Advanced Query provides a powerful interface that enables you to hunt across your Alert and Event data ingested into Samurai XDR. For instance, you can query for matching alerts and events that were logged or triggered in the past in order to fully understand the context of the current alerts you are investigating.
After a threat has been responded to, Advanced Query can also play an important role in the forensic investigation of the threat, in order to determine both its extent and the sequence of events which occurred.
Advanced Query provides a very flexible interface based on Microsoft's Kusto Query Language (KQL) in order to support all of your data needs. This means that you can perform tasks ranging from simple queries all the way through to complex and powerful threat hunts in search of evasive threats.
The Advanced Query interface also provides a graphical view showing the distribution of query matches over time. This allows you to more easily spot deviations from the norm, and to identify the time at which important events occurred.
Some simple examples of the functionality provided by Advanced Query include:
- Ability to use the very capable KQL query language for everything from simple searches across your data to running complex queries in support of Threat Hunting activities.
- Ability to query the Samurai XDR data lake for Alerts and Events over the entirety of your full retention period.
- Ability to provide a time-based visualization of the results matching your query enabling you to spot deviations from normal activity.
- Ability to easily filter in/filter out values.
- Ability to easily drill in and out using a graph of the overview, enabling you to quickly pivot across anything from small result sets, to ones containing millions of data points.
- Ability to query over a user-defined time period.
- Ability to easily search/filter the results and export the selected results.
Some simple examples of use cases which can be covered by Advanced Query include:
- Verifying activity of an endpoint over a specified time period
- Tracking lateral movement of a threat actor
- Finding other endpoints which may have been affected by a breach
- Tracing the sequence of events in a breach
- Finding all activity related to a specific attacker
- Confirming that new log sources are generating data and verifying that they are configured correctly
The Advanced Query user interface is divided into a number of panes which provide:
- A time-picker allowing the user to easily select the time period that the query applies to. Note: Manually writing a time period in the interactive KQL editor overrides any user selection in the time-picker.
- An interactive KQL query editor
- A filters panel, reflecting all the Fields available in the current result. This allows you to quickly filter in/out, search across the filter values and visually see the split between various values. This allows you to quickly narrow down a query.
- A Results panel, showing all matching Alert and Event data in both parsed and raw format. This allows you to easily search and filter across the viewed results and export results of relevance.
- A User Tips panel, showing some quick Tips to assist the user in getting started in writing their first KQL queries.
The user interface also provides you with the ability to customize the time period of the query.
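As an added illustration that is not part of the Samurai XDR documentation, the following KQL query covers the "confirming that new log sources are generating data" use case and shows the explicit time filter that overrides the time-picker. The table name `Events` and the fields `Timestamp`, `SourceType` and `DeviceName` are assumptions; substitute the names shown in the Filters panel for your own data.

```kql
// Hypothetical table and field names (assumed for this example).
// The explicit time filter below overrides whatever the time-picker selects.
Events
| where Timestamp between (ago(24h) .. now())
| where SourceType == "firewall"            // the newly onboarded log source
// One row per device per hour: an empty hour in the graph shows a gap in ingestion
| summarize EventCount = count(),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp)
          by DeviceName, bin(Timestamp, 1h)
| order by DeviceName asc, Timestamp asc
```

A device that is expected to log but is missing from the result, or one whose hourly buckets stop before `now()`, points to a collector or forwarding misconfiguration rather than to the query.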