
Automatic Lookback on Events

CyberQuest exposes functionality for looking back into past events, so that new information can be traced and cross-correlated with older data. For this purpose, CQ DTS exposes the following methods in the Events class:

getCount(query, days = 0) // returns the number of matches for a particular query over the given lookback window (days). The query can be any query string; please refer to the query syntax.
getBackLogs(query, days = 0, maxcount = 100) // returns at most maxcount events matching the query over the same window, ordered descending by localtime.

You can call these methods from the DTS section by using the following script on a DTS associated with a Threat Intelligence Source. In this way, each new IOC is validated against the backlog and, if it is found there, an alert is raised based on that IP:

let query = "SourceIP:192.168.1.1 OR DestinationIP:192.168.0.1";

// count the matching events in the last 30 days
let numberOfEvents = Events.getCount(query, 30);

if (numberOfEvents > 2) {
    // fetch the matching events (default maxcount = 100), newest first
    let cqEvents = Events.getBackLogs(query, 30);

    Alert.create({
        emails: "notificationAddress1@company.com, notificationAddress2@company.com", // comma-separated recipients
        name: "Alert created by DTS for backEvents",
        secLevel: 5, // security level (between 1-10)
        secScore: 10, // security score (between 1-100)
        inputLogs: cqEvents // the correlated backlog events attached to the alert
    });
}
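As an added example that is not part of the CyberQuest documentation or product: an in-memory stand-in for the Events class that follows the semantics described above (a constructed sample backlog, localtime assumed to be epoch milliseconds, days = 0 assumed to mean no time limit, and a query evaluator limited to the Field:value OR Field:value form shown on this page), plus a lookback rule that builds the Alert.create() payload for a single new IOC.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed sample backlog (not real data). localtime is assumed to be epoch milliseconds.
const NOW = Date.parse("2024-03-10T12:00:00Z");
const BACKLOG = [
  { localtime: NOW - 1 * DAY_MS, SourceIP: "192.168.1.1", DestinationIP: "10.0.0.5" },
  { localtime: NOW - 5 * DAY_MS, SourceIP: "10.0.0.7", DestinationIP: "192.168.1.1" },
  { localtime: NOW - 12 * DAY_MS, SourceIP: "192.168.1.1", DestinationIP: "10.0.0.9" },
  { localtime: NOW - 45 * DAY_MS, SourceIP: "192.168.1.1", DestinationIP: "10.0.0.9" }, // outside a 30-day window
  { localtime: NOW - 2 * DAY_MS, SourceIP: "172.16.0.3", DestinationIP: "172.16.0.4" },
];

// Minimal query evaluator covering only the syntax shown on the page: "Field:value" terms joined by OR.
function matches(event, query) {
  return query.split(/\s+OR\s+/).some((term) => {
    const [field, value] = term.trim().split(":");
    return event[field] === value;
  });
}

// Stand-in for the DTS Events class, with the two lookback methods described above.
const Events = {
  select(query, days) {
    // Assumption: days = 0 means no time limit; otherwise keep events from the last `days` days.
    const cutoff = days > 0 ? NOW - days * DAY_MS : -Infinity;
    return BACKLOG.filter((e) => e.localtime >= cutoff && matches(e, query));
  },
  getCount(query, days = 0) { return this.select(query, days).length; },
  getBackLogs(query, days = 0, maxcount = 100) {
    return this.select(query, days)
      .sort((a, b) => b.localtime - a.localtime) // descending by localtime (newest first)
      .slice(0, maxcount);
  },
};

// Lookback rule for one new IOC (an IP): returns the Alert.create() payload when more than
// `threshold` events reference the IP in the window, or null when nothing should be raised.
function lookbackRule(ioc, { days = 30, threshold = 2, maxcount = 100 } = {}) {
  const query = `SourceIP:${ioc} OR DestinationIP:${ioc}`;
  const numberOfEvents = Events.getCount(query, days);
  if (numberOfEvents <= threshold) return null;
  return {
    emails: "soc-alerts@company.example", // placeholder recipient
    name: `Lookback hit for IOC ${ioc}: ${numberOfEvents} events in the last ${days} days`,
    secLevel: 5, // security level (1-10)
    secScore: 10, // security score (1-100)
    inputLogs: Events.getBackLogs(query, days, maxcount),
  };
}
```

In the real DTS the returned payload is what you would pass to Alert.create(); here it is returned so the rule can be checked offline.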