If Flight Recorder Search in Nebula is not returning the results you expect, the cause is usually one of three things: required ThreatDown domains blocked by your firewall, a policy that does not have the feature enabled, or search parameters that do not match the data Nebula has stored.
Initial troubleshooting
When first troubleshooting Flight Recorder Search, check the following:
- The ThreatDown domains are allowed through your firewall appliance. For more information, see Network access requirements for Nebula.
- The Suspicious activity monitoring and Flight Recorder Search boxes are both enabled in the Nebula policy assigned to the endpoint. For more information, see Endpoint Detection and Response policy settings in Nebula.
- Suspicious activity monitoring for servers is enabled if you are using Flight Recorder Search on a server.
- Collect networking events to include in searching is enabled if you are searching for a contacted IP address or domain.
Note: This setting can increase the amount of network traffic sent to Nebula.
To verify that Flight Recorder Search is enabled on an individual device, generate diagnostic logs and check the policy.txt file. It should contain data_retention_enabled; true. If it shows false, re-check the policy assigned to that endpoint and confirm the device has received the updated policy.
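The following script automates that policy.txt check across diagnostic-log bundles. It is an added example, not ThreatDown code: it assumes policy.txt is plain text with one setting per line, written as "key; value" (as quoted above) or "key: value", and that the setting name is exactly data_retention_enabled.

```python
"""Check a Nebula diagnostic-log policy.txt for the Flight Recorder Search setting.

Added example, not ThreatDown code. Assumes policy.txt is plain text, one
setting per line as "key; value" or "key: value", and that the relevant key
is data_retention_enabled (the only key name quoted in the article).
"""
import re
import sys
from pathlib import Path

POLICY_KEY = "data_retention_enabled"
# key, a ';' ':' or '=' separator, then the value; tolerant of surrounding spaces
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[;:=]\s*(.*?)\s*$")


def parse_policy(text: str) -> dict:
    """Return {key: value} with both lower-cased; lines that do not match are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def flight_recorder_enabled(text: str):
    """True/False for data_retention_enabled, or None if the key is absent."""
    value = parse_policy(text).get(POLICY_KEY)
    if value is None:
        return None
    return value in ("true", "1", "yes")


def check_file(path) -> int:
    """Exit code 0 = enabled, 1 = disabled, 2 = key absent or file unreadable."""
    try:
        state = flight_recorder_enabled(Path(path).read_text(errors="replace"))
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    if state is None:
        print(f"{POLICY_KEY} not found in {path}; the endpoint may not have the EDR policy yet")
        return 2
    print(f"{path}: {POLICY_KEY} = {state}")
    return 0 if state else 1


# Constructed sample in the shape quoted above, used when no path is given.
SAMPLE = "some_other_setting; 5\ndata_retention_enabled; true\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_file(sys.argv[1]))
    print("sample policy enabled:", flight_recorder_enabled(SAMPLE))
```

Run it as `python check_policy.py path/to/policy.txt`; a non-zero exit code makes it easy to loop over a directory of collected bundles and list only the endpoints that still need attention.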
Using search operators
Once Flight Recorder Search is activated on the device, you can start using it in Nebula to look for indicators of compromise. Here are some tips to consider when searching:
- The Equals To operator is case-sensitive.
- All other Flight Recorder Search operators (Contains and the rest) are not case-sensitive.
- Searching for an endpoint by its Fully Qualified Domain Name (FQDN) or alias is not supported; search by the name registered in Nebula.
In the example below, the endpoint is registered in Nebula as Workstation01 and has the alias Noah.
Because Equals To is case-sensitive, a search for workstation01 returns no results, while a search for Workstation01 does. A search for the alias Noah also returns nothing, since alias searches are not supported.
The example below demonstrates how to search using multiple operator conditions. The targeted search returned one process.
Reviewing the process graph shows that the end user launched a doc.js file from the Downloads folder; wscript then spawned cmd and PowerShell as child processes. A script host spawning command interpreters from a user-writable folder is exactly the kind of parent-child relationship worth pivoting on with a second, broader search across other endpoints.
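The model below reproduces the operator behaviour and the process graph from the two examples above so you can see how a targeted multi-condition search narrows to one process and how the parent-child chain is walked. It is an added example, not ThreatDown or Nebula code: the ProcessEvent fields, host names, PIDs, command lines and hashes are constructed for illustration and do not reflect Nebula's real schema or API.

```python
"""Model of Flight Recorder Search operator semantics and the process graph
described in the article. Added example, not ThreatDown or Nebula code; every
event record below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str      # name registered in Nebula (not FQDN, not alias)
    pid: int
    ppid: int
    name: str
    cmdline: str
    sha256: str


# Constructed sample events. Workstation01 carries the chain from the article
# (doc.js -> wscript -> cmd + powershell); Workstation02 runs wscript for a
# logon script so a loose search matches more than one host; the Linux box
# has two distinct processes named Foo and foo.
EVENTS = [
    ProcessEvent("Workstation01", 100, 1, "explorer.exe", "explorer.exe", "aa" * 32),
    ProcessEvent("Workstation01", 200, 100, "wscript.exe",
                 r'wscript.exe "C:\Users\noah\Downloads\doc.js"', "bb" * 32),
    ProcessEvent("Workstation01", 300, 200, "cmd.exe", "cmd.exe /c whoami", "cc" * 32),
    ProcessEvent("Workstation01", 400, 200, "powershell.exe",
                 "powershell.exe -nop -w hidden -c Get-Process", "dd" * 32),
    ProcessEvent("Workstation02", 500, 1, "wscript.exe",
                 r'wscript.exe "\\fileserver\netlogon\logon.vbs"', "bb" * 32),
    ProcessEvent("linuxbox01", 600, 1, "Foo", "/opt/foo/Foo --serve", "ee" * 32),
    ProcessEvent("linuxbox01", 700, 1, "foo", "/usr/bin/foo", "ff" * 32),
]


def equals_to(value: str, target: str) -> bool:
    """Equals To: exact, case-sensitive comparison."""
    return value == target


def contains(value: str, target: str) -> bool:
    """Contains: substring match, case-insensitive like the non-Equals operators."""
    return target.lower() in value.lower()


def search(events, *conditions):
    """Apply (field, operator, value) conditions; all must match (logical AND)."""
    return [e for e in events
            if all(op(getattr(e, field), value) for field, op, value in conditions)]


def process_chain(events, root):
    """Depth-first walk of the process graph below `root`, same host only."""
    chain = [root]
    for child in sorted(events, key=lambda e: e.pid):
        if child.host == root.host and child.ppid == root.pid:
            chain.extend(process_chain(events, child))
    return chain


def hosts_that_executed(events, sha256: str):
    """Hash search semantics: hosts that *executed* the hash, not files on disk."""
    return sorted({e.host for e in events if e.sha256.lower() == sha256.lower()})


if __name__ == "__main__":
    # Targeted search from the article: wscript, launched from Downloads, running a .js file
    hits = search(EVENTS,
                  ("name", equals_to, "wscript.exe"),
                  ("cmdline", contains, "downloads"),
                  ("cmdline", contains, ".js"))
    for root in hits:
        print(root.host, " -> ".join(p.name for p in process_chain(EVENTS, root)))
    print("hosts that ran the wscript hash:", hosts_that_executed(EVENTS, "bb" * 32))
    print("Equals To workstation01:", search(EVENTS, ("host", equals_to, "workstation01")))
```

The search on `wscript.exe` alone would return both workstations; adding the two Contains conditions on the command line is what narrows it to the single Downloads-launched process, mirroring the multi-operator example above. Note that Equals To on the lower-cased host name returns an empty list, while Contains would have matched it.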
Additional Notes
- Process names on Linux and macOS are case-sensitive, which can affect your search results: the OS treats Foo and foo as different processes. Use the Equals To operator when you need to distinguish between them.
- Searching for a process file hash returns the endpoints that have been seen executing a file with that hash. It does not search for the existence of the file on an endpoint's disk, so a file that was dropped but never run will not appear.
- If a Flight Recorder Search returns no results where you expect data, broaden the search by using the Contains operators or by expanding the date range.
- If too much data is returned or you need more precise results, use the Custom search with the desired date and set the Start Time and End Time.
Additional Errors
- If you see errors returned in Nebula when attempting to run Flight Recorder Searches, contact Support.