Telemetry Search is a service that indexes all process starts and network connections for the last seven days of usage. Red Canary now includes a Telemetry Search page and bar where you can search for specific telemetry parameters and view the results in a sortable table. The slide out table displays all the data for that particular process.
You can conduct a keyword search in Telemetry Search to find information about process launches and network connections. Using a third-party search (OpenSearch specifically), results are indexed and returned fast and accurately. It also allows you to execute partial searches or use wildcards to find a broader set of related telemetry.
All Telemetry Search results can be exported to a CSV file, giving you the ability to use the data outside of the constraints in the platform.
This tool enhances our existing Shell Activities feature, which enables you to detect process starts that most likely originated in a shell by making it quick and straightforward to pinpoint individual processes. Including all process starts and networks enables you to easily discover and correlate processes to the data Red Canary already provides.
This also gives detection engineers a single page to locate processes and network connections for threat and event analyses.
Assess Linux EDR telemetry
To assess your Linux EDR telemetry, you can filter by telemetry attributes.
From the navigation menu, click Telemetry.
Enter attributes in the Telemetry Search filter bar, and then press Enter or Return.
You can search by ‘keyword:value’ on any of the allowed filter attributes. Wildcards are supported, permitting you the ability to search for all processes that match the value up to the wildcard.
Note: Text searches are always fuzzy matched unless there is a
*
Supported filter attributes
Event attributes
Attribute | Description | Example |
Event Type | The type of event that occurred, such as a network connection. |
|
Telemetry attributes
Attribute | Description | Example |
Is Shell Activity | A boolean that indicates if the process is an interactive shell command. |
|
Shell | The shell where the process was executed. |
|
Network attributes
Attribute | Description | Example |
Domain | The domain of a network connection. |
|
Local ip | The IP address used in a network connection. |
|
Local port | The port used in a network connection, such as a local or remote port. |
|
Local IP Type | The type of network connection that was made. |
|
Remote ip | The remote IP address used in a network connection. |
|
Remote port | The remote port used in a network connection. |
|
Remote IP Type | The type of remote network connection that was made. |
|
Location | Indicates if the remote network connection is internal or external. |
|
Protocol | The type of protocol used in the network connection. |
|
Direction | The direction of the network connection, such as inbound or outbound. |
|
Endpoint attributes
Attribute | Description | Example |
Host name | Hostname used by the endpoint. |
|
Endpoint operating system | The endpoint’s operating system. |
|
Sensor | The unique ID of the endpoint’s sensor. |
|
Sensor Version | The endpoint’s sensor version. |
|
Reporting Tag | Filter by "key":"value" reporting tags as set in the endpoint sensor configuration. Keys or tags that include a space must be wrapped in double quotes, e.g.
|
|
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.
Process attributes
Attribute | Description | Example |
Activity At | The date or date range the process occurred at. |
|
Process command Line | The command line used by the process. |
|
Parent process command line | Command line of a parent process. |
|
Process name | The name of the process. |
|
Parent process name | Name of the parent process. |
|
Process path | The path of the process. |
|
Parent process path | The path of the parent process. |
|
Process pid | The process identification number (PID) used by the process. |
|
Parent process pid | The process identification number (PID) used by the parent process. |
|
Process md5 | The Message Digest 5 (md5) of the process. |
|
Parent process md5 | The Message Digest 5 (md5) of the parent process. |
|
Process sha56 | The sha256 of the process. |
|
Parent process sha56 | The sha256 of the parent process. |
|
Working Directory | The working directory of the process. |
|
User attributes
Attribute | Description | Example |
User Name | The username of the user. |
|
Login user name | The username of login user. |
|
User uid | The user identifier (uid) of the user. |
|
Login user uid | The user identifier (uid) of the login user. |
|
Container attributes
Attribute | Description | Example |
Container | The specific docker Container ID holding the endpoint. |
|
Container Pod | The specific docker Container Pod ID holding the endpoint. |
|
Date filters are specified with a from..to syntax where either from or to can be unbounded:
2020-01-01..filters for matches on or after (>=) thefromdate..2020-01-01filters for matches on or before (<=) thetodate2020-01-01..2020-01-31filters for matches on or after (>=) thefromdate and on or before (<=) thetodate
Dates can be specified as iso8601 dates or date-times.
Examples
Show only results of a particular event type
To return only network connections you would use the search filter:
Event_type_cd:network_connection
To return only process starts you would use the search filter:
Event_type_cd:process_start
Show only shell activities
To return only processes designated as originating in a shell you would use the search filter:
Is_shell_activity:true
Wild card search for an IP
To find an IP address used in a network connection that are part of a particular network you would use the search filter:
local_ip:127.0.*
Find all processes running in a container
container_id:*