Advanced Query

Advanced Query provides a powerful interface that enables you to query your event data ingested into the Samurai platform. For instance, you can query for matching events which were logged or triggered in the past in order to fully understand the context.

After a threat has been responded to, Advanced Query can also play an important role in the forensic investigation of the threat, in order to determine both its extent and the sequence of events which occurred.

Advanced Query provides a very flexible interface which is based on Microsoft’s Kusto Query Language (KQL). This means that you can perform tasks ranging from simplistic queries all the way through to complex and powerful threat hunts in search of evasive threats.

The Advanced Query interface provides you with a graphical view showing the distribution of query matches over time. This allows you to easily spot deviations from the norm, and to identify the time when important events occurred.

intro_advancedquery.png

Some examples of the functionality provided by Advanced Query include:

  • Ability to use the KQL query language to cover simplistic searches across your data to running complex queries in support of Threat Hunting activities. 
  • Ability to query the Samurai data lake for events over the entirety of your full retention period.
  • Ability to provide a time-based visualization of the results matching your query enabling you to spot deviations from normal activity.
  • Ability to easily filter in/filter out values.
  • Ability to easily drill in and out using a graph of the overview, enabling you to quickly pivot across anything from small result sets, to ones containing millions of data points.
  • Ability to query over a user-defined time period.
  • Ability to easily search/filter the results and export the selected results.

Some example use cases, which can be covered by Advanced Query include:

  • Verifying activity of an endpoint over a specified time period
  • Tracking lateral movement of a threat actor
  • Finding other endpoints which may have been affected by a breach
  • Tracing the sequence of events in a breach
  • Find all activity related to a specific attacker
  • Confirming that new log sources are generating data and verify these are configured correctly.

The Advanced Query user interface is divided into a number of panes which provide:

  • A time-picker allowing the user to easily select a time-period to apply a query. 
  • An interactive KQL query editor.
  • A filters panel, reflecting all the Fields available in the current result. This allows you to quickly filter in/out, search across the filter values and visually see the split between various values. This also allows you to quickly narrow down a query.
  • A Results panel, showing all matching Alert and Event data, both in parsed and raw format. This allows you to easily search and filter cross the viewed result and export results of relevance.
  • A User Tips panel, showing some quick Tips to assist the user in getting started in writing their first KQL queries.

To learn all about the feature within the Samurai MDR portal please review Advanced Query Functionality.