Accessing Hunt Notebooks

To access the notebook for a particular hunt,

  1. First navigate to the Hunt Manager screen
  2. Select the hunt of interest
  3. Click the “Notebook” tab


Editing Notebooks

  1. To edit a notebook, click the “Pencil” icon above the notebook title.


  2. Tweak or replace the contents of the notebook

  3. Save the notebook


Notebook Syntax Examples

Example notebook with grouped boolean operations

  1. Useful when you want to match on complex, grouped logic such as "UserA on SystemA OR UserB on SystemB"

    // Windows.EventLogs.RDPAuth
    
    SELECT EventTime,Computer,Channel,EventID,UserName,LogonType,SourceIP,Description,Message,Fqdn FROM source()
    WHERE ( // exclude logons of each user on their own system
    (UserName =~ "Chad.Chan" AND NOT Computer =~ "ACC-01")
    OR (UserName =~ "Jean.Owen" AND NOT Computer =~ "ACC-05")
    OR (UserName =~ "Albert.Willoughby" AND NOT Computer =~ "ACC-09")
    OR (UserName =~ "Anna.Ward" AND NOT Computer =~ "ACC-04")
    )
    AND NOT EventID = 4634 // less interested in logoff events
    AND NOT (Computer =~ "dc" OR Computer =~ "exchange" OR Computer =~ "fs1")
    ORDER BY EventTime
    

Explicit string matching, grouping and sorting by prevalence

  1. The = operator expects an exact match

  2. Notice the doubled backslashes: backslash is an escape character in JSON, so each \\ in a path must itself be escaped

  3. Notice that we are renaming Hash.SHA256 to SHA256 in the SELECT statement

    SELECT Name,Exe,CommandLine,Hash.SHA256 AS SHA256, Authenticode.Trusted, Username, Fqdn, count() AS Count FROM source()
    WHERE Authenticode.Trusted = "untrusted" // unsigned binaries
    // List of environment-specific processes to exclude
    AND NOT Exe = "C:\\\\Program Files\\\\filebeat-rss\\\\filebeat.exe"
    AND NOT Exe = "C:\\\\Program Files\\\\filebeat\\\\filebeat.exe"
    AND NOT Exe = "C:\\\\Program Files\\\\winlogbeat-rss\\\\winlogbeat.exe"
    AND NOT Exe = "C:\\\\Program Files\\\\winlogbeat\\\\winlogbeat.exe"
    AND NOT Exe = "C:\\\\user-automation\\\\user.exe"
    AND NOT Exe = "C:\\\\salt\\\\bin\\\\python.exe"
    // Stack for prevalence analysis
    GROUP BY Exe
    // Sort results ascending
    ORDER BY Count
    

Fuzzy/Regex matching

  1. Notice the regex pattern to match any variation of the Exe names.

  2. Also note that when matching \\ in a regex, 4 backslashes are needed, because escapes apply for both JSON and the regex engine: \\ = \\\\\\\\

    SELECT Name,Exe,CommandLine,Hash.SHA256 AS SHA256, Authenticode.Trusted, Username, Fqdn, count() AS Count FROM source()
    WHERE Authenticode.Trusted = "untrusted" // unsigned binaries
    // List of environment-specific processes to exclude
    AND NOT Exe =~ "(filebeat|winlogbeat|user|python)\\.exe"
    AND NOT Exe =~ "C:\\\\\\\\salt\\\\\\\\"
    // Stack for prevalence analysis
    GROUP BY Exe
    // Sort results ascending
    ORDER BY Count
    

Filtering results based on their prevalence/count

  1. Notice the use of WHERE Count < 10, which only returns entries that occur fewer than 10 times; this helps spot outliers based on rarity.

    LET Results = SELECT count() AS Count, Fqdn, Name, FullPath, Command FROM source()
    GROUP BY Name, FullPath, Command // stack them
    SELECT * FROM Results
    WHERE Count < 10 // only return entries that occur fewer than 10 times
    ORDER BY Count // sorts ascending
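The following is an added example, not part of the original page, that chains the patterns above into a single notebook cell: regex exclusion, stacking by executable, and filtering on rarity, with the hosts each rare binary was seen on collected alongside the count. It assumes the hunt artifact exposes the Exe, Authenticode.Trusted and Fqdn columns used in the examples above, and that the enumerate(), len() and join() VQL functions are available.

```vql
// Stage 1: stack untrusted binaries by path and collect the hosts each one ran on.
// enumerate() is an aggregate that gathers a column's values across the group (assumed available).
LET Stacked = SELECT Exe, count() AS Count, enumerate(items=Fqdn) AS Hosts
  FROM source()
  WHERE Authenticode.Trusted = "untrusted"  // unsigned binaries only
    // environment-specific exclusions, same regex escaping as above
    AND NOT Exe =~ "(filebeat|winlogbeat|user|python)\\.exe"
  GROUP BY Exe

// Stage 2: keep only the rare entries and render the host list for triage.
SELECT Count, Exe,
       len(list=Hosts) AS HostCount,
       join(array=Hosts, sep=", ") AS SeenOn
  FROM Stacked
  WHERE Count < 10  // rarity threshold, same as the example above
  ORDER BY Count    // rarest first
```

Hosts holds one entry per matching row, so a host that reported the same binary several times appears more than once in SeenOn and HostCount equals Count rather than the number of distinct hosts.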