Advanced Query feature in Samurai XDR provides a comprehensive and powerful tool for users to analyze and investigate security events within their data. Here's a breakdown of the key features and functionalities:
Key Features
Kusto Query Language (KQL) Integration
Users can leverage the Kusto Query Language for both simple and complex queries, enabling a wide range of threat hunting activities.
Data Lake Querying
Ability to query the Samurai XDR data lake for alerts and events across the entire retention period, providing a comprehensive historical view.
Time-Based Visualization
Graphical representation of query results over time, allowing users to identify deviations from normal activity and pinpoint the timing of critical events.
Flexible Filtering
Users can easily filter in/out specific values, providing flexibility in narrowing down and customizing queries based on various parameters.
Graphical Overview
A graphical overview allows for quick pivoting between small and large result sets, facilitating efficient exploration of data points.
User-Defined Time Period
Users can set a specific time interval for querying, enabling focused analysis within a defined temporal scope.
Search and Export Capabilities
The interface supports easy search and filtering of results, with the ability to export selected data for further analysis or reporting.
Combined Alerts, Events and Evidence Query
Users can select both Alerts, Events and Evidence in a single query, streamlining the investigative process.
Histogram Graph Customization
Users can vary the time interval of the histogram graph in the results overview, adapting the visualization to specific analysis needs.
Example Use Cases
- Endpoint Activity Verification - Verify the activity of an endpoint over a specified time period.
- Threat Actor Lateral Movement - Track the lateral movement of a threat actor across the network.
- Breach Impact Assessment - Identify other endpoints affected by a breach to assess the extent of impact.
- Breach Sequence Analysis - Trace the sequence of events during a security breach for a thorough forensic investigation.
- Attacker Activity Identification - Find all activity related to a specific attacker for targeted threat hunting.
- Log Source Configuration Check - Confirm that new log sources are generating data and verify their correct configuration.
User Interface Components
- Time Picker - Allows users to easily select a time period for query application.
- Interactive KQL Query Editor - Provides a user-friendly interface for constructing KQL queries.
- Filters Panel - Displays available fields for filtering, facilitating quick in/out filtering and visualizing data distribution.
- Results Panel - Presents matching Alert and Event data in both parsed and raw formats, supporting cross-result searching and export capabilities.
- User Tips Panel - Offers quick tips to assist users in constructing their initial KQL queries.
For detailed information on using Advanced Query in Samurai XDR, users are encouraged to refer to the provided resources on Advanced Query Functionality and Constructing an Advanced Query within the application.
To learn all about the feature within the Samurai XDR application please review Advanced Query Functionality and Constructing an Advanced Query.