireEye Helix) is Trellix’s XDR solution. It collects logs from many sources (endpoints, cloud, email, network, data) into its own data lake and lets us run advanced searches over the data lake fed from these sources. These searches can return the data we want from among millions, even billions, of events in a very short time. Helix uses MQL (Mandiant Query Language) for these searches.
Let’s do some index searches in Helix’s data lake.
Index Search Examples
This is where we will do our searches.
Example 0 (Attack example)
I call it Example 0 because it is not an introductory example, but rather an interesting attack example to keep our attention warm.
In this example, the MQL we wrote fetches events whose metaclass is http proxy, which have user agent information, whose user agent is not Mozilla, and which match the regex pattern I gave.
What matched is not a user agent string but a Bash Shellshock exploit code snippet, which attempts to exploit a vulnerability in the Bash shell that allows an attacker to execute arbitrary code on the target system. The exploit code defines a Bash function with the name of a Bash environment variable and then calls that function with the content “/bin/cat /etc/passwd”.
Example 1
An MQL query written to fetch all events containing “Google”.
Trick 1: If we type domain:google.com in the search field, it returns events whose domain field contains “google.com”.
Trick 2: If we search for domain=google.com, it returns only events whose domain field is exactly equal to “google.com”.
Example 2
Negate a result using “NOT” or “!”.
Example 3
Let’s write an MQL query that returns events containing infophp.php in the uri field, using a wildcard (*).
Example 4
Here I wanted to search only among network events by selecting the event type flow, and then have it return the events with more than 20000 packets sent.
Example 6
In this example, we wrote an MQL query that groups the events with event type http and http method delete by their domain names and returns their counts.
As the screenshot shows, by grouping on domain we can see on which domain the http delete operation was performed most.
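To make the Example 0 filter and the Example 6 grouping concrete off-platform, here is an added Python example (my own code, not Helix or MQL) that applies the same logic to a handful of constructed proxy events; the field names, the sample values and the Shellshock regex are assumptions, since the screenshots with the actual queries are not reproduced here.

```python
import re
from collections import Counter

# Constructed sample events (not real Helix data) carrying the fields the
# article's MQL searches filter on.
SAMPLE_EVENTS = [
    {"metaclass": "http proxy", "srcipv4": "10.0.0.5", "domain": "example.test",
     "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"},
    {"metaclass": "http proxy", "srcipv4": "10.0.0.9", "domain": "example.test",
     "useragent": "() { :; }; /bin/cat /etc/passwd"},
    {"metaclass": "http proxy", "srcipv4": "10.0.0.9", "domain": "api.example.test",
     "useragent": "() { :;}; /bin/cat /etc/passwd"},
    {"metaclass": "http proxy", "srcipv4": "10.0.0.7", "domain": "cdn.example.test",
     "useragent": "curl/8.4.0"},
    {"metaclass": "http proxy", "srcipv4": "10.0.0.8", "domain": "example.test"},
    {"metaclass": "dns", "srcipv4": "10.0.0.9", "domain": "example.test",
     "useragent": "() { :; }; /bin/cat /etc/passwd"},
]

# A Shellshock-style user agent begins with a Bash function definition,
# "() {", instead of a product token such as "Mozilla/5.0" or "curl/8.4.0".
SHELLSHOCK_UA_RE = re.compile(r"^\s*\(\)\s*\{")


def find_shellshock_proxy_events(events):
    """Equivalent of the Example 0 search: metaclass is http proxy, a user
    agent field is present, it is not a Mozilla agent, and it matches the
    regex. Returns the matching events unchanged."""
    hits = []
    for ev in events:
        if ev.get("metaclass") != "http proxy":
            continue
        ua = ev.get("useragent")  # "has user agent": the field must exist
        if ua is None or ua.startswith("Mozilla"):
            continue
        if SHELLSHOCK_UA_RE.search(ua):
            hits.append(ev)
    return hits


def group_by_count(events, field):
    """Equivalent of Example 6's grouping: count events per value of `field`,
    most frequent first, so the domain (or source) seen most stands out."""
    counts = Counter(ev[field] for ev in events if field in ev)
    return counts.most_common()


if __name__ == "__main__":
    hits = find_shellshock_proxy_events(SAMPLE_EVENTS)
    for value, n in group_by_count(hits, "domain"):
        print(f"{n:>3}  {value}")
```

Only the two http proxy events with a function-definition user agent survive the filter; the same payload seen in the dns event is excluded by the metaclass check, just as it would be in the Helix search.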
Example 7
We can also create our own table view with the columns we want.
Here is the table view we wrote:
In conclusion, we performed various easy searches on Trellix’s Helix XDR product, using the MQL language on the data lake that is fed from multiple sources. The results of these searches come back very quickly and offer many visualization options.
Stay tuned for my other articles.