2022-03-27 08:56 PM - edited 2022-03-27 08:57 PM
Where can I find documentation on the query syntax used within Investigate? I don't seem to be able to find what query syntax is available and no example on advanced use cases.
When looking at the service uncoder.io and I convert a sigma document to a Netwitness query, they don't always work. Okay, so what can I do with the query syntax.
Here is an example of a rule that uncoder.io gives me:
(((name contains 'IPC$') && (path contains '-stdin', '-stdout', '-stderr')) && NOT((name contains 'IPC$') && (path contains 'PSEXESVC')))
I get an error to say that's it's not valid, ok, so what is valid?
Aside from <meta> = <value> && || there doesn't appear to be any documentation about how can I construct advanced queries.
Compared to something like Splunk or ElasticSearch it really seems like NetWitness isn't that powerful.
2022-03-31 07:31 PM
Here is more info; go to the Query Operators section:
https://community.netwitness.com/t5/netwitness-platform-online/queries/ta-p/669234
2022-04-07 07:24 PM
Thanks. That looks quite comprehensive, but can it be used within the Investigate module, or is this for use in app rules or something different?
2022-04-07 10:51 PM
The query operators, yes. If you need aggregation or some more advanced function you should create a rule and a report in the Report Engine.
Keep in mind that some meta keys may not be indexed, or the operators you are using may not work with the data type.
2022-04-19 03:20 AM
If I put the syntax of '(((name contains 'IPC$') && (path contains '-stdin', '-stdout', '-stderr')) && NOT((name contains 'IPC$') && (path contains 'PSEXESVC')))' into https://uncoder.io/ and output to Sigma it references an outdated version of https://github.com/SigmaHQ/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml
Looking at the source rule: https://github.com/SigmaHQ/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml it mentions tag attack.t1077 and references blog: https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Sigma rule (from GitHub):
detection:
    selection1:
        EventID: 5145
        ShareName: \\*\IPC$
        RelativeTargetName:
            - '*-stdin'
            - '*-stdout'
            - '*-stderr'
    selection2:
        EventID: 5145
        ShareName: \\*\IPC$
        RelativeTargetName: 'PSEXESVC*'
    condition: selection1 and not selection2
If we know that the field mapping is:
EventID => reference.id meta
ShareName => obj.name meta
RelativeTargetName => filename meta
Note: In the rule \\*\IPC$ is a literal and * is not a wildcard
i.e. I found sample logs for EventID: 5145 with the similar string of:
Share Name: \\*\C$
Using NetWitness 11.7.1.0 lab:
Notes: Value comparison for text is case insensitive by default (configurable), so the value of ipc$ would cover IPC$, Ipc$ & ipc$.
A literal conversion of Investigation drill (Investigation \ Events) would be:
medium=32 AND (reference.id='5145' AND obj.name = '\\\\*\\ipc$' AND filename ends '-stdin','-stdout','-stderr') AND NOT(reference.id='5145' AND obj.name = '\\\\*\\ipc$' AND filename begins 'psexesvc')
A less redundant version of the query would be:
medium=32 AND reference.id='5145' AND obj.name = '\\\\*\\ipc$' AND (filename ends '-stdin','-stdout','-stderr' AND NOT(filename begins 'psexesvc'))
Note: The UI converts \\\\*\\ipc$ to '\\*\ipc$'.
So this is the value you might paste into the query of Investigate / Events.
Note: If you are building this using value pick then obj.name will show as obj.name = '\\*\ipc$'
The following syntax also works:
medium=32 && reference.id='5145' && obj.name = '\\\\*\\ipc$' && (filename ends '-stdin','-stdout','-stderr' && NOT(filename begins 'psexesvc'))
Investigate \ Navigate drill (advanced drill) is pretty much the same:
medium=32 && reference.id='5145' && obj.name = '\\\\*\\ipc$' && (filename ends '-stdin','-stdout','-stderr' && not(filename begins 'psexesvc'))
Application Rule (to alert on occurrence; similar to Investigate/Navigate):
medium=32 && reference.id='5145' && obj.name = '\\\\*\\ipc$' && (filename ends '-stdin','-stdout','-stderr' && not(filename begins 'psexesvc'))
App Rule Syntax: https://community.netwitness.com/t5/netwitness-platform-downloads/rsa-netwitness-log-parser-tool-v1-1-downloads/ta-p/559945
Thanks for the feedback. I've added your suggestion to NetWitness Ideas - https://community.netwitness.com/t5/netwitness-ideas/work-with-https-uncoder-io-to-allow-conversion-of-rules-from/idi-p/681761
Be sure to vote for it 🙂
Please let me know if you have any other questions.
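The translation worked through above (Sigma field to meta key, leading/trailing '*' to ends/begins, the literal \\*\IPC$ with every backslash doubled, case-insensitive lower-casing, and the selection1/selection2 condition) as an added Python example; this is not code from the thread, uncoder.io or NetWitness, and it assumes the field mapping and the medium=32 log restriction stated in the posts above.

```python
# Sigma field -> NetWitness meta key, as given in the thread
SIGMA_TO_META = {
    "EventID": "reference.id",
    "ShareName": "obj.name",
    "RelativeTargetName": "filename",
}

# 'detection' block of win_susp_psexec.yml, transcribed from the thread
DETECTION = {
    "selection1": {
        "EventID": 5145,
        "ShareName": r"\\*\IPC$",
        "RelativeTargetName": ["*-stdin", "*-stdout", "*-stderr"],
    },
    "selection2": {
        "EventID": 5145,
        "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "PSEXESVC*",
    },
    "condition": "selection1 and not selection2",
}

def nw_literal(value: str) -> str:
    # Lower-case (text comparison is case-insensitive) and double every
    # backslash, which turns the Sigma value \\*\IPC$ into '\\\\*\\ipc$'.
    return "'" + value.lower().replace("\\", "\\\\") + "'"

def nw_term(field: str, values) -> str:
    # One Sigma field/value pair -> "meta op 'v1','v2',...". A leading '*'
    # becomes 'ends', a trailing '*' becomes 'begins'; any other '*' stays a
    # literal character, as the thread notes for \\*\IPC$.
    values = values if isinstance(values, list) else [values]
    ops, literals = set(), []
    for v in map(str, values):
        if v.startswith("*") and "*" not in v[1:]:
            ops.add("ends"); literals.append(v[1:])
        elif v.endswith("*") and "*" not in v[:-1]:
            ops.add("begins"); literals.append(v[:-1])
        else:
            ops.add("="); literals.append(v)
    if len(ops) != 1:  # NetWitness needs one operator per value list
        raise ValueError(f"mixed wildcard positions in {field}: {values}")
    return f"{SIGMA_TO_META[field]} {ops.pop()} {','.join(map(nw_literal, literals))}"

def nw_selection(selection: dict) -> str:
    return "(" + " AND ".join(nw_term(f, v) for f, v in selection.items()) + ")"

def sigma_to_netwitness(detection: dict, medium: int = 32) -> str:
    # Replace each selection name in the condition with its AND-group and
    # upper-case the boolean words; medium=32 restricts the drill to logs.
    out = [nw_selection(detection[t]) if t in detection else t.upper()
           for t in detection["condition"].split()]
    return f"medium={medium} AND " + " ".join(out)

if __name__ == "__main__":
    print(sigma_to_netwitness(DETECTION))
```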