Page 1: TAPUserGuide - FireEye › content › dam › fireeye-www › ... · Filters 7 Directives 8 Transforms 8 Groupby 8 Histogram 9 Taxonomy 9 Meta-ClassesandClasses 10 Fields 10 Aliases

TAP User Guide

FireEye, Inc.

Next Generation Threat Protection

1440McCarthy Blvd., Milpitas, CA 95035

www.FireEye.com

© 2014 FireEye, Inc. All rights reserved.

FireEye is a registered trademark of FireEye, Inc. All other brands, products, or servicenames are or may be trademarks or service marks of their respective owners.

Document version: v1.0A

Contents

Contents i
TAP Overview iii
Events iii
Intelligence iv
TAP Architecture v
Dashboard vi
Search vii
Run a Search vii
Quick Mode vii
Date Range vii
History viii
Favorites viii
Lists viii
Create, Update, Export Lists viii
Import Lists ix
Search Results ix
Pivoting ix
MQL Syntax 1
Search Clauses 1
Quotes 1
Numbers 2
Date and Time 2
Set Notation 3
Boolean Operators 3
Comparison Operators 4
Parenthetical Expressions 4
Prefix Search 4
Subsearch and Variable Expansion 5
Subsearch 5
Subsearch with Variable Expansion 5
Variable Expansion 6
Regular Expressions 6

FireEye, Inc. i TAP User Guide

Filters 7
Directives 8
Transforms 8
Groupby 8
Histogram 9
Taxonomy 9
Meta-Classes and Classes 10
Fields 10
Aliases 11
IP, SRCIP, DSTIP 11
Host 12
ID 13
MAC 14
Port 14
Interface 15
Hash 15
Intel Hit Searches 15
Rules 17
Rule Packs 17
View Rules 18
Enable and Disable Rules 18
Create User-Defined Rules 18
Update User-Defined Rules 19
Delete Rules 19
Import and Export Rules 19
Alerts 20
Suppress Alerts 20
Add Alerts to Incidents 20
Incidents 21
Create New Incident 21
Add Events to Existing Incident 22
Assign Incident and Investigate 22
View Alert Details 22

TAP Overview

The FireEye Threat Analytics Platform (TAP) is a security incident detection and resolution tracking platform that identifies cyber threats and improves response by layering enterprise-generated event data with real-time threat intelligence from FireEye.

TAP is a cloud-based application that:

• Collects and indexes database, security, network, and endpoint events from your environment
• Compares indicators in your events in real time against FireEye intelligence and generates alerts on hits
• Applies both FireEye-defined rules and rules that you define to event data to generate alerts
• Provides an incident workflow for tracking both events associated with alerts and any events that you deem suspicious, from investigation to remediation
• Makes events available for efficient searching and pivoting
• Provides visualizations of trending activity

Events

An event is any observable occurrence. Logging is the process of recording events to provide an audit trail that can be used to understand the activity of a system. In the context of TAP, event refers to a specific log entry.

Each event found within log data in TAP is assigned a unique ID as it enters the TAP application in the Comm Broker Sender within your environment.

Log data from each device is run through a parser if one is available. Parsers separate the data in events into fields and label those fields according to the taxonomy. The taxonomy names and defines the types of data that appear in events.

After being parsed, each event has two parts: parsed fields and the raw message. Parsed fields have the following advantages:

• Can be searched using MQL syntax
• Have pivoting capability when the event appears in search results
• Provide more accurate data for matching against intelligence indicators

If an event is not parsed, the raw message is still indexed and can be searched as a string. TAP still attempts to match the raw message against intelligence indicators, but more false positive hits may result.

When an event matches intelligence, TAP generates a synthetic event for that intel hit. Having a synthetic event allows you to search more effectively for intel hits.

Intelligence

TAP applies FireEye Intelligence to events once, in real time, as they are received. TAP checks parsed fields in events and unparsed raw messages for fully qualified domain names (FQDNs) and IPs that we believe are indicators of a compromise. When a match is found, TAP generates an intel hit (along with a synthetic event) and an alert. Intel hits based on matches of just raw data in an event are more likely to be false positive hits than matches on parsed fields. Intelligence indicators are updated hourly.

FireEye intelligence is gained from our extensive incident response work as well as research by our experts and includes these two types:

• Commodity. Commodity intel is generated from analysis of over 1 million malware samples per day. By detonating these samples and analyzing them, we generate 10,000 indicators per day. Our expert intel team reviews matches from customer environments to these indicators to help ensure that only valid intel hits are sent to your TAP instance.

• Curated. Curated intel is generated from FireEye research; we closely track threat families and Advanced Persistent Threat (APT) groups. From this research, we compile malicious indicators, and TAP looks for those indicators in your events. This type of intel generally generates fewer hits, but the hits that occur indicate high-risk compromises. When TAP is configured for your environment, the TAP operations team notes your external IPs. If FireEye finds any of these IPs sending data to a known sinkhole (i.e., a known malicious command and control server), TAP alerts you.

TAP Architecture

Your TAP instance resides in two environments: your environment and a Virtual Private Cloud (VPC) within Amazon Web Services (AWS). Within your environment are one or more Communication Broker Senders that send log data to a Communication Broker Receiver within TAP in the VPC. The Comm Broker Receiver and all other TAP components within the VPC are managed by the TAP Operations Team.

TAP High-Level Architecture

The data flow is as follows:

• The Comm Broker Sender receives log data in your environment and sends it to the Comm Broker Receiver in the VPC. For security purposes, all data in transit, including all metadata, is encrypted with Twofish with a 256-bit key. When data is transmitted over the WAN to the Communication Broker Receiver, it is double-encrypted with two layers of Twofish and 512 bits of key in total. The Communication Broker Sender/Receiver combination never stores any customer data in clear text.
• Log data is parsed according to the TAP taxonomy and then indexed to make it available for fast searches and pivoting. Log data that cannot be parsed is still indexed as raw messages.
• Both FireEye-defined and customer-defined rules are applied to the events, and alerts are generated if applicable.
• FireEye intelligence is also applied to all events in real time, and alerts are generated for any hits.

Dashboard

The TAP application is designed to be viewed in Chrome. The default page for the TAP application is the Dashboard page.

The Dashboard page is designed to provide a broad overview of the current status of events, alerts, and incidents in TAP. If there is a current alert, a banner appears at the top of the Dashboard page to provide immediate pertinent information related to that alert and options for taking action on the alert.

Depending on the data available in TAP, the Dashboard page shows:

• Active alerts and a graphic showing the number of alerts per source (FireEye-defined rules, user-defined rules, or intel hits)
• Open incidents, including the total number as well as the average time to close
• Metrics about events, such as the total number of events in the TAP index and the daily high and low number of events

Search

TAP Search capability allows you to search events both as a starting point to find a potential compromise and to locate specific events associated with alerts. TAP can search billions of events in seconds.

Events are available for searching for 4, 8, or 12 months, depending on how your TAP instance was configured when it was deployed.

The TAP search depends on the event as follows:

• For raw events, TAP is able to search for matching strings.
• For parsed events that are normalized according to the TAP taxonomy, TAP is able to search for common data across all events from a variety of log sources.

Run a Search

Search capability is provided in TAP by entering a query written in Mandiant Query Language (MQL), selecting a date range option, and selecting Quick Mode if desired. TAP uses MQL as the syntax for constructing queries to search events. The complete MQL syntax is supported in the Search box at the top of every TAP page.

Once you have run one query, you can use the pivot functionality to refine that query or create a new query.

Quick Mode

Quick Mode provides fast but partial search results when you run a query. To use Quick Mode, check the Quick Mode option on the Search bar.

Quick Mode limits the number of results that TAP returns. The results returned are based on events found but do not represent all the events that match the query (i.e., the count is not accurate). Using Quick Mode, you can test whether a query will return results and whether those results are what you expected. This is particularly useful when building complex queries.

Date Range

You can limit the query to a specific time period by selecting one of the following options:

• Past hour
• Past 12 hours
• Past 24 hours
• Past 7 days
• Last 30 days
• Past 90 days
• Custom range with a start and end date

To select a date, click the calendar icon in the Search bar.

The date that TAP uses to evaluate the query (and as the default order in search results) is the date and time that the event arrived into TAP. When the Comm Broker Sender receives log data from your environment, it adds the current time as a timestamp to the event. This timestamp includes the date and time down to the millisecond.

History

TAP saves all the search queries run. This History is available on the Search page. To run a previous query, select it from the History menu or the Latest History box on the Search page. To clear the history, click Clear in the Latest History box on the Search page or select Clear History from the History menu on the Search page.

Favorites

A Favorite is a search query that you would like to save to run again. To add a query to Favorites, run the query in the Search bar, then click Favorite. To run a Favorite query, select it from the Favorites menu or the Top Favorites box on the Search page. To delete a Favorite from the list, click the X icon next to the query on the Favorites menu or select Edit in the Top Favorites box.

Lists

Lists allow you to conduct searches for multiple items at one time (e.g., shared indicators, executive machine IPs). If you have many values that you would like to include in one or more queries, you can create a list and use the list name in the query. The list name serves as a variable in the MQL syntax.

Create, Update, Export Lists

To create a new List, click Create New List on the Lists menu on the Search page. To edit an existing List, select the list name on the Lists menu on the Search page. On the Lists page, enter or update the following:

• List name
• List description
• IPs and domains, on separate lines, in the Search for box

The limit is 100K per list.

To export the list, click Export.

Import Lists

If you have existing lists of domains and IPs stored in .json format, you can upload those lists for use in TAP. To import a list, select Import List from the Lists menu on the Search page. On the Import List window, select the file to import. Only .json is supported.

Search Results

The results for the query appear on the Search page as a list of events. Each event includes both the raw event data and the parsed fields, if applicable. Parsed fields have pivoting options.

You can also visualize data results on a timeline. Click Timeline at the top of the search results.

If you think results are missing, be sure that the search query was not run with Quick Mode selected. After selecting events, you can add them to an incident.

After finding results, TAP has the following options to help you use the results more efficiently:

• Highlight. To see the fields that matched the search query, click Highlight.
• Geo. TAP uses data from the srcipv4 and dstipv4 fields in events to determine geographical IP. To display the geographical information for an event, such as the destination country, destination IP, or destination domain, click Geo.
• Meta. To see the meta-classes in the events, click Meta.
• Sort. By default, the events in the results are sorted newest first. You can reverse the order by selecting Oldest for the Sort option. The date that TAP uses is the date and time that the event arrived into TAP (which is also used in the query).
• Show and Select. By default, the search results list shows all the results. To view only specific events, select those events and choose Selected for the Show option. The Visible and None options for Select also change the events displayed.
• View. You can opt to see all the results, which may include both raw events and parsed events, or you can opt to show just one or the other. Select an option for View.

Pivoting

Pivoting through data is how you add context to an event to determine what to do next. After completing a search, you may find data of interest in a parsed field in an event in the results and want to refine your search or run a new search for the same data in other events.

When events appear in the search results, the parsed fields provide the following pivoting and drill-down options when you click the down arrow next to the field in the event in the results on the Search page:

• New search. To search for the same field and data in other events, select New search. A new query appears in the Search bar, which you can either run as is or modify.
• Add to current search. To add another field and data to the current query in the Search bar, click Add to current search.
• Exclude from search. To add a field and data to the current query as a “not” statement, click Exclude from search.
• Groupby field. To use a field and its data in a groupby clause in the current query, click Groupby field.
• Copy to clipboard. To copy the field and its data to the clipboard for use in another application or for your notes, click Copy to clipboard.

MQL Syntax

TAP employs Mandiant Query Language (MQL) for constructing queries. MQL is a data analysis language that is used to retrieve events for further analysis in TAP.

MQL supports three types of clauses in the search query:

• Search, which includes:
  • Quotes
  • Numbers
  • Date and time
  • Set notation
  • Boolean operators
  • Comparison operators
  • Parenthetical expressions
  • Prefix search
  • Regular expressions
  • Variable expansion
  • Subsearch
  • Filters
• Directives
• Transforms, which include:
  • Groupby
  • Histograms

MQL supports unlimited nesting of queries; however, performance may slow depending on the result set.

The fields available to include in queries are based on the taxonomy. Those fields include classes and also alias options. All fields and values are lowercase.

Search Clauses

A search clause specifies the data to be located based on exact matches, comparisons, ranges, and expressions.

Quotes

Use “ ” (double quotes) or ‘ ’ (single quotes) to search for the following:

• A space, or an exact string that includes a space
• Keywords such as “and” or “or”

To search for quotes, use the escape. For double quotes, escape using the following:

• \“

For single quotes, escape using the following:

• \’

Numbers

MQL syntax supports the following for numbers:

• Negative “-” and positive “+” signs
• Exponent as ‘e’ or ‘E’
• Fraction as ‘.’ digit
• Fraction exponent as ‘fracexp’

Date and Time

To limit the events returned by the search to a specific range, MQL supports the keywords “start” and “end”. Time specified in the MQL syntax takes precedence over time specified in the Search bar in TAP.

MQL supports dates as follows:

• Calendar date with the day: “yyyymmdd”
• Calendar date with just the year and month: “yyyymm”
• Calendar date with the week: “yyyyww” or “yyyy-ww”
• Calendar date with the week and day: “yyyywwd”
• Ordinal date: “yyyy ordinalday”

Where:

• yyyy is the year in 4-digit number format
• mm is the month in 2-digit number format
• dd is the day of the month in 2-digit number format
• ww is the week in 2-digit number format, ranging between 1 and 52 and starting with the first week of January
• d is the weekday in 1-digit number format, ranging between 1 and 7 and starting with Monday
• ordinalday is the day in 3-digit number format, ranging between 1 and 366 and starting on January 1

MQL supports time as follows:

• Hours, minutes, and seconds: “hhmmss”
• Hours and minutes: “hhmm” or “hh:mm”

Where:

• hh is the hour in 2-digit format
• mm is the minute in 2-digit format
• ss is the second in 2-digit format

MQL syntax also supports relative time such as:

• yesterday
• today
• last with hour, day, week, month, or year
• X hours, days, weeks, months, or years ago, where X is a number

The time that MQL uses when evaluating queries with “start” and “end” is the time that the event arrived into TAP. When the Comm Broker Sender receives log data from your environment, it adds the current time as a timestamp to the event. This timestamp, which includes the date and time down to the millisecond, is the time field used to evaluate the start and end keywords and is also the default order in which search results are displayed on the Search page. To evaluate the query using time values located in another field, you must specify that field.
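The date forms listed above can be turned into concrete query windows. The following Python is an added example, not TAP's own code or part of this guide: it resolves an MQL date token into the [start, end) UTC window it denotes, so that the window's start serves a “start:” clause and its end serves an “end:” clause. It assumes ISO week numbering for the week forms (week 1 holds the first Thursday, weekday 1 is Monday), reads a bare six-digit token as yyyymm because yyyymm and yyyyww cannot be told apart in that form, and handles only today, yesterday and “X hours/days/weeks ago” among the relative forms; SAMPLE_NOW is a constructed clock so the relative forms resolve reproducibly.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not TAP's own code: resolves the MQL date forms listed in the
# guide into a half-open [start, end) UTC window. Assumptions: week forms are
# ISO weeks (week 1 contains the first Thursday, day 1 = Monday); a bare 6-digit
# token is read as yyyymm, since yyyymm and yyyyww are indistinguishable; of the
# relative forms only today, yesterday and "X hours/days/weeks ago" are handled.

UTC = timezone.utc
SAMPLE_NOW = datetime(2014, 6, 25, 15, 30, tzinfo=UTC)   # constructed clock

def _midnight(dt):
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)

def _day_window(start):
    return start, start + timedelta(days=1)

def resolve_mql_date(token, now):
    """Return the (start, end) UTC window denoted by an MQL date token, relative to NOW."""
    token = token.strip().lower()
    if token == "today":
        return _midnight(now), now
    if token == "yesterday":
        today = _midnight(now)
        return today - timedelta(days=1), today
    m = re.fullmatch(r"(\d+) (hour|day|week)s? ago", token)
    if m:
        return now - timedelta(**{m.group(2) + "s": int(m.group(1))}), now
    if re.fullmatch(r"\d{8}", token):                       # yyyymmdd: one day
        return _day_window(datetime(int(token[:4]), int(token[4:6]), int(token[6:]), tzinfo=UTC))
    if re.fullmatch(r"\d{6}", token):                       # yyyymm: the whole month (assumption)
        y, mo = int(token[:4]), int(token[4:])
        start = datetime(y, mo, 1, tzinfo=UTC)
        end = datetime(y + 1, 1, 1, tzinfo=UTC) if mo == 12 else datetime(y, mo + 1, 1, tzinfo=UTC)
        return start, end
    m = re.fullmatch(r"(\d{4})-(\d{2})", token)             # yyyy-ww: the whole week
    if m:
        start = datetime.fromisocalendar(int(m.group(1)), int(m.group(2)), 1).replace(tzinfo=UTC)
        return start, start + timedelta(days=7)
    m = re.fullmatch(r"(\d{4})(\d{2})(\d)", token)          # yyyywwd: one day of a week
    if m:
        start = datetime.fromisocalendar(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        return _day_window(start.replace(tzinfo=UTC))
    m = re.fullmatch(r"(\d{4}) (\d{3})", token)             # yyyy ordinalday
    if m:
        start = datetime(int(m.group(1)), 1, 1, tzinfo=UTC) + timedelta(days=int(m.group(2)) - 1)
        return _day_window(start)
    raise ValueError("unrecognised MQL date token: %r" % token)

def mql_time_window(start_token, end_token, now):
    """Combine start:<token> and end:<token> into the [start, end) range a query would use."""
    start, _ = resolve_mql_date(start_token, now)
    _, end = resolve_mql_date(end_token, now)
    if end <= start:
        raise ValueError("end %s is not after start %s" % (end, start))
    return start, end

if __name__ == "__main__":
    for tok in ("20140625", "201406", "2014-26", "2014263", "2014 176", "yesterday", "2 hours ago"):
        print("%-12s -> %s .. %s" % (tok, *resolve_mql_date(tok, SAMPLE_NOW)))
    print(mql_time_window("yesterday", "today", SAMPLE_NOW))
```

Because the window is half-open, “start:yesterday end:today” covers exactly the previous calendar day up to the current moment, with no double counting at midnight.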

Set Notation

MQL syntax supports lists of comma-separated values by placing the list between square brackets “[]”. For example:

srcip:[192.68.1.1,192.68.1.2]

Boolean Operators

Boolean operators include “and”, “or”, and “not”. By default, a space between query terms is treated as an implicit “and”, and the search will be inclusive of all terms specified.

The order of precedence for “and” and “or” is:

• Explicit “and” (i.e., and is entered) is higher than “or”
• Implicit “and” (i.e., no “and” entered, just a space between terms) is lower than “or”

The valid symbols for “and” are:

• and
• &&

The valid symbols for “or” are:

• or
• || (double bars)

For example:

http and tcp or ftp : (http and tcp) or ftp
http tcp or ftp : http and (tcp or ftp)

The operator “not” binds to what is immediately after it. For example:

not ftp

The valid symbols for “not” are:

• NOT
• Not
• ! (exclamation point, with no space afterwards)

Comparison Operators

To find data in a specific field, use the equal operator, which is one of the following:

• = (equal sign)
• : (colon)

Neither has spaces around it. The value specified after the operator must be valid for the field type. For example:

srcip:192.168.1.1
srcip=192.168.1.1

In addition to equals, the following other operators are supported:

• >
• <
• <=
• >=

There are no spaces around the operators. Operator values are the tightest binding. For example:

recvdpackets>20
! recvdpackets<=20

Parenthetical Expressions

Parentheses can be used to group terms for precedence. Parentheses are also used to designate subsearches. For example:

tcp and (http or ftp)
not (http and tcp or not ftp)

Prefix Search

Parentheses can be used to group terms for precedence. Parentheses are also used to designate subsearches.

For example:

tcp and (http or ftp)
not (http and tcp or not ftp)

Subsearch and Variable Expansion

Subsearch allows you to specify a query to run and then use the results from that query in another query. Subsearch can be run by itself or with variable expansion. Variable expansion can also be run independently of subsearch.

Subsearch

Subsearch is supported using a parenthetical expression. For example:

srcip:(rawmsg:Trojan) and hostname:important_machine

In this example query, the search engine will first locate “Trojan” in all raw messages and return all the source IPs of those events. It will then search for events with one of those source IPs and the hostname “important_machine” and return those events.

In this example, if the subsearch (rawmsg:Trojan) finds 2 unique srcip addresses (172.15.1.10 and 175.15.1.20), then the full searches performed will be:

srcip:172.15.1.10 and hostname:important_machine OR
srcip:175.15.1.20 and hostname:important_machine

You can also compare different variables to each other with the “in” operator to specify the field in the subsearch to be used in the comparison. For example:

IOC dsthost:(srchost in fireeye eventlog:/.*back.*/)

For this query, search first resolves the subsearch expression and returns the unique srchosts, which it then uses as search terms for dsthost in the main query. This can be useful when the direction of the event is different (as with some of the events from other FireEye products) or when trying to look for callback activity from the original infection source.

Subsearch with Variable Expansion

You can also use subsearch in combination with variable expansion. Variable expansion allows you to specify a list of pre-populated values and then use the results from that query in another query. For example:

IOC (dsthost:$exec_pc)

For this query, search first resolves the subsearch expression by doing a search for all the dsthosts that match the list $exec_pc and returns the result to add them as search terms in the main query. In this example, if the exec_pc list contains the hostnames execcto and execcfo, the following search would be executed:

IOC dsthost:execcto OR IOC dsthost:execcfo

Variable Expansion

You can also use variable expansion outside of subsearches. The syntax is:

field_name:$keyword

For example:

dsthost:$exec_pc

In this example you would be executing the following search:

dsthost:execcto OR dsthost:execcfo

Which is the same as:

dsthost:[execcto,execcfo]
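The subsearch and variable expansion walk-throughs above can be reproduced step by step. The Python below is an added example, not TAP's code: EVENTS and LISTS are constructed data (the two srcip values are the ones the page uses), and the functions rewrite the page's two query shapes into the expanded forms the text shows, one full query per distinct subsearch value, and field:$list into set notation and then into an OR. The IOC-prefixed form on the page is not handled, and run_subsearch executes only the “field:(inner:word) and other:value” shape of the page's example.

```python
import re

# Added example, not TAP's own code: simulates how the guide describes a subsearch
# and a $list variable being resolved before the main query runs. EVENTS and
# LISTS are constructed; only the field:(subsearch) and field:$list forms are
# handled, not the IOC-prefixed form shown on the page.

EVENTS = [
    {"srcip": "172.15.1.10", "hostname": "important_machine", "rawmsg": "AV: Trojan.Generic blocked"},
    {"srcip": "175.15.1.20", "hostname": "labbox", "rawmsg": "AV: Trojan.Dropper blocked"},
    {"srcip": "172.15.1.10", "hostname": "labbox", "rawmsg": "AV: Trojan.Generic blocked"},
    {"srcip": "10.0.0.5", "hostname": "important_machine", "rawmsg": "user logon ok"},
]
LISTS = {"exec_pc": ["execcto", "execcfo"]}

def unique_values(events, field, predicate):
    """Distinct values of FIELD over the events satisfying PREDICATE, in first-seen order."""
    seen = []
    for ev in events:
        if predicate(ev) and field in ev and ev[field] not in seen:
            seen.append(ev[field])
    return seen

def expand_subsearch(query, events):
    """Rewrite outer:(inner:word) [rest] into one full query per distinct outer value."""
    m = re.fullmatch(r"(\w+):\((\w+):(\S+)\)(.*)", query.strip())
    if not m:
        raise ValueError("not a field:(subsearch) query: %r" % query)
    outer, inner, word, rest = m.group(1), m.group(2), m.group(3).lower(), m.group(4).strip()
    values = unique_values(events, outer, lambda ev: word in str(ev.get(inner, "")).lower())
    return " OR ".join("%s:%s" % (outer, v) + (" " + rest if rest else "") for v in values)

def run_subsearch(query, events):
    """Execute the page's shape outer:(inner:word) and other:value over EVENTS."""
    m = re.fullmatch(r"(\w+):\((\w+):(\S+)\) and (\w+):(\S+)", query.strip())
    if not m:
        raise ValueError("unsupported query shape: %r" % query)
    outer, inner, word, other, wanted = m.groups()
    values = unique_values(events, outer, lambda ev: word.lower() in str(ev.get(inner, "")).lower())
    return [ev for ev in events if ev.get(outer) in values and str(ev.get(other)) == wanted]

def expand_variables(query, lists):
    """Replace $name with the list's set notation: dsthost:$exec_pc -> dsthost:[execcto,execcfo]."""
    def repl(m):
        if m.group(1) not in lists:
            raise KeyError("unknown list: %s" % m.group(1))
        return "[" + ",".join(lists[m.group(1)]) + "]"
    return re.sub(r"\$(\w+)", repl, query)

def expand_set_notation(query):
    """Rewrite field:[a,b] into the OR form the page shows: field:a OR field:b."""
    return re.sub(r"(\w+):\[([^\]]*)\]",
                  lambda m: " OR ".join("%s:%s" % (m.group(1), v) for v in m.group(2).split(",")),
                  query)

if __name__ == "__main__":
    q = "srcip:(rawmsg:Trojan) and hostname:important_machine"
    print(expand_subsearch(q, EVENTS))
    print(run_subsearch(q, EVENTS))
    print(expand_set_notation(expand_variables("dsthost:$exec_pc", LISTS)))
```

Note that the subsearch on its own matches three events (two of them from the same srcip), yet only one event survives the full query, because the hostname clause is applied after the subsearch values have been collected.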

Regular Expressions

The MQL syntax supports regular expressions.

MQL regular expression patterns are always anchored (i.e., you do not need to specifically indicate whether the regex pattern starts at the beginning or end of the string). The pattern provided must match the entire string. The exception is the use of an asterisk (*) in a prefix search. For example, to match a user-agent field of “Mozilla/5.0”, the regular expression must be “User-agent=.*5\.0.*”; it will not match on “User-agent=5.0” or “User-agent=5\.0”.

Any characters may be used, but certain characters are reserved and must be escaped. The reserved characters are:

. ? + * | { } [ ] ( ) " \

The character * is also used for prefix searches. Any reserved character (including a backslash) can be escaped with a backslash (for example, "\*"). Any characters (except double quotes) are interpreted literally when surrounded by double quotes.

A period “.” can be used to represent any character.

The plus sign "+" can be used to repeat the preceding shortest pattern one or more times.

The asterisk "*" can be used to match the preceding shortest pattern zero or more times.

The question mark "?" makes the preceding shortest pattern optional. It matches zero or one times.

Curly brackets "{}" can be used to specify a minimum and (optionally) a maximum number of times the preceding shortest pattern can repeat. The allowed forms are:

• {5} # repeat exactly 5 times
• {2,5} # repeat at least twice and at most 5 times
• {2,} # repeat at least twice

Parentheses "()" can be used to form sub-patterns.

The pipe symbol "|" acts as an OR operator. The match will succeed if the pattern on either the left-hand side OR the right-hand side matches. The alternation applies to the longest pattern, not the shortest.

Ranges of potential characters may be represented as character classes by enclosing them in square brackets "[]". A leading ^ negates the character class. The allowed forms are:

• [abc] # 'a' or 'b' or 'c'
• [a-c] # 'a' or 'b' or 'c'
• [-abc] # '-' or 'a' or 'b' or 'c'
• [abc\-] # '-' or 'a' or 'b' or 'c'
• [^a-c] # any character except 'a' or 'b' or 'c'

Note that the dash "-" indicates a range of characters, unless it is the first character or it is escaped with a backslash.
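The anchoring rule above is the point most likely to surprise anyone used to search-anywhere regex engines. The Python below is an added example, not TAP's regex engine: it models MQL matching with re.fullmatch, applies the quoted-literal rule by escaping text between double quotes (an escaped \" inside a pattern is not handled by this translation), and reports the unanchored result alongside so the difference is visible. USER_AGENT and the other values are constructed.

```python
import re

# Added example, not TAP's own code: MQL patterns are implicitly anchored and
# must match the whole field value, and text inside double quotes is literal.
# re.fullmatch provides the anchoring; quoted segments are escaped before
# compiling. re.search is shown alongside for contrast. Values are constructed.

RESERVED = set('.?+*|{}[]()"\\')      # the reserved characters the guide lists

def mql_regex_to_python(pattern):
    """Translate the quoted-literal rule: segments inside double quotes become escaped literals.

    Limitation of this translation: a backslash-escaped quote (\\") is not recognised.
    """
    parts = pattern.split('"')
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced double quote in pattern: %r" % pattern)
    return "".join(part if i % 2 == 0 else re.escape(part) for i, part in enumerate(parts))

def mql_regex_match(pattern, value):
    """True only if PATTERN matches the entire VALUE, as MQL evaluates a regex."""
    return re.fullmatch(mql_regex_to_python(pattern), value) is not None

def unanchored_match(pattern, value):
    """What a search-anywhere engine would report for the same pattern, for comparison."""
    return re.search(mql_regex_to_python(pattern), value) is not None

def escape_reserved(literal):
    """Backslash-escape the reserved characters so LITERAL matches only itself."""
    return "".join("\\" + c if c in RESERVED else c for c in literal)

# Constructed field value taken from the page's user-agent example.
USER_AGENT = "User-agent=Mozilla/5.0"

if __name__ == "__main__":
    for pat in (r"User-agent=.*5\.0.*", r"User-agent=5\.0", r"5\.0"):
        print("%-24s anchored=%-5s unanchored=%s"
              % (pat, mql_regex_match(pat, USER_AGENT), unanchored_match(pat, USER_AGENT)))
    print(escape_reserved("a.b*c"), mql_regex_match(escape_reserved("a.b*c"), "a.b*c"))
```

The practical consequence for rules and searches: a pattern written to find a substring (for example a malware family name inside a raw message) must be wrapped as .*name.* or it will silently match nothing.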

Filters

MQL supports filtering on data that exists in a given field and data that is missing from a given field.

Including the keyword “has” in a search query followed by a field name filters out events which do not have that field. For example:

has:dstcity

Including the keyword “missing” in a search query followed by a field name filters out events which have that field. For example:

missing:dstcity

Directives

Directives are modifiers that instruct the search engine how to query. Directives include:

• Limit. Limit indicates the number of results to return. A limit of zero (which is the default) means that all results are returned. Note: The default value for limit is ten when in Quick Mode.
• Offset. Offset indicates how far into a result set to go before returning results.
• Cutoff. Cutoff tells the search engine to stop searching after finding the indicated number of records. The results will not be as accurate but will be returned faster.
• Start. Start represents the earliest timestamp to return.
• End. End represents the latest timestamp to return.
• Sort. Sort indicates the field on which to order the events returned. Multiple fields can be indicated with a comma (,). Sort has two options to indicate the direction of the sort: ascending (designated by “[asc]”) or descending (designated by “[desc]”).

For example:

start:yesterday end:today limit:10 offset:10 sort:timestamp[desc],bytes_in[asc] cutoff:10
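The directive example above can be applied to a result set to see how sort, offset and limit compose. The Python below is an added example, not TAP's code: it separates the directives from the search text, parses the sort specification with a per-field direction, and applies sort, offset and limit to constructed EVENTS (the timestamp field stands in for the arrival time TAP orders by, and the ids are made up). start, end and cutoff are parsed but not applied, since they constrain the search itself rather than a finished result list.

```python
import re

# Added example, not TAP's own code: pulls the directive clauses out of a query
# and applies sort, offset and limit to a constructed result set as the guide
# describes them (limit 0 = everything; Quick Mode defaults the limit to ten).
# start, end and cutoff are parsed but not applied here.

DIRECTIVE_RE = re.compile(r"(?<!\S)(limit|offset|cutoff|start|end|sort):(\S+)")

def split_directives(query):
    """Return (search_text, {directive: value}) for a query such as the page's example."""
    directives = {}
    def grab(m):
        directives[m.group(1)] = m.group(2)
        return ""
    rest = DIRECTIVE_RE.sub(grab, query)
    return " ".join(rest.split()), directives

def parse_sort(spec):
    """'timestamp[desc],bytes_in[asc]' -> [('timestamp', True), ('bytes_in', False)]; True = descending."""
    keys = []
    for part in spec.split(","):
        m = re.fullmatch(r"(\w+)(?:\[(asc|desc)\])?", part)
        if not m:
            raise ValueError("bad sort key: %r" % part)
        keys.append((m.group(1), m.group(2) == "desc"))
    return keys

def apply_directives(events, directives, quick_mode=False):
    """Sort (multi-key, per-key direction), then offset, then limit."""
    rows = list(events)
    # Python's sort is stable (also with reverse=True), so applying the keys from
    # last to first yields the multi-key order: primary key decides, later keys
    # break ties. Missing fields sort after present ones.
    for field, desc in reversed(parse_sort(directives.get("sort", "timestamp"))):
        rows.sort(key=lambda ev: (ev.get(field) is None, ev.get(field)), reverse=desc)
    offset = int(directives.get("offset", 0))
    limit = int(directives.get("limit", 10 if quick_mode else 0))
    rows = rows[offset:]
    return rows if limit == 0 else rows[:limit]

def run(query, events, quick_mode=False):
    """Return (search_text, ordered rows) for QUERY over EVENTS."""
    search, directives = split_directives(query)
    return search, apply_directives(events, directives, quick_mode)

def ids(rows):
    return [ev["id"] for ev in rows]

# Constructed events: 'timestamp' stands in for the arrival time TAP orders by.
EVENTS = [
    {"id": 1, "timestamp": 100, "bytes_in": 300},
    {"id": 2, "timestamp": 300, "bytes_in": 100},
    {"id": 3, "timestamp": 300, "bytes_in": 50},
    {"id": 4, "timestamp": 200, "bytes_in": 10},
    {"id": 5, "timestamp": 100, "bytes_in": 20},
]

if __name__ == "__main__":
    q = "rawmsg:dyn* start:yesterday end:today limit:2 offset:1 sort:timestamp[desc],bytes_in[asc] cutoff:10"
    search, rows = run(q, EVENTS)
    print(search, ids(rows))
```

With the example query, the events are ordered 3, 2, 4, 5, 1 (newest timestamp first, smallest bytes_in first within a timestamp), the offset skips event 3, and the limit keeps events 2 and 4.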

Transforms

A transform allows you to pass the results of a query through a function, which will add, remove, or modify your search results. Transforms are separated in a query by “|”. Queries can include multiple transforms. Transforms include:

• Groupby
• Histogram

Groupby

Groupby returns the unique values for a given field and the count of the distinct values. The events returned by the search when you use a groupby are representative events which are grouped. The syntax for groupby is:

<search> | groupby field_name [integer]

Field_name is any string comprised of letters, numbers, and special characters. A positive integer searches for the most frequent occurrences. A negative integer searches for the least frequent occurrences. You can specify a second integer to designate a minimum count threshold. The integer argument is optional. For example:

rawmsg:dyn* | groupby srcipv4 10 1000

Returns the top ten srcipv4s which have at least 1000 occurrences.

tcp | groupby dstport 10 1000

Returns the 10 most frequent ports which also have counts greater than 1000.

rawmsg:dyn* | groupby srcipv4 -10

Returns the 10 srcipv4s with the least number of occurrences.

tcp | groupby dstport -10 1000

Returns the 10 least frequent ports which also have counts greater than 1000.
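The groupby examples above follow a small set of rules that the Python below makes explicit. It is an added example, not TAP's implementation: it parses the groupby clause after the pipe, counts the distinct values of the field, keeps those meeting the minimum count, and orders them by frequency in the direction the sign of the integer selects. EVENTS is constructed so the results can be checked by hand, the search part before the pipe is assumed to have already been applied, and the threshold is applied as “at least”, as the first example on the page states.

```python
import re
from collections import Counter

# Added example, not TAP's own code: the groupby transform as the guide describes
# it: distinct values of a field with their counts; a positive N keeps the N most
# frequent, a negative N the N least frequent; an optional second integer is a
# minimum count (applied as "at least"). EVENTS is constructed, and the search
# before "|" is assumed to have already been applied.

def parse_groupby(clause):
    """'groupby dstport -10 1000' -> ('dstport', -10, 1000); both integers are optional."""
    m = re.fullmatch(r"groupby\s+(\S+)(?:\s+(-?\d+))?(?:\s+(\d+))?", clause.strip())
    if not m:
        raise ValueError("not a groupby clause: %r" % clause)
    n = int(m.group(2)) if m.group(2) else None
    min_count = int(m.group(3)) if m.group(3) else 0
    return m.group(1), n, min_count

def groupby(events, field, n=None, min_count=0):
    """Return [(value, count), ...]; ties are broken by value so the output is stable."""
    counts = Counter(ev[field] for ev in events if field in ev)
    rows = [(v, c) for v, c in counts.items() if c >= min_count]
    least = n is not None and n < 0
    rows.sort(key=lambda r: (r[1] if least else -r[1], str(r[0])))
    return rows if n is None else rows[:abs(n)]

def representatives(events, field, rows):
    """One representative event per group, mirroring the grouped events TAP returns."""
    return [next(ev for ev in events if ev.get(field) == value) for value, _ in rows]

def run_groupby(query, events):
    """Apply the groupby transform of '<search> | groupby ...' to already-matched EVENTS."""
    _, clause = query.split("|", 1)
    field, n, min_count = parse_groupby(clause)
    return groupby(events, field, n, min_count)

# Constructed tcp events: dstport 443 x5, 80 x4, 22 x3, 53 x2, 8080 x1.
EVENTS = [{"class": "tcp", "dstport": port}
          for port, count in ((443, 5), (80, 4), (22, 3), (53, 2), (8080, 1))
          for _ in range(count)]

if __name__ == "__main__":
    for q in ("tcp | groupby dstport 2", "tcp | groupby dstport -2",
              "tcp | groupby dstport 10 3", "tcp | groupby dstport -10 3"):
        print("%-28s -> %s" % (q, run_groupby(q, EVENTS)))
```

The negative form with a threshold is the useful one for hunting: it surfaces the rarest values that are still frequent enough not to be noise, which is how the page's last example reads.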

Histogram

To return the search results as a histogram (i.e., a graphical representation of the distribution of data), use the histogram transform. There are two types of histograms:

• Date histogram
• Field value histogram

Date histogram has the following syntax:

<search> | histogram eventtime [interval]

Where interval is one of the following:

• ‘1d’
• ‘1h’
• ‘1w’
• ‘day’
• ‘hour’
• ‘minute’
• ‘month’
• ‘quarter’
• ‘week’
• ‘year’
• ‘datetime’

Field histogram has the following syntax:

<search> | histogram keyword integer

For example:

tcp | groupby class | histogram bytes_in 500

Taxonomy

Because log data within an environment varies widely, TAP imposes a high-level standardized view of events and normalizes the data. This allows you to craft queries and to interact with the data in a more predictable, standardized way, such as searching and creating rules.

Log data from each device is run through a parser if one is available. Parsers separate the data in events into fields and label those fields according to the taxonomy. The taxonomy names and defines the types of data that appear in events.

The TAP taxonomy serves as the “dictionary” for the TAP parsers that normalize the event data. TAP parses event data so that it is more easily compared and available to use as a pivot in searches.

Meta-Classes and Classes

Classes in the TAP taxonomy represent types of events or log sources. For example, a synthetic event created by an intel hit has the class “intel_hit”.

A meta-class is simply a generic class name that refers to events from one or more actual classes in TAP. Meta-classes allow you to refer to specific types of events without knowing in which class they actually exist.

For example, if you have both Bluecoat HTTP proxies and a Palo Alto firewall with HTTP inspection enabled, your event data may have classes called “bluecoat” and “palo_alto_http”. Both contain similar data (i.e., logs of their own users browsing websites on the Internet). You can search either or both of these classes directly, but then you must remember to use a query like “class=bluecoat OR class=palo_alto_http”, which is more complicated and therefore more error-prone. Instead you can use the meta-class called http_proxy, which references records from both classes. In other words, the search “class=http_proxy” is equivalent to “class=bluecoat OR class=palo_alto_http”, but is easier to remember and type.

Fields

Field names in MQL queries consist of a string of letters and numbers. Each distinct field is the string up to a white space or a string within quotes “”. Field names are determined by the taxonomy. They are not case sensitive and can be written in either lowercase or uppercase.

Fields containing strings that have not been normalized (i.e., parsed using a TAP parser against the taxonomy) will match only on the entire contents of the field. All parsed fields (i.e., fields designated by a TAP parser against the taxonomy) will match on partial values.

All events in TAP (whether part of a class or meta-class) have the following fields:

• rawmsg
• rawmsgid
• rawmsghostipv4 or rawmsghostipv6
• rawmsgtimeutc
• class
• classid

If the field does not apply to that event, that field is still present, but has no value. Pleaserefer to the Master MAP Taxonomy v2.xlsx for a description of what these fields mean.


Aliases

MQL syntax recognizes aliases for field names. An alias searches all fields that are designated as corresponding to that alias. Using an alias allows you to search multiple fields at the same time without knowing the exact name of each field. An alias will match on any field which it represents.

Caution: We recommend using aliases sparingly. While this type of query may be useful, it is time intensive to run because the search must look at every field that the alias represents.

Note: If you want to search a specific set of field names, use a list instead.

Aliases include:

• IP, SRCIP, and DSTIP
• Host
• ID
• MAC
• Port
• Interface
• Hash

For example, a search on the hash alias is equivalent to searching each of the fields it represents:

hash=[hash or MD5 or SHA1 or SHA256 or SHA512]

IP, SRCIP, DSTIP

The alias ‘ip’ references fields which contain IP addresses such as:

• rawmsghostipv4 (IPv4 address of the host sending the raw message)
• rawmsghostipv6 (IPv6 address of the host sending the raw message)
• ip (general purpose field for representing an IPv4 address that is only used when the source or destination is either unclear or unknown)
• srcipv4 (IPv4 address of the source)
• srcipv6 (IPv6 address of the source)
• dstipv4 (IPv4 address of the destination)
• dstipv6 (IPv6 address of the destination)
• cidr (Classless Inter-Domain Routing (CIDR) notation)
• transsrcip (Translated IPv4 address of the source)
• transsdstip (Translated IPv4 address of the destination)
• defgw (Default gateway typically referenced in network events)
• ipmask (IP network mask)
• intnatip (Internal NAT IP address used in NAT logs)
• extnatip (External NAT IP address used in NAT logs)


• xfwdforip (X-Forwarded-For header value, comma + space delimited if more than one)
• callingsrcip (Source IP of a remote calling identity, typically observed in Windows event logs as calling address)
• targetip (Typically observed in host IDS/IPS, AV, and other logs when referencing a targeted system or user)

For example:

ip=215.18.25.33
ip:215.18.25.0/24

Like ip, the alias ‘srcip’ references keywords that have a directional orientation as a source IP value of some sort, such as:

• rawmsghostipv4 (IPv4 address of the host sending the raw message)
• rawmsghostipv6 (IPv6 address of the host sending the raw message)
• srcipv4 (IPv4 address of the source)
• srcipv6 (IPv6 address of the source)
• transsrcip (Translated IPv4 address of the source)

For example:

srcip:25.18.25.33

Like ip, the alias ‘dstip’ references keywords that have a directional orientation as a destination IP value of some sort, such as:

• dstipv4 (IPv4 address of the destination)
• dstipv6 (IPv6 address of the destination)
• transsdstip (Translated IPv4 address of the destination)

For example:

dstip=215.18.25.33

Host

The ‘host’ alias references all keywords for a hostname. You can search for the complete hostname or for a portion of a fully qualified hostname. HOST references such fields as:

• rawmsghostname (Hostname, when available, of the host sending the raw message. In some cases, this may be a log relay or forwarder.)
• targethost (Typically observed in IDS/IPS, AV, and other logs when referencing a targeted system or user)
• hostname (Hostname which is used whenever the source or destination is unclear or unknown)
• srchost (Hostname of the source machine when direction is known and/or relevant, which typically resolves to srcipv4 or srcipv6)


• desthost (Hostname of the destination machine when direction is known and/or relevant, which typically resolves to dstipv4 or dstipv6)
• server (Hostname for when srchost or dsthost do not apply, such as a central management server, proxy, or router serving a nondirectional role)
• node (Hostname for specific references to a node that is typically a sensor node)
• agent (Name of an agent)
• sensor (Name of a sensor)
• workstation (Name of workstation, used only when hostname is already used and workstation is explicitly declared)

For example:

host=corp-12345
host:subdomain
host=mycompany.com
host:corp-12345.subdomain.mycompany.com

ID

The ‘id’ alias is a generic term for referencing all keywords that contain some type of ID. ID references such keywords as:

• classid (Class ID for event collection)
• eventid (Specific event identifier)
• protoid (Numerical representation of a protocol (6=TCP, 17=UDP, 47=GRE, etc.))
• connectionid (Specific connection identifier)
• transactionid (Specific transaction identifier)
• sessionid (Specific session identifier)
• deviceid (Specific device identifier)
• agentid (Specific agent identifier)
• accountid (Specific account identifier)
• uid (Used when a given user (i.e., joesample) also has a unique user ID or GUID (i.e., 9473))
• gid (Specific group identifier)
• policyid (Specific policy identifier)
• portid (Specific port ID or terminal port ID)
• pid (Specific process ID, typically used for application PIDs)
• ppid (Specific parent process ID, typically used for application PPIDs)
• ruleid (Rule or signature ID containing a unique ID for a given rule or signature)
• referenceid (Specific reference ID relating two or more things together)
• requestid (Specific request ID, specifying the identifier of a given request)
• callid (Specific call identifier)
• handleid (Specific handle identifier, referring to process handle IDs)


• operationid (Specific operation identifier)
• callinguid (User ID of a remote calling identity, typically observed in Windows event logs as calling ID)
• cveid (Common Vulnerabilities and Exposures identifier, can be referenced by either reference number or year)
• processid (Specific process identifier)
• creatorprocessid (Specific creator process identifier)
• threadid (Specific thread identifier)
• stationid (Specific station identifier)
• fileid (Specific file identifier)
• parentfileid (Specific parent file identifier. In Bro logs, this is the identifier associated with a container file from which the child (fileid) was extracted as part of the file analysis)
• sentfileid (Sent file identifier, found in Bro http logs as the orig_fuids value, indicates the file identifier of a file pertaining to an originator)
• rcvdfileid (Received file identifier, found in Bro http logs as the resp_fuids value, indicates the file identifier of a file pertaining to a receiver)
• lastalertid (In Bro ssl logs, the last_alert field is the last alert that was seen during the connection)

For example:

id:5649

MAC

The ‘mac’ alias allows you to search for a MAC address regardless of the hex value delimiter format and includes such keywords as:

• mac (General purpose field for MAC address, used whenever)
• macoui (Organizationally Unique Identifier of a MAC address)
• srcmac (MAC address of the source when direction is known)
• dstmac (MAC address of the destination when direction is known)

You can also search by the OUI portion of the MAC address. For example:

mac=01:23:45:67:89:ab
mac:01-23-45

Port

The ‘port’ alias references keywords that contain a network port value such as:

• srcport (Source port number)
• dstport (Destination port number)


• transsrcport (Translated source port number)
• transdstport (Translated destination port number)

For example:

port=80

Interface

The ‘interface’ alias references keywords that contain a network interface value such as:

• interface (Logical or physical network interface used for communications (eth0, eth1, etc.) when orientation is unknown)
• localinterface (Local interface identifier, typically network or firewall events specifying interface orientation)
• foreigninterface (Foreign interface identifier, typically network or firewall events specifying interface orientation)

For example:

(interface=eth0 or interface=eth1) and ip=22.33.44.55

Hash

The ‘hash’ alias references keywords that contain a cryptographic hash value and can be used in cases where you have not memorized or do not know the specific cryptographic hash algorithm used to generate the hash, such as:

• hash (General purpose field for storing any type of message digest hash value)
• MD5 (computed MD5 hash of an object)
• SHA1 (computed SHA1 hash of an object)
• SHA256 (computed SHA256 hash of an object)
• SHA512 (computed SHA512 hash of an object)

For example:

hash=24a938a1fcc5df0a7e78267aac0a41ca
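The alias behaviour described in this Aliases section, as an added Python example rather than TAP's own code: it expands an alias into the explicit OR of fields the guide lists for it, and applies the matching rules the text gives (CIDR notation for ip, delimiter-independent and OUI-prefix matching for mac, case-insensitive equality for hash). The alias table is a subset copied from the lists above (field names lower-cased, since the guide says they are not case sensitive); the events are constructed, and the comma + space splitting follows the xfwdforip field description.

```python
import ipaddress
import re

# Alias -> fields, taken from the alias lists in this guide (a subset; the
# host, id, port and interface aliases work the same way with plain equality).
ALIASES = {
    "ip":    ["rawmsghostipv4", "rawmsghostipv6", "ip", "srcipv4", "srcipv6",
              "dstipv4", "dstipv6", "transsrcip", "transsdstip", "intnatip",
              "extnatip", "xfwdforip", "callingsrcip", "targetip"],
    "srcip": ["rawmsghostipv4", "rawmsghostipv6", "srcipv4", "srcipv6", "transsrcip"],
    "dstip": ["dstipv4", "dstipv6", "transsdstip"],
    "mac":   ["mac", "macoui", "srcmac", "dstmac"],
    "hash":  ["hash", "md5", "sha1", "sha256", "sha512"],
}

# Constructed sample events (not TAP output), keys lower-cased.
EVENTS = [
    {"class": "bluecoat", "srcipv4": "10.1.2.3", "dstipv4": "215.18.25.33",
     "xfwdforip": "10.9.9.9, 215.18.25.77"},
    {"class": "dhcp", "srcmac": "01-23-45-67-89-AB", "srcipv4": "10.1.2.4"},
    {"class": "av", "targetip": "215.18.26.5", "md5": "24a938a1fcc5df0a7e78267aac0a41ca"},
    {"class": "nat", "intnatip": "10.1.2.3", "extnatip": "203.0.113.7",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def expand_alias(alias, op, value):
    """Rewrite alias<op>value into the explicit OR of field terms it stands for."""
    fields = ALIASES[alias.lower()]
    return "(" + " OR ".join(f"{f}{op}{value}" for f in fields) + ")"


def norm_mac(s):
    """Drop ':' '-' '.' and case so MAC values compare regardless of delimiter."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def mac_matches(query, stored):
    """Full 48-bit match, or OUI (first 6 hex digits) prefix match, per the guide."""
    q, st = norm_mac(query), norm_mac(stored)
    if len(q) == 12:
        return q == st
    return len(q) == 6 and st.startswith(q)


def ip_matches(query, stored):
    """Literal address or CIDR range (e.g. ip:215.18.25.0/24); non-IP text never matches."""
    try:
        addr = ipaddress.ip_address(stored)
    except ValueError:
        return False
    if "/" in query:
        return addr in ipaddress.ip_network(query, strict=False)
    return addr == ipaddress.ip_address(query)


def _value_matches(alias, query, stored):
    # xfwdforip may carry several addresses, comma + space delimited.
    for part in str(stored).split(", "):
        if alias == "mac":
            if mac_matches(query, part):
                return True
        elif alias in ("ip", "srcip", "dstip"):
            if ip_matches(query, part):
                return True
        elif part.lower() == str(query).lower():
            return True
    return False


def alias_search(events, alias, query):
    """Return the events in which any field the alias stands for matches query."""
    alias = alias.lower()
    return [e for e in events
            if any(e.get(f) is not None and _value_matches(alias, query, e[f])
                   for f in ALIASES[alias])]


if __name__ == "__main__":
    print(expand_alias("hash", "=", "24a938a1fcc5df0a7e78267aac0a41ca"))
    print(alias_search(EVENTS, "ip", "215.18.25.0/24"))   # ip:215.18.25.0/24
    print(alias_search(EVENTS, "mac", "01-23-45"))         # mac:01-23-45 (OUI)
```

The srcip and dstip aliases are deliberately narrower than ip: an address that only appears in xfwdforip or intnatip is found by ip but not by srcip or dstip, which is why the guide presents them as separate aliases.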

Intel Hit Searches

Each intel hit creates a synthetic event with the class of “intel_hit”. To find all events that are intel hits, run the query class=intel_hit and select specific dates in the Search box.

To further refine the intel hits that the search returns:

• Type. To see the number of hits that are based on commodity and curated intelligence, use the query class=intel_hit | groupby type.
• Intelscore. To see the number of intel hits with each intelligence score (i.e., low, medium, high, or critical), use the query class=intel_hit | groupby intelscore.


• Malware family. To see how many intel hits each intel malware family accounts for, use the query class=intel_hit | groupby intelmalwarefamily.


Rules

A TAP rule is a search query that is run automatically to locate matches (aka “hits”). When matches are found, the rule generates an alert based on the rule’s frequency and distinguishers.

Threshold and time window options work together to determine the frequency with which the rule generates an alert. The threshold is the number of times that a rule must hit within the specified time window for an alert to be generated. For example, if the threshold is five and the time window is one hour, an alert is generated when the rule produces five hits (i.e., matches five different events) within one hour.

A distinguisher is a field in an event that a rule uses to differentiate hits for the purpose of creating alerts. The distinguisher is typically a hostname or IP address but can be any field. Where multiple events refer to the same type of activity, you might want a single alert instead of many. For example, you have a rule that detects RAR files being transferred over the network. You do not want an alert each time a RAR file is transferred from the same host. By adding srcip (source IP) as a distinguisher, only one alert is generated for each host sending RAR files.

A single rule can also generate multiple alerts based on its distinguishers. For example, a rule has two distinguishers: source IP and destination IP. For every combination of srcip and dstip found to match the rule criteria, TAP creates an alert.

Each rule is assigned a unique ID for tracking.

To be effective, some rules require events from specific types of log sources, and those events must be parsed.

There are two types of rules:

• FireEye-defined rules. FireEye experts create rules within rule packs to attempt to detect a wide range of malicious activities.
• Customer-defined rules. You can use custom-defined rules to detect events specific to your environment and organizational needs and generate alerts based on those rules.

Rule Packs

Rules are grouped together into Rule Packs. Rule Packs serve as containers for groups of rules. FireEye-defined rules are assigned to FireEye rule packs. Any rules that you define can only be assigned to rule packs that you define.

To create a rule pack, select Rule Packs at the top of the Rules page, then click Create New Rule Pack. On the Create New Rule Pack window, enter a name for the rule pack.


Once you have created a rule pack, you can assign a rule to it when the rule is createdor by updating the rule.

View Rules

To view the details for a rule as well as its revision history, select View/Edit from the action menu when the rule is selected on the Rules page.

Enable and Disable Rules

Individual rules as well as all the rules within a rule pack can be enabled and disabled. If a rule is producing many false positive alerts, you may decide to disable it. When displaying Rules, the Rules page indicates whether a rule is enabled or disabled. To change its status, select the rule, click the action icon, and select either Enable or Disable.

When displaying Rule Packs, the Rules page indicates the number of enabled and disabled rules within each rule pack. To change all the rules in a rule pack to either enabled or disabled, select the rule pack, click the action icon, and select Disable All or Enable All.

Create User-Defined Rules

There are two ways for you to create new rules in TAP:

• Create a rule on the Rules page
• Create a rule from a search on the Search bar

When creating a rule, specify the following on the Create New Rule window:

• Name
• Status of enabled or disabled
• Description
• Query. When creating a rule from the Search bar, the query is the query used to find the search results.

• Distinguisher. A distinguisher is a field in an event that a rule uses to differentiate hits for the purpose of creating alerts. The distinguisher is typically a hostname or IP address but can be any field. Where multiple events refer to the same type of activity, you might want a single alert instead of many. For example, you have a rule that detects RAR files being transferred over the network. You do not want an alert each time a RAR file is transferred from the same host. By adding srcip (source IP) as a distinguisher, only one alert is generated for each host sending RAR files. A single rule can also generate multiple alerts based on its distinguishers. For example, a rule has two distinguishers: source IP and destination IP. For every combination of srcip and dstip found to match the rule criteria, TAP creates an alert.


• Threshold as a number and time window as a number, then select hours, minutes, or seconds as the unit of time. Threshold and time window options work together to determine the frequency with which the rule generates an alert. The threshold is the number of times that a rule must hit within the specified time window for an alert to be generated. For example, if the threshold is five and the time window is one hour, an alert is generated when the rule produces five hits (i.e., matches five different events) within one hour.
• Rule pack
• Confidence, which can be low, medium, or high, indicates how likely it is that the rule will detect events that correspond to the type of activity anticipated (i.e., the likelihood that the rule will produce true positives).
• Severity, which can be low, medium, or high, indicates how much of an impact a hit with this rule could have on an organization if verified to be a true positive.

The confidence and severity combine to form the risk attribute of the alert.
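The threshold, time window and distinguisher behaviour described for rules above (in the Rules introduction and again in the Create New Rule options), as an added Python example that is not TAP's own implementation. It replays constructed proxy events through the RAR-transfer rule used as the example in the text and shows how the choice of distinguishers changes which alerts fire. Two details are assumptions, because the guide does not state them: the window is a sliding window over the hits' event times, and the hits that fire an alert are consumed so the next alert for the same distinguisher combination needs a fresh set of hits.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_rule(events, query, distinguishers, threshold, window_seconds):
    """Replay events through a TAP-style rule.

    query: predicate over an event (the rule's search); each True is a hit.
    distinguishers: fields whose value combination gets its own alert stream.
    An alert is produced when `threshold` hits for one combination fall within
    `window_seconds` (sliding window over event time). Assumption, not stated
    in the guide: the hits that fire an alert are consumed afterwards.
    """
    recent = defaultdict(deque)        # distinguisher values -> hit timestamps
    alerts = []
    for e in sorted(events, key=lambda ev: ev["eventtime"]):
        if not query(e):
            continue
        key = tuple(e.get(f) for f in distinguishers)
        ts = _parse(e["eventtime"])
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()           # oldest hit fell outside the time window
        if len(window) >= threshold:
            alerts.append({"time": e["eventtime"], "hits": len(window),
                           "distinguishers": dict(zip(distinguishers, key))})
            window.clear()
    return alerts


# Constructed proxy events (not TAP output) for the RAR-transfer rule.
def _ev(t, src, dst, url):
    return {"class": "bluecoat", "eventtime": t, "srcipv4": src, "dstipv4": dst,
            "rawmsg": f"{src} GET {url}"}


X, Y = "198.51.100.10", "198.51.100.20"
EVENTS = [
    # host A: five RAR transfers in 30 minutes, split across two destinations
    _ev("2014-03-01T10:00:00Z", "10.0.0.5", X, f"http://{X}/a.rar"),
    _ev("2014-03-01T10:05:00Z", "10.0.0.5", X, f"http://{X}/b.rar"),
    _ev("2014-03-01T10:10:00Z", "10.0.0.5", Y, f"http://{Y}/c.rar"),
    _ev("2014-03-01T10:12:00Z", "10.0.0.5", X, f"http://{X}/index.html"),  # not a hit
    _ev("2014-03-01T10:20:00Z", "10.0.0.5", X, f"http://{X}/d.rar"),
    _ev("2014-03-01T10:30:00Z", "10.0.0.5", Y, f"http://{Y}/e.rar"),
    # host B: three RAR transfers in two minutes
    _ev("2014-03-01T10:00:00Z", "10.0.0.6", X, f"http://{X}/f.rar"),
    _ev("2014-03-01T10:01:00Z", "10.0.0.6", X, f"http://{X}/g.rar"),
    _ev("2014-03-01T10:02:00Z", "10.0.0.6", X, f"http://{X}/h.rar"),
    # host C: five RAR transfers, but spread 45 minutes apart
    _ev("2014-03-01T09:00:00Z", "10.0.0.7", X, f"http://{X}/i.rar"),
    _ev("2014-03-01T09:45:00Z", "10.0.0.7", X, f"http://{X}/j.rar"),
    _ev("2014-03-01T10:30:00Z", "10.0.0.7", X, f"http://{X}/k.rar"),
    _ev("2014-03-01T11:15:00Z", "10.0.0.7", X, f"http://{X}/l.rar"),
    _ev("2014-03-01T12:00:00Z", "10.0.0.7", X, f"http://{X}/m.rar"),
]


def rar_transfer(e):
    """The rule's search: proxy events whose raw message references a .rar file."""
    return e.get("class") == "bluecoat" and ".rar" in e.get("rawmsg", "").lower()


if __name__ == "__main__":
    # threshold 5 in 1 hour, one alert per source host: only host A fires
    print(evaluate_rule(EVENTS, rar_transfer, ["srcipv4"], 5, 3600))
    # threshold 3 in 1 hour, one alert per (source, destination) pair: B and A->X fire
    print(evaluate_rule(EVENTS, rar_transfer, ["srcipv4", "dstipv4"], 3, 3600))
```

Host C illustrates why the time window matters: it transfers as many RAR files as host A, but never five within one hour, so it is only caught once the window is widened to a day. Adding dstipv4 as a second distinguisher splits host A's hits between two streams, which is the "one alert per combination" behaviour described above and can push a busy host under the threshold.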

Update User-Defined Rules

FireEye-defined rules can be enabled or disabled but not updated. Any rules that you create can be enabled or disabled and updated.

To update a rule that you have created, click Edit when viewing a rule. The options on the Update Rule window are the same as when a new rule is created.

Delete Rules

To delete a rule or a rule pack, select it on the Rules page and, from the action menu, select Delete.

Caution: This action cannot be undone. Deleting a rule pack deletes all the rules that are in that rule pack.

Import and Export Rules

Rules must be in .json format to be imported. To import a rule, when viewing rules on the Rules page, click Import to open the Import Rule window. You can either select a rule pack to which the new rule will be added or select the option to use the rule pack identified in the rule being imported. Choose a .json file to import.

Rules are exported in .txt format. To export a rule, click Export when viewing the rule.


Alerts

An alert is a notification that at least one event of interest has occurred. The event or events may have possible security impacts or may be of interest based on some other criteria that you have defined. Alerts can be considered possible candidates for incidents.

Alerts originate from one of the following:

• FireEye-defined rules
• User-defined rules
• Intel hits

TAP assigns each alert one of the following risk values:

• Critical
• High
• Medium
• Low

Risk describes the overall potential risk to the organization if the alert is a true positive. It is typically used to prioritize alert verification and response activities.

Suppress Alerts

There may be situations in which you prefer not to see specific alerts; for example, alerts may continue to appear while an incident responder is actively engaged in responding to a potential compromise.

TAP gives you the option to suppress any alerts that match an existing alert’s origin, trigger, and distinguishers for 1 hour, 12 hours, 24 hours, 2 days, 3 days, 1 week, 2 weeks, or 1 month. A suppressed alert does not appear anywhere in TAP.

To suppress an alert, select the alert on the Alerts page and select Suppress from the action menu. On the Suppress Alert window, select a time frame.

Add Alerts to Incidents

After determining that an alert requires further action, you can convert it to an incident by using it to create a new incident. When an alert is added to an incident, the status of the alert changes to Closed.


Incidents

An incident is a grouping of one or more events or alerts that combine to describe a situation that needs further investigation.

An incident may contain multiple alerts. For example, a targeted attack by a single attacker may generate multiple alerts because different hosts across the environment were compromised, but all of those alerts can be added to a single incident that is then assigned to one person who leads the response.

Incidents have the following characteristics:

• Priority. Like the risk associated with alerts, priority can be critical, high, medium, or low to indicate the order in which the incident should be examined relative to other incidents.
• Classification. Classification provides a mechanism for labeling the type of incident and includes the following labels: testing/demonstration, unauthorized access, denial of service, malicious code, policy violation or poor practice, reconnaissance, phishing, and other.
• Status. Status designates the stage of the investigation and includes declared, scoped, contained, recovered, and improved.
• Assignee. Any TAP user can be designated as the assignee. Assigning an incident to one person avoids the issue of multiple people responding to the same issue and duplicating efforts unnecessarily.

Create New Incident

TAP has three ways to create a new incident:

1. Create an incident on the Incidents page, then manually add events
2. Select events based on search results and use those events to create a new incident
3. Convert an alert and its corresponding events into an incident

To create an incident on the Incidents page, click Create New Incident. On the Create New Incident window, enter a name and description. Select the priority, classification, and initial status for the incident. Then add events to it.

To create an incident using events from a search, on the Search page, select events from the search results and click Add to Incident. The Create New Incident window opens with the associated events listed. Select create new incident, then complete the name and description and select the priority, classification, and initial status for the incident.

To create an incident by using an alert and its associated events, select an alert and under the action menu click Add to Incident. The details for the alert map to the details for the incident, with the alert’s risk mapping to the incident’s priority.


Add Events to Existing Incident

After running a search, you can add the events found to any existing incident. Select the events on the Search page and click Add to Incident. Select the incident to which you want to add the events.

Assign Incident and Investigate

Any user in TAP can be assigned to an incident. To designate an assignee for an incident, select it on the Incidents page and under the action icon select View/Edit. Select the assignee from the drop-down menu.

During the course of the investigation, you can also update the incident’s priority and classification if needed. To update an incident, select it on the Incidents page and under the action icon select View/Edit. Click Edit to open the Edit Incident window and make any needed changes.

View Alert Details

New alerts are displayed prominently in an Alert box on the Dashboard page.

The Alerts page shows metrics on alerts, such as the summary of active alerts, the highest daily number of alerts, and the average number of daily alerts, as well as a list of alerts that you can filter by status.

For each alert, additional details are available by clicking the action icon and selecting View Details.
