Endpoint Detection and Response uses the Flight Recorder feature to search event data captured from your managed endpoints so you can investigate incidents and identify indicators of compromise (IoCs). You can search file, registry, process, and networking activity from up to the past 30 days to threat hunt or to reconstruct how a compromise unfolded in your environment.
NOTICE - By default, Flight Recorder data retention is disabled. Enable it by selecting the Flight Recorder Search checkbox for each supported OS in the Endpoint Detection and Response policy settings. Events are only retained from the time the setting is enabled, so activity that occurred before you turn it on cannot be searched.
Features
- Log and monitor event data across endpoints.
- Identify indicators of compromise on endpoints.
- Receive customized data based on search queries for threat analysis.
Search events
The Flight Recorder page lets you search the stored data types using any combination of operators to build a compound search query. After a search runs, click Reset to clear all selected search parameters, or click Copy Search to share the search results. You can also use the Bulk Upload feature to submit a list of IoCs to search for across all endpoints.
Select all sites, or specific sites, at the top right to choose the scope of the Flight Recorder search. Click the add or delete icons to add or remove search parameters. Then choose the maximum number of results and the time range, and run the search.
Note: The Collect networking events to include in searching toggle must be enabled under Policy Settings to search for network data. To enable this setting, see Endpoint Detection and Response policy settings in OneView.
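Indicator lists gathered from several sources are rarely clean: digests arrive in mixed case, with trailing comments, duplicates, or truncated values, and a malformed line is easy to miss in a long upload. The following Python script is an added example (it is not part of the Flight Recorder product or its documentation) that normalizes such a list before Bulk Upload: it classifies each value as MD5, SHA1, SHA256 or SHA512 by its hex length, lowercases and deduplicates, and reports rejected lines instead of silently dropping them. The one-indicator-per-line upload format and the sample list are assumptions for illustration; the digests in the sample are the well-known digests of empty input, not real indicators.

```python
import re
from collections import defaultdict

# Hex-digest length -> algorithm, matching the hash columns Flight Recorder reports.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value):
    """Return 'md5', 'sha1', 'sha256' or 'sha512' for a hex digest, else None."""
    v = value.strip()
    if not HEX_RE.fullmatch(v):
        return None
    return HASH_LENGTHS.get(len(v))


def normalize_ioc_list(text):
    """Parse free-form indicator text (one IoC per line; '#' starts a comment).

    Returns (by_algo, rejected): a dict of algorithm -> set of lowercase
    digests, and a list of (line_number, text) for lines that are not a
    well-formed digest, so they can be reviewed rather than silently lost.
    """
    by_algo = defaultdict(set)
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        algo = classify_hash(line)
        if algo is None:
            rejected.append((lineno, line))
            continue
        by_algo[algo].add(line.lower())
    return dict(by_algo), rejected


def bulk_upload_lines(by_algo):
    """Flatten the normalized sets into one digest per line (assumed upload
    format), strongest algorithm first, sorted for stable diffs."""
    ordered = ("sha512", "sha256", "sha1", "md5")
    return [h for algo in ordered for h in sorted(by_algo.get(algo, ()))]


# Constructed sample list for this example. The digests are the well-known
# digests of empty input and are not real indicators.
SAMPLE_IOCS = """
# exported from a threat-intel note (constructed)
D41D8CD98F00B204E9800998ECF8427E                  # md5
da39a3ee5e6b4b0d3255bfef95601890afd80709          # sha1
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855   # same sha256, different case
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b85    # one hex digit short: rejected
update.exe                                         # a file name, not a hash: rejected
"""

if __name__ == "__main__":
    by_algo, rejected = normalize_ioc_list(SAMPLE_IOCS)
    for algo, digests in sorted(by_algo.items()):
        print(f"{algo}: {len(digests)} indicator(s)")
    for lineno, text in rejected:
        print(f"rejected line {lineno}: {text}")
    print("\n".join(bulk_upload_lines(by_algo)))
```

Review the rejected lines before uploading: a digest that is one character short will never match anything, so a search built from it returns a misleading "no results".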
Investigate events
The information returned by a Flight Recorder search is intended for retrospective investigation: it shows which of your endpoints are affected by, or related to, the processes in the results, so you can decide on the response that fits your environment. Results are displayed in the Types of Events bar graph and in a corresponding list of processes in the Endpoints Process table.
Types of Events graph
The Types of Events bar graph shows the total number of events matching your search query within the time range you specified. The color-coded bars show which event types were found. Hover your cursor over a bar to see the total number of events of that type across your endpoints. Events are broken down into:
- Process: Shown as dark blue.
- Registry: Shown as yellow.
- FileSystem: Shown as blue.
- Network: Shown as orange.
- Script Activity: Shown as light blue.
- Network Event: Shown as pink.
Endpoints Process
The Endpoints Process section shows detailed information about the events detected on each endpoint to inform your response. If a process poses a risk to the environment, check the boxes next to the affected rows and select Isolate Endpoint(s) from the Actions drop-down menu at the top right.
To investigate a process or file further, use the Check VirusTotal or Upload File action. This submits the file for sandbox analysis; for more information, see Overview of Sandbox Analysis in OneView.
The Process section displays the following information:
- Process Path: The name and location of the process found by Flight Recorder. Click a process path to view a visual representation of the selected process. Each node is selectable and opens slide-out details, including Raw Event info, the same details shown by the Process Graph in Suspicious Activity Details. For information on the Process Graph, see Suspicious Activity Status in OneView.
- Endpoint: The name of the endpoint.
- First Seen: Shows a time stamp when the event was first detected.
- Last Seen: Shows a time stamp when the event was last detected.
- PID: The number that identifies a running process on an endpoint. A PID is only unique while the process is running and is reused after it exits, so correlate on the endpoint, PID, and First Seen/Last Seen together rather than on the PID alone.
- Events: Shows the different types of events found by Flight Recorder. Hover your cursor over the color-coded icons to see the number of each event type. Colors correspond with the Types of Events graph.
- User Account: The last user signed into the endpoint. This is not necessarily the account the process ran under.
- Status: Status of the endpoint, whether a scan is needed or remediation is required.
- Actions: The actions available for the endpoint, such as isolating it or submitting the file for analysis, as described above.
- Group: Shows the endpoint's group.
- MD5: The MD5 hash of the file, if applicable. MD5 is no longer collision resistant; use it only to match legacy indicators.
- OS Platform: The operating system of each endpoint in the results list.
- Policy: The endpoint's policy.
- SHA1: The SHA1 hash of the file, if applicable. Like MD5, SHA1 is no longer collision resistant.
- SHA256: The SHA256 hash of the file, if applicable. Prefer SHA256 when matching indicators across sources.
- SHA512: The SHA512 hash of the file, if applicable.
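A result row may populate only some of the hash columns, and the columns may be exported in either case, so confirming that a local sample is the same file as a Flight Recorder hit, and then listing the endpoints that need isolation, takes a little care. The following Python script is an added example (not part of the product or its documentation): it hashes a sample once with all four algorithms, matches it against result rows using whichever hash columns each row populates, and pivots the matches to endpoint -> processes. The row layout and column names are assumptions, and the constructed sample uses the standard test-vector digests of the three bytes "abc" in place of a real binary's hashes.

```python
import hashlib
import io
from collections import defaultdict

# The hash columns the Endpoints Process table exposes.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream, chunk_size=1 << 20):
    """Read a binary stream once and return lowercase hex digests for every
    algorithm in ALGOS, so a local sample can be compared with whichever
    hash column a result row happens to populate."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, chunk_size=1 << 20):
    return digest_stream(io.BytesIO(data), chunk_size)


def rows_matching(rows, digests):
    """Return the rows whose populated hash columns all equal `digests`.

    Comparison is case-insensitive because exported hash columns may be in
    either case. A row with no hash column at all never matches: an empty
    field is absence of data, not a match.
    """
    matched = []
    for row in rows:
        populated = [a for a in ALGOS if row.get(a)]
        if populated and all(row[a].lower() == digests[a] for a in populated):
            matched.append(row)
    return matched


def endpoints_by_process(rows):
    """Pivot rows to endpoint -> set of (process_path, pid): the view needed
    before choosing which endpoints to isolate."""
    pivot = defaultdict(set)
    for row in rows:
        pivot[row["endpoint"]].add((row["process_path"], row["pid"]))
    return dict(pivot)


# Constructed sample. The known digests of b"abc" stand in for a suspicious
# binary's hashes; column names are assumed and not an exported format.
SAMPLE_PAYLOAD = b"abc"
SAMPLE_ROWS = [
    {"endpoint": "WS-0142", "process_path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "pid": 4120, "md5": "", "sha1": "",
     "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", "sha512": ""},
    {"endpoint": "WS-0207", "process_path": r"C:\Users\bob\Downloads\update.exe",
     "pid": 988, "md5": "900150983CD24FB0D6963F7D28E17F72",
     "sha1": "A9993E364706816ABA3E25717850C26C9CD0D89D", "sha256": "", "sha512": ""},
    {"endpoint": "SRV-01", "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "pid": 2260, "md5": "", "sha1": "",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "sha512": ""},
    {"endpoint": "WS-0142", "process_path": r"C:\Windows\System32\reg.exe",
     "pid": 5512, "md5": "", "sha1": "", "sha256": "", "sha512": ""},
]

if __name__ == "__main__":
    digests = digest_bytes(SAMPLE_PAYLOAD)
    hits = rows_matching(SAMPLE_ROWS, digests)
    for endpoint, procs in sorted(endpoints_by_process(hits).items()):
        print(endpoint, sorted(procs))
```

Hashing all four algorithms in a single pass costs one read of the file rather than four, which matters for large samples; the per-row comparison uses every populated column so that a row whose MD5 matches but whose SHA256 does not is reported as a non-match rather than a hit.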