Endpoint Detection and Response (EDR) customers can use the Flight Recorder feature. This feature allows you to search event data captured from all of your EDR managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 30 days to threat hunt or analyze how a compromise occurred in your environment.
This article explains how to search event data in the Flight Recorder section and the types of data you can investigate in the search results. To view this section in the Nebula console, click Investigate > Flight Recorder in the left-side navigation pane.
Search event data with Flight Recorder
The Flight Recorder page allows you to search for the stored data types using any combination of operators to create a compound search query. Once a search is performed, you can click the Reset option to revert all selected search parameters or click Copy Search to share the search results. You can also use the Bulk Upload feature to send a list of IoCs to search for across all endpoints. Once selected, choose a max number of results and the time range, then finalize your search.
NOTICE - By default, Flight Recorder data retention is disabled. Enable this feature by selecting Flight Recorder Search checkboxes for each supported OS in Endpoint Detection and Response policy settings.
As the last stage, add parameters for your search. To search on multiple parameters, use the add icon to create more. The available parameters are:
- PC Hostname
- User Account
- Process Name
- Process Path
- Process ID
- Command Line
- Contacted IP Address
- Contacted Domains
- Contacted Remote Port
- Written Files
- Process MD5
- Process SHA1
- Process SHA256
- Process SHA512
- IP address or domain. Note: the Network Events toggle must be enabled under Policy Settings to search for these data types. To enable this setting, see: Endpoint Detection and Response policy settings in Nebula.
Flight Recorder Search operators include:
- Equals To (case sensitive)
- Not Equals To
- Contains
- Not Contains
- Starts With
- Ends With
In Flight Recorder Search, you can filter how far back in time the search query applies. This filter lets you choose from the following time ranges:
- Last 24 hours
- Last 12 hours
- Last 6 hours
- Last hour
- Last 30 minutes
- Custom (up to a maximum of 7 days per query)
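The following is an added example, not Malwarebytes code, and it calls no Nebula API: it sorts a raw IoC list into the search parameters listed above and splits the 30-day history into Custom ranges of at most 7 days each. Classifying hashes by hex digest length, mapping IPs and domains to Contacted IP Address and Contacted Domains, and all function names are assumptions made for this sketch.

```python
import ipaddress
import re
from datetime import timedelta

# Hex digest length -> search parameter name listed on this page.
HASH_PARAMS = {32: "Process MD5", 40: "Process SHA1",
               64: "Process SHA256", 128: "Process SHA512"}
DOMAIN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def classify(raw):
    """Return (parameter, value) for one IoC, or None if it fits no parameter."""
    value = raw.strip().replace("[.]", ".")  # undo report-style defanging
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_PARAMS:
        # Assumption: lowercase hex. "Equals To" is case sensitive, so use
        # whatever case your console shows for stored hashes.
        return HASH_PARAMS[len(value)], value.lower()
    try:
        return "Contacted IP Address", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    domain = value.lower().rstrip(".")
    if len(domain) <= 253 and DOMAIN_RE.fullmatch(domain):
        return "Contacted Domains", domain
    return None

def group_iocs(lines):
    """Deduplicate IoCs and group them by parameter; collect rejects."""
    grouped, rejected = {}, []
    for line in lines:
        if not line.strip():
            continue
        hit = classify(line)
        if hit is None:
            rejected.append(line.strip())
        else:
            grouped.setdefault(hit[0], set()).add(hit[1])
    return {k: sorted(v) for k, v in grouped.items()}, rejected

def query_windows(now, lookback_days=30, max_days=7):
    """Split the lookback into Custom ranges of at most max_days, newest first."""
    windows, end, oldest = [], now, now - timedelta(days=lookback_days)
    while end > oldest:
        start = max(oldest, end - timedelta(days=max_days))
        windows.append((start, end))
        end = start
    return windows

# Constructed sample input (empty-file MD5, documentation IP and domain).
SAMPLE = ["D41D8CD98F00B204E9800998ECF8427E", "d41d8cd98f00b204e9800998ecf8427e",
          "203.0.113.10", "example[.]com", "not-an-ioc"]
```

Covering the full 30 days this way takes five queries per search: four 7-day ranges and one 2-day range.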
Investigate information displayed by Flight Recorder
The information shown from a Flight Recorder Search is intended for retrospective analysis and investigation, and for identifying which of your endpoints are affected by or related to processes. These results inform your decision making about what is best for your unique business environment. The results are displayed in the Types of Events bar graph, with a corresponding list of endpoints in the Endpoints table.
Types of Events graph
The Types of Events bar graph shows the total occurrences of your search query across the search time frame you specified. The color-coded bars show which event types were found in the query. You can hover your cursor over each of the bars to see the total events on your endpoints. These events are broken down into:
- Process: Shown as purple.
- Registry: Shown as yellow.
- FileSystem: Shown as blue.
- Network: Shown as orange.
Endpoints Process
The Endpoints Process section shows more detailed information about the events detected on endpoints to inform your decision making. You can check the boxes next to a process or file and select the Isolate Endpoint(s) action from the top-right Actions drop-down menu if you think they are a risk to your network. You can also select Remove Isolation from the same drop-down.
You can perform the Check Virus Total or Upload File action for any process or file from this window. This sends the file to our sandbox analysis section for review. For more information, see Sandbox Analysis in Nebula.
The Process section displays the following information:
- Process Path: The name and location of the process found by the Flight Recorder. Click a process path to view a visual representation of the selected process. Each node is selectable with slide-out details, including Raw Event info. This shows details just like the Process Graph for Suspicious Activity Details. For information on the Process Graph, see Suspicious Activity Details in Endpoint Detection and Response.
- Endpoint: The name of the endpoint.
- First Seen: Shows a time stamp when the event was first detected.
- Last Seen: Shows a time stamp when the event was last detected.
- PID: The unique number that identifies each running process on an endpoint.
- Events: Shows the different types of events found by Flight Recorder. Hover your cursor over the color-coded icons to see the number of each event type. Colors correspond with the Types of Events graph.
- User Account: The last user signed into the endpoint.
- Status: Status of the endpoint, whether a scan is needed or remediation is required.
- Actions: Available actions which can be performed on the endpoint. See the top section for more information.
- Group: Shows the endpoint's group.
- MD5: The MD5 cryptographic hash value of the file, if applicable.
- OS Platform: Shows the operating system of the endpoints in the results list.
- Policy: Shows the endpoint's policy.
- SHA1: The SHA1 cryptographic hash value of a file, if applicable.
- SHA256: The SHA256 cryptographic hash value of a file, if applicable.
- SHA512: The SHA512 cryptographic hash value of a file, if applicable.