[DEPRECATED] Discover and Search
This page has been deprecated. Find the latest documentation here.
The Discover and Search feature allows security professionals to find more information and IOCs about all the threats detected by Blue Hexagon. The "Search" feature allows Blue Hexagon users to search for threats, and for the context around those threats, using an "Elasticsearch Lucene"-like query language. The "Discover" feature provides users with a history of all detections and the ability to view and investigate all the data Blue Hexagon has analyzed, including threats and benign files. In addition, using syslog, organizations can easily integrate this threat intelligence into their SIEM/analytics platform.
Query Syntax & Usage
Discover supports several types of queries. These are described below with examples. Search queries are entered directly in the field next to the magnifying glass near the top of the page.
[Screenshot: Navigating to the Discover page]
[Screenshot: Selecting columns to display]
Search Syntax with Operators and Examples
| Operation | Operator Symbol | Example | Notes |
|---|---|---|---|
| Word search | string | `gmail` | Search for items with the string "gmail" in any field |
| Search | : | `filetype:PDF` | Files of type PDF |
| NOT | - | `-filetype:PDF` | Files not of type PDF |
| OR | OR | `filetype:PDF OR filetype:DLL` | Files of type PDF or DLL |
| AND | AND | `filetype:PDF AND source:HTTP` | Files of type PDF downloaded via HTTP |
| Grouping | (...) | `(filetype:PDF OR filetype:DLL) AND source:HTTP` | Files of type PDF or DLL downloaded via HTTP |
| IP CIDR | CIDR notation | `orig_h:\"172.22.9.0/24\"` | Traffic seen by endpoints in the 172.22.9.0/24 subnet. Can be used for the orig_h (Destination IP) and resp_h (Source IP) fields. Note that the quotes must be escaped. |
| Numeric | : | `filesize:22016` | Files of size 22016 bytes |
| Numeric | <, >, <=, >= | `filesize:<=22016` | All files of size less than or equal to 22016 bytes |
| Numeric | OR, AND | `filesize:(>22016 AND <23000)` | All files of size greater than 22016 bytes and less than 23000 bytes |
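As an added example (not Blue Hexagon's code or part of this documentation), the following Python parses every form in the table above, including NOT, grouping, escaped-quote CIDR on orig_h/resp_h and field-scoped numeric ranges, and evaluates it against constructed sample detections keyed by the search field names from the Metadata table below. `RECORDS`, `compile_query` and `search` are assumed names; the records are constructed, and the parser requires explicit AND/OR between terms.

```python
import ipaddress, operator, re
# Constructed sample detections (not real Blue Hexagon data); keys are the "Field to use in Search Query" names from this page.
RECORDS = [
    {"bhid": "r1", "filetype": "PDF", "source": "HTTP", "filesize": 22016, "orig_h": "172.22.9.14", "filename": "invoice.pdf"},
    {"bhid": "r2", "filetype": "DLL", "source": "SMTP", "filesize": 22900, "orig_h": "10.0.0.5", "filename": "gmail_sync.dll"},
    {"bhid": "r3", "filetype": "DLL", "source": "HTTP", "filesize": 30000, "orig_h": "172.22.9.200", "filename": "setup.dll"},
]
# Token kinds, in priority order: ( ) AND OR -  field:  \"quoted\"  <=123  bare word
TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|-|[A-Za-z_]+:|\\?"[^"\\]*\\?"|[<>]=?\d+|[^\s()]+)')
CMP = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def match_term(rec, field, value):
    """One term: word search over all fields, exact field match, CIDR on IP fields, or numeric comparison."""
    if field is None:                                   # "gmail": substring of any field
        return any(value.lower() in str(v).lower() for v in rec.values())
    if field not in rec: return False
    if m := re.fullmatch(r'([<>]=?)(\d+)', value):      # filesize:<=22016
        return CMP[m.group(1)](int(rec[field]), int(m.group(2)))
    if field in ("orig_h", "resp_h") and "/" in value:  # orig_h:\"172.22.9.0/24\"
        return ipaddress.ip_address(rec[field]) in ipaddress.ip_network(value, strict=False)
    return str(rec[field]).lower() == value.lower()

def compile_query(text):
    """Parse a query into a predicate. Precedence: OR < AND < - (NOT) < term or (group)."""
    toks = TOKEN.findall(text)
    def chain(field, op, sub, combine):                 # left-assoc chain of `sub op sub op ...`
        left = sub(field)
        while toks[:1] == [op]:
            toks.pop(0)
            left = (lambda l, r: lambda rec: combine(l(rec), r(rec)))(left, sub(field))
        return left
    def expr(field): return chain(field, "OR", conj, lambda a, b: a or b)
    def conj(field): return chain(field, "AND", primary, lambda a, b: a and b)
    def primary(field):                                 # -x, (group), field:x, field:(group), x
        tok = toks.pop(0)
        if tok == "-":
            return (lambda inner: lambda rec: not inner(rec))(primary(field))
        if tok == "(":
            inner = expr(field)
            assert toks.pop(0) == ")", "missing ')'"
            return inner
        if tok.endswith(":"):                           # field: scopes the next term or group
            return primary(tok[:-1])
        value = tok.replace('\\"', '').strip('"')       # undo the escaped quotes the UI requires
        return lambda rec: match_term(rec, field, value)
    return expr(None)

def search(query, records=RECORDS):
    pred = compile_query(query)
    return [r["bhid"] for r in records if pred(r)]
```

Numeric operators inside `filesize:(...)` inherit the field, which is how the range form in the last table row is evaluated.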
Metadata
| Display Label | Field to use in Search Query | Field Type | Description | Anonymizable? |
|---|---|---|---|---|
| Action Taken | actions | string | Actions taken in response to threat detection (e.g. Send to EDR) | No |
| Ancestors | ancestors | string | ARCHIVE: Comma-separated list of file hashes indicating the lineage of the file inside an archive | No |
| Appliance | appliance | string | Appliance identifier, e.g. "hq". Each Blue Hexagon appliance in your network is assigned a unique id. | No |
| BH Id | bhid | string | Unique identifier for a single file instance | No |
| Category | category | string | Threat Category (e.g. information stealer, ransomware) | No |
| Descendants | descendants | string | ARCHIVE: Comma-separated list of file hashes indicating the files contained in an archive | No |
| Destination IP | orig_h | IP | Originating endpoint's IP address (client endpoint) | Yes |
| Family | family | string | Threat Family (to be read in conjunction with Threat Category) | No |
| Filename | filename | string | Name of file, if available | Yes |
| Filesize (Bytes) | filesize | integer | Size of the file in bytes | No |
| Filetype | filetype | string | File type (e.g. EXE, PDF, MS-DOC) | No |
| SHA256 | hash | string | SHA256 hash of the file | No |
| HTTP Host | http_host | string | HTTP Host header | Yes |
| HTTP Method | http_method | string | HTTP request verb: GET, POST, etc. | Yes |
| HTTP Response MIME | http_resp_mime_type | string | HTTP response mime_type (e.g. application/pdf) | Yes |
| HTTP Status Code | http_status_code | string | Status code returned by the server | Yes |
| HTTP URI | http_uri | string | URI used in the HTTP request | Yes |
| HTTP User Agent | http_user_agent | string | Value of the User-Agent header | Yes |
| MIME type | mime_type | string | mime_type of file payload (e.g. application/pdf) | No |
| Multi Category | multi_category | nested, float | For each threat, score associated with various threat categories | No |
| Destination Port | orig_p | integer | Originating endpoint's TCP/UDP port (or ICMP code) | Yes |
| Verdict | prediction | string | Threat verdict: benign or malicious | No |
| Source Port | resp_p | integer | Responding endpoint's TCP/UDP port (or ICMP code) | Yes |
| Neural Verdict Time (ms) | response_time | integer | Time taken by the BlueHex appliance to deliver a verdict (in milliseconds) | No |
| Severity | severity | integer | Severity level of the threat (1-7) | No |
| SMTP CC | smtp_cc | string | Contents of the SMTP CC header | Yes (default) |
| SMTP First Received | smtp_first_received | string | Contents of the SMTP first Received header | Yes |
| SMTP From | smtp_from | string | Contents of the SMTP FROM header | Yes (default) |
| SMTP In Reply To | smtp_in_reply_to | string | Contents of the SMTP In-Reply-To header | Yes (default) |
| SMTP Mail From | smtp_mailfrom | string | Contents of the SMTP MAIL FROM header | Yes (default) |
| SMTP Path | smtp_path | string | Message transmission path, from headers | Yes |
| SMTP Reply | smtp_reply_to | string | Contents of the SMTP ReplyTo header | Yes (default) |
| SMTP To | smtp_to | string | Contents of the SMTP TO header | Yes (default) |
| SMTP X Originating IP | smtp_x_originating_ip | string | Contents of the SMTP X-Originating-IP header | Yes |
| Protocol | source | string | Source protocol of the file data (HTTP/SMTP/FTP_DATA) | No |
| Source Country | source_country | string | Country corresponding to Source IP | Yes |
| Source IP | resp_h | IP | Responding endpoint's IP address (typically HTTP or SMTP server) | Yes |
| Threat Type | threat_type | string | Type of threat: payload malware, C&C, etc. | No |
| Kill Chain Stage | tkc_stage | integer | Threat Kill Chain stage (1-7) | No |
| Timestamp | ts | date | UTC timestamp (seconds since epoch with microsecond precision) | No |
Blue Hexagon Proprietary