The Investigations module is intended to assist an investigational flow through a guided, tree-based representation of audit information collected from the IT infrastructure. It uses native data correlation to visually connect related events. Uniquely, it can connect events that apparently do not relate to each other, meaning they share no common connection point such as computer name, user name, origin point or destination IP address, and are not part of a defined non-compliance pattern based on any of those attributes and an event ID.
This functionality serves to create bonds between various events and fields/strings. An investigation is presumed to start from an event that needs to be investigated and to follow a route step by step to identify useful adjacent information. The starting event can mark the trail for a user logon, access to a file, an IP address, or a configuration change.
Starting from the initially provided information, investigators can easily discover the events associated with the initial marking point, dynamically correlating the information around fields or strings.
Working with the Investigations module
You access the Investigations module by pressing the button in the top-left section of the CYBERQUEST Web Interface.
Filter Data window
Unlike the modules described in previous chapters, the Investigations module first opens a Filter Data window similar to the Search and filter sections present in the Dashboards or Browser modules. CYBERQUEST uses a different approach for the Investigations module because, unlike Dashboards or Browser, there is no default information to display, and because this gives an investigator as much screen space as possible to roll the investigation.
The data filtering options are largely the same as those in the Browser module. The Search field filters the displayed information by free text. If nothing is entered in the field box, all events are displayed.
By pressing the button you can instruct the interface on how many items are displayed per page.
The default is 10 items, but you can increase it to 50 or 100 items.
You can specify additional filters using the Filtering options. By default, nothing is selected. When you open the Additional filters drop-down list, you are presented with a large collection of pre-defined filters sorted by technology. You can select one or multiple filters.
You will also need to select the logical method for combining the selected filters in the Combining method drop-down list. The available options are the AND and OR logical operators. Note that the operator you choose applies to all selected filters.
When finished, press the button to apply your selections, or the button to close the window without saving changes. Alternatively, you can close the window without saving changes by clicking the mark in the top-right corner.
Other options available in Filter Data window:
The Send to Investigations option will direct your selection to the Investigations module.
The Send to dashboards option will direct your selection to the Dashboards module. The option opens a new web browser tab to the Dashboards interface listing the filtered results.
The Send to browser option will direct your selection to the Browser module. The option opens a new web browser tab to the Browser interface listing the filtered results.
The Send to alerts option will direct your selection to the Alerts module. The option opens a new web browser tab to the Alerts interface listing the filtered results.
The Filter Data window includes options for setting the date and time interval for which you need information. This feature is very helpful when you need a quick look at compliance over a certain period of time.
The interface allows you to set a specific start date and end date, and also provides quick date options (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the Browser module interface lists all events. The buttons below the Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be considered (local time, GMT, or event time).
Remember to press the button to apply your selections and display the Investigations interface. If you click outside the window, or close the window without getting data, the interface is displayed without any information. The only way to load events and operate in this mode is to reload the page or press the New Investigation button on the Investigations page.
New Investigation page
When you press the Get data button, the Filter Data window closes and a New Investigation page opens. The investigation tree is displayed in the center of the page.
Clicking any event in the investigation tree displays the event information in the Event details section on the left of the page.
The following actions are possible:
Clicking on any of the event details opens a new Filter Data window pre-populated with a search containing your selection, with the date and time of the event as the start date and an end date one hour after the start date. You can change any of the filters here and modify the search if needed before pressing the Get data button.
The investigation tree expands with a new branch starting from your previously selected event, containing the events correlated to it.
From this point you can repeat the process by selecting an event on the new branch and then choosing a detail in the refreshed Event details section, which causes a new Filter Data window to open.
The process can be repeated indefinitely. An investigation can also pivot on the parsed information in the Description field, not only on standard event fields.
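The pivot loop described above (pick an event, pick one of its details, pull the events that share that value inside the one-hour window, paginate them into a new branch, repeat from any node of that branch) can be modelled outside the product. The following Python is an added illustration written for this page, not CYBERQUEST code, and it assumes a simplified event record with an ISO `Time` field plus a `Description` whose `Key: value` lines are parsed on the fly so that a parsed detail can be used as a pivot just like a standard field. The events themselves are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (illustrative only, not real audit data).
# A 'Logon ID: ...' line inside Description stands in for parsed description content.
EVENTS = [
    {"Time": "2024-03-01T08:00:00", "EventID": 4624, "UserName": "jdoe", "Computer": "WS01",
     "IP": "10.1.1.20", "Description": "An account was successfully logged on.\nLogon ID: 0x3E7A"},
    {"Time": "2024-03-01T08:20:00", "EventID": 4663, "UserName": "jdoe", "Computer": "FS01",
     "IP": "10.1.1.20", "Description": "An attempt was made to access an object.\nLogon ID: 0x3E7A\n"
                                        "Object Name: \\\\FS01\\finance\\q1.xlsx"},
    {"Time": "2024-03-01T08:45:00", "EventID": 4624, "UserName": "jdoe", "Computer": "WS01",
     "IP": "10.1.1.20", "Description": "An account was successfully logged on.\nLogon ID: 0x41C2"},
    {"Time": "2024-03-01T09:10:00", "EventID": 4663, "UserName": "jdoe", "Computer": "FS01",
     "IP": "10.1.1.20", "Description": "An attempt was made to access an object.\nLogon ID: 0x3E7A"},
    {"Time": "2024-03-01T08:05:00", "EventID": 4624, "UserName": "asmith", "Computer": "WS02",
     "IP": "10.1.1.21", "Description": "An account was successfully logged on.\nLogon ID: 0x5511"},
]

# 'Key: value' lines in a description become pivotable fields (assumed layout).
DESC_LINE_RE = re.compile(r"^\s*([^:\n]+):\s*(.+?)\s*$", re.MULTILINE)


def parsed_fields(event):
    """Standard fields merged with Key: value pairs parsed from Description."""
    fields = {k: v for k, v in event.items() if k != "Description"}
    for key, value in DESC_LINE_RE.findall(event.get("Description", "")):
        fields.setdefault(key, value)   # a standard field wins over a parsed one
    return fields


def correlated(events, pivot_event, field, window=timedelta(hours=1)):
    """Events sharing the pivot's value for `field`, from the pivot's time to +1 hour."""
    value = parsed_fields(pivot_event).get(field)
    start = datetime.fromisoformat(pivot_event["Time"])
    end = start + window
    hits = []
    for ev in events:
        if ev is pivot_event:
            continue
        when = datetime.fromisoformat(ev["Time"])
        if start <= when <= end and parsed_fields(ev).get(field) == value:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["Time"])


def paginate(items, page_size):
    """Split a branch into pages of the size chosen in the Filter Data window."""
    return [items[i:i + page_size] for i in range(0, len(items), page_size)]


def new_investigation(root_event):
    """Root node of an investigation tree."""
    return {"event": root_event, "branches": []}


def expand(node, events, field, page_size=10):
    """Grow a new branch under `node` by pivoting on one of its details."""
    hits = correlated(events, node["event"], field)
    branch = {
        "field": field,
        "value": parsed_fields(node["event"]).get(field),
        "pages": paginate(hits, page_size),
        "nodes": [{"event": ev, "branches": []} for ev in hits],
    }
    node["branches"].append(branch)
    return branch


if __name__ == "__main__":
    root = new_investigation(EVENTS[0])
    by_logon = expand(root, EVENTS, "Logon ID")          # pivot on a parsed detail
    by_user = expand(root, EVENTS, "UserName", page_size=1)
    by_host = expand(by_user["nodes"][0], EVENTS, "Computer")  # continue from a child node
    for branch in (by_logon, by_user, by_host):
        print(branch["field"], "=", branch["value"], "->",
              [n["event"]["Time"] for n in branch["nodes"]], "pages:", len(branch["pages"]))
```

Note that the window is anchored at the pivot event, so the same user's 09:10 access is outside the root's window but inside the window of the 08:20 child node; that is exactly why stepping along a branch surfaces events the first query did not.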
The main investigation tree can be scaled up or down with the mouse scroll wheel, and you can move the tree within the New Investigation main section as needed to observe the investigation logic, follow the breadcrumbs and steer your investigation by selecting other events and filtering data.
Remember that for any branch in the tree, the number of events displayed per page is the one set in your original Filter Data selection. Therefore, if the number of events is higher than the maximum to be displayed, additional data pages are created.
The Current data section to the right of the New Investigation page allows you to navigate forward and backward through these data pages by pressing the Previous Page and Next Page buttons. The values displayed in the section's header change accordingly.
The right side also shows statistics about the current events, giving an overview of the result set. By default, the system graphically displays the events returned by the query, grouped by the Category field, as a pie chart.
Using the controls, you can choose other groupings and other formats in which the results are shown.
Logon investigation scenario example
This scenario consists of finding a user's authentications to resources in a certain period of time.
Access the Investigations module from the CYBERQUEST Web Interface.
Enter the username in the search field. This can be done in one of two ways:
- If we want to treat the username as a string and search for it in all event fields, it is entered directly
- If we want to filter exactly on the username field, we have to use the specific notation:
The entered text is interpreted according to the complex search syntax.
Valid examples of searches:
- Simple search:
- Simple exact search:
- Complex search (a space between terms is interpreted as the logical operator 'OR'):
- Complex search with field:
(UserName:"test. User2") AND (IP:"192.168.190.5")
- Complex search with OR and AND:
((UserName:"test. User2") OR (UserName:"test. User1")) AND (IP:"192.168.190.5")
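To make the search rules listed above concrete, here is a small evaluator for that syntax, added for this page and not CYBERQUEST's own search engine. It implements what the text states (a bare word is searched as free text across all event fields, `Field:"value"` matches exactly on that field, a space between terms acts as OR, and AND/OR with parentheses combine sub-queries) and assumes, where the page is silent, that free-text matching is case-insensitive substring matching, that a quoted value without a field name is an exact match on any field, and that AND binds tighter than OR. The events are constructed sample data.

```python
import re

# Constructed sample events (illustrative only, not real audit data).
EVENTS = [
    {"EventID": 4624, "UserName": "test. User2", "IP": "192.168.190.5", "Computer": "SRV01",
     "Description": "An account was successfully logged on."},
    {"EventID": 4624, "UserName": "test. User1", "IP": "192.168.190.5", "Computer": "SRV01",
     "Description": "An account was successfully logged on."},
    {"EventID": 4625, "UserName": "test. User2", "IP": "10.0.0.7", "Computer": "WS22",
     "Description": "An account failed to log on."},
    {"EventID": 4663, "UserName": "svc_backup", "IP": "", "Computer": "SRV01",
     "Description": "An attempt was made to access an object."},
]

# Tokens: parentheses, Field:"value", "value", or a bare word (AND/OR are keywords).
TOKEN_RE = re.compile(r'\(|\)|([A-Za-z_]\w*):"([^"]*)"|"([^"]*)"|[^\s()"]+')


def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):
        text = m.group(0)
        if text == "(":
            tokens.append(("LPAREN",))
        elif text == ")":
            tokens.append(("RPAREN",))
        elif m.group(1) is not None:
            tokens.append(("FIELD", m.group(1), m.group(2)))
        elif m.group(3) is not None:
            tokens.append(("EXACT", m.group(3)))
        elif text.upper() in ("AND", "OR"):
            tokens.append((text.upper(),))
        else:
            tokens.append(("TEXT", text))
    return tokens


class QueryParser:
    """Recursive-descent parser producing a predicate over an event dict."""

    def __init__(self, query):
        self.tokens = tokenize(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("EOF",)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        if not self.tokens:                 # empty search box: every event matches
            return lambda ev: True
        pred = self.or_expr()
        if self.peek()[0] != "EOF":
            raise ValueError("unexpected token %r" % (self.peek(),))
        return pred

    def or_expr(self):
        parts = [self.and_expr()]
        while True:
            kind = self.peek()[0]
            if kind == "OR":
                self.take()
                parts.append(self.and_expr())
            elif kind in ("FIELD", "EXACT", "TEXT", "LPAREN"):
                parts.append(self.and_expr())   # juxtaposition (a space) means OR
            else:
                break
        return lambda ev: any(p(ev) for p in parts)

    def and_expr(self):
        parts = [self.atom()]
        while self.peek()[0] == "AND":
            self.take()
            parts.append(self.atom())
        return lambda ev: all(p(ev) for p in parts)

    def atom(self):
        tok = self.take()
        if tok[0] == "LPAREN":
            pred = self.or_expr()
            if self.take()[0] != "RPAREN":
                raise ValueError("missing ')'")
            return pred
        if tok[0] == "FIELD":
            name, value = tok[1], tok[2]
            return lambda ev: str(ev.get(name, "")) == value          # exact, on one field
        if tok[0] == "EXACT":
            value = tok[1]
            return lambda ev: any(str(v) == value for v in ev.values())  # exact, any field
        if tok[0] == "TEXT":
            needle = tok[1].lower()
            return lambda ev: any(needle in str(v).lower() for v in ev.values())
        raise ValueError("unexpected token %r" % (tok,))


def search(query, events=EVENTS):
    """Return the events matching a Filter Data search string."""
    matches = QueryParser(query).parse()
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for q in ['User2', '"svc_backup"', 'User2 backup',
              '(UserName:"test. User2") AND (IP:"192.168.190.5")',
              '((UserName:"test. User2") OR (UserName:"test. User1")) AND (IP:"192.168.190.5")']:
        print(q, "->", [ev["UserName"] for ev in search(q)])
```

Running it shows why the two ways of entering a username differ: `User2` as free text also hits the failed-logon event from a different IP, while `UserName:"test. User2"` combined with an IP filter narrows the result to the single logon the scenario is after.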
Select the timeframe by choosing the start/end time. To change the time interval, additional buttons can be used: these automatically add/subtract days/hours/minutes from the current day/hour.
Click the Get data button. The system shows the requested results or the message "No result has been found". The results are displayed as a tree.
Select an event (a dot) on the left side of the screen and all the fields pertaining to that specific event are shown. These fields are either standard fields from the Windows environment or fields specific to other types of events. The Description field can be minimized/maximized to show additional information for that event by pressing the More button.