Use Multiple Elements in a Query
The Cybereason platform’s investigation queries enable you to build queries based on a single Element or multiple Elements. For example, you can build a query that finds processes downloaded from the Internet, or you can build a query that searches for processes that have connections, children processes of a specific process, and so forth.
You can create a query with an unlimited number of Elements, although most common use cases rarely require more than three Elements.
In this topic:
How do you use multiple Elements in a query?
Normally, when you build a query in the Investigation screen, the query builder displays the available Elements you can link to the already existing Element or Elements. However, when you use the API, you have to provide the details on how to connect Elements.
In the Cybereason data model that helps organize all the platform’s data, Elements can link to a number of other Elements. To connect these Elements, specific Elements have a number of Features which are actually references to data from another Element. For example, the Process Element has a Feature to find the machine on which the process runs or connections that process opens. The actual data for these Features, such as machine for Process or connections for a Process, are data associated with the Machine Element or the Connection Element, respectively.
When you build a query with multiple Elements with the API, you create a connectionFeature object in the request body.
There are two ways of connecting Elements with the API:
Direct chaining: The Feature that connects the Elements is a Feature for the first Element.
Reverse chaining: The Feature that connects the Elements is a Feature for the second Element.
When you build a query, you add the Elements in the order you want to investigate processes that have connections, you would add the Process Element first in the request, and then Connections after that.
Query syntax for multiple Elements
{
"queryPath":
[
{
"requestedType": "<First Element>",
"filters": [
{
"facetName": "<First Feature>",
"values": [
"<value>",
"<value>",
"<value>"
],
"filterType": "<operator>"
},
],
"connectionFeature": {
"elementInstanceType": "<Element for Connecting Feature>",
"featureName": "<Connecting Feature>"
},
"isResult": "<Boolean value>",
"isReversed": "<Boolean value>"
},
{
"requestedType": "<Second Element>",
"filters": [
{
"facetName": "<Feature>",
"values": [
"<value>",
"<value>",
"<value>"
],
"filterType": "<value>"
}
],
"isResult": "<Boolean value>",
"isReversed": "<Boolean value>"
}
],
"templateContext": "<value>",
"totalResultLimit": "1000",
"perGroupLimit": "100",
"perFeatureLimit": "100",
"queryTimeout": "12000",
"customFields": [
"<field name>",
"<field name>",
"<field name>"
]
}
Build a query that contains multiple Elements
To build a query that contains multiple Elements, you build each query part, which consists of an Element and any Features for that Element. Then, you add Features that connect the query parts.
To build a query with multiple Elements, follow these steps:
In the queryPath object, locate the first requestedType key.
In the requestedType key, replace the <First Element> placeholder value with the API name for the first Element in your query.
For a list of API names for each Element, see Query Elements and Features.
Below the requestedType key, in the filters object, add the values for the facetName key, values array, and filterType keys. For more details on how to use these fields, see Build a Query Request.
Below the filters object, locate the connectionFeature object.
Locate the Feature to use that connects the Elements in your query.
For a list of available Features to connect Elements, see the Connection Features section below. Unless you have a specific Feature that you want to use to connect the Elements, you should choose the simplest Feature. For example, to connect a Connection Element to a Process Element, use the connections feature on the Process Element.
In the connectionFeature object, add values for these keys:
Field
Type
Description
elementInstanceType
String
The Element to which the Feature that connects the Element belongs.
featureName
String
The name of the Feature that connects the Element.
If the Feature that connects the Elements belongs to the second Element, add an isReversed parameter with the value of true.
Below the connectionFeature object, locate the second requestedType key. This is the place you will add the second Element in the query.
Add the details for the second requestedType key and the fields for the second filters object (and its keys).
For the target Element of your query, add an “isResult” key with a value of true.
Fill in the other fields of the request body as needed. For details, see Build a Query Request.
Connection Features
The following are the Features available for each Element to connect the Element to another Element.
The tables below contain the following:
The Element to which you can link
The Feature that enables you to link the Element
The value you need to enter in the elementInstanceType key in the connectionFeature object
The Element you will need to use as the second or following Element in the query
Automatic Execution Element
The Features in the table below are available to connect the Automatic Execution Element to other Elements, which is also displayed with these names:
Automatic execution
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Machine |
ownerMachine |
AutomaticExecution |
Machine |
Registry Entry |
registry |
AutomaticExecution |
RegistryEntry |
Service |
service |
AutomaticExecution |
Service |
Scheduled Task |
scheduledTask |
AutomaticExecution |
ScheduledTask |
Connection Element
The Features in the table below are available to connect the Connection Element to other Elements, which is also displayed with these names:
Connection (DNS query)
Connection (Local address)
Connection (Remote address)
Connection (associated listening socket)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Local address |
localAddress |
Connection |
IpAddress |
Remote address |
remoteAddress |
Connection |
IpAddress |
Owner machine |
ownerMachine |
Connection |
Machine |
Owner process |
ownerProcess |
Connection |
Process |
DNS query |
dnsQuery |
Connection |
DNSQueryResolvedDomainToIP |
Listening connection (Connections) |
connections |
ListeningConnection |
ListeningConnection |
Process (connections) |
connections |
Process |
Process |
URL domains |
urlDomains |
Connection |
Domain Name |
Associated listening connection |
parent |
ListeningConnection |
ListeningConnection |
Blacklist URL Domain |
blackListUrlDomainEvidence |
DomainName |
DomainName |
Domain name |
domainName |
DomainName |
DomainName |
Malicious URL Domains |
maliciousUrlDomains |
DomainName |
DomainName |
Remote machine |
remoteMachine |
Machine |
Machine |
Suspicious URL - Domain list |
urlDomainClassificationSuspicion |
DomainName |
DomainName |
DNS Query Resolved Domain to Domain Element
The Features in the table below are available to connect the DNS Query Resolved Domain to Domain Element to other Elements, which is also displayed with these names:
Domain to Domain
Resolved DNS queries from domain to domain
Connection (Remote address)
Connection (associated listening socket)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Source domain |
sourceDomain |
DnsQueryResolvedDomainToDomain |
DomainName |
Target domain |
targetDomain |
DnsQueryResolvedDomainToDomain |
DomainName |
Resolvers |
resolvers |
DnsQueryResolvedDomainToDomain |
IpAddress |
Hosts file (domain to domain) |
domainToDomain |
DnsQueryResolvedDomainToDomain |
HostsFile |
Process (resolved DNS queries from domain) |
resolvedDnsQueriesDomainToDomain |
DnsQueryResolvedDomainToDomain |
Process |
DNS Query Resolved Domain to IP Element
The Features in the table below are available to connect the DNS Query Resolved Domain to IP Element to other Elements, which is also displayed with these names:
DNS query resolved Domain to IP (source domain)
DNS entries
DNS query resolved Domain to IP (target domain)
Element to link to |
Feature |
Element Instance Type Field Value |
|
|---|---|---|---|
Source domain |
sourceDomain |
DnsQueryResolvedDomainToIP |
Domain Name |
Target IP |
targetIpAddress |
DnsQueryResolvedDomainToIP |
IP Address |
Resolvers |
resolvers |
DnsQueryResolvedDomainToIP |
IP Address |
Connection (DNS Query) |
dnsQuery |
DnsQueryResolvedDomainToIP |
Connection |
Process (Resolved DNS queries from domain to IP) |
resolvedDnsQueriesDomainToIp |
Process |
Process |
DNS Query Resolved IP to Domain Element
The Features in the table below are available to connect the DNS Query Resolved IP to Domain Element to other Elements, which is also displayed with these names:
DNS query resolved Domain to IP (source domain)
DNS entries
DNS query resolved Domain to IP (target domain)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Domain name |
targetDomain |
DnsQueryResolvedIpToDomain |
DomainName |
IP address |
sourceIpAddress |
DnsQueryResolvedIpToDomain |
IpAddress |
Resolvers |
resolvers |
DnsQueryResolvedIpTodomain |
IpAddress |
Process (Resolved DNS Queries from IP to Domain) |
resolvedDnsQueriesIPToDomain |
Process |
Process |
DNS Query Unresolved from Domain Element
The Features in the table below are available to connect the DNS Query Unresolved from Domain Element to other Elements, which is also displayed with these names:
DNS query unresolved from Domain (Domain name)
Unresolved domain DNS lookups
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Domain name |
sourceDomain |
DnsQueryUnresolvedFromDomain |
DomainName |
Resolvers |
resolvers |
DnsQueryUnresolvedFromDomain |
IpAddress |
Process (Unresolved domain DNS lookups) |
unresolvedDnsQueriesFromDomain |
Process |
Process |
Domain Name Element
The Features in the table below are available to connect the Domain Name Element to other Elements, which is also displayed with these names:
Source domain
Target domain
Domain name
Host
Links
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
DNS query resolved Domain to IP (source domain) |
sourceDomain |
DnsQueryResolvedDomainToIp |
DNSQueryResolvedDomainToDomain |
DNS query resolved Domain to Domain (source domain) |
sourceDomain |
DnsQueryResolvedDomainToDomain |
DNSQueryResolvedDomainToDomain |
DNS query resolved Domain to Domain (Target domain) |
targetDomain |
DnsQueryResolvedDomainToDomain |
DNSQueryResolvedDomainToDomain |
DNS query resolved IP to Domain (Domain name) |
targetDomain |
DnsQueryResolvedIpToDomain |
DNSQueryResolvedIpToDomain |
DNS query unresolved from Domain (Domain name) |
sourceDomain |
DnsQueryUnresolvedFromDomain |
DNSQueryUnresolvedFromDomain |
Driver Element
The Features in the table below are available to connect the Driver Element to other Elements, which is also displayed with these names:
Driver
Driver (file)
Target domain
Domain name
Host
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
File |
file |
Driver |
File |
Owner machine |
ownerMachine |
Driver |
Machine |
Service |
service |
Driver |
Service |
Event Element
The Features in the table below are available to connect the Event Element to other Elements, which is also displayed with these names:
Events related with resource
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Connection |
connection |
Event |
Connection |
File |
sourceFile |
Event |
File |
File |
targetFile |
Event |
File |
IP Address |
sourceIpAddress |
Event |
IpAddress |
Machine |
performerHost |
Event |
Machine |
Machine |
victimHost |
Event |
Machine |
Resource |
targetResource |
Event |
Resource |
User Account |
targetUser |
Event |
User |
User Identity |
performerUserIdentity |
Event |
UserIdentity |
User Identity |
victimUserIdentity |
Event |
UserIdentity |
File Element
The Features in the table below are available to connect the File Element to other Elements, which is also displayed with these names:
File
Quarantined file
Original file
Exporting module
File (machine)
Image file
Original file
Quarantined file
File (registry key)
Registry entry file
Executable
Binary file
Source file for event
Target file for event
Attachments
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Machine |
ownerMachine |
File |
Machine |
Process (image file) |
imageFile |
Process |
Process |
Module (file) |
file |
Module |
Module |
Driver (file) |
file |
Driver |
Driver |
Service (binary file) |
binaryFile |
Service |
Service |
Hosts File (file) |
file |
HostsFile |
HostsFile |
Mount Point |
mount |
File |
MountPoint |
Quarantined file |
quarantineVersion |
File |
File |
Original file |
originalVersion |
File |
File |
Quarantine actions |
fileIsQuarantined |
File |
QuarantineFile |
Creation quarantine action |
fileIsQuarantinedVersion |
File |
QuarantineFile |
Registry key |
autorn |
File |
Registry Key |
Scheduled task action (exectuable) |
fileInfo |
Executable Task Action |
ExecutableTaskAction |
Creation quarantine action |
fileIsQuarantinedVersion |
QuarantineFile |
QuarantineFile |
Downloaded from domain |
downloadedFromDomain |
DomainName |
DomainName |
Downloaded from IP address |
downloadedFromIpAddress |
IpAddress |
IpAddress |
Registry entries |
autoruns |
autorun |
autorun |
Scheduled task actions running this file |
executableTaskActions |
ExecutableTaskAction |
ExecutableTaskAction |
Function Details Element
The Features in the table below are available to connect the Function Details Element to other Elements, which is also displayed with these names:
Function Details
Hooked Functions
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Exporting module |
ExportingFile |
FunctionDetails |
File |
Hosts File Element
The Features in the table below are available to connect the Hosts File Element to other Elements, which is also displayed with these names:
Hosts file
Process (resolved DNS queries from domain)
Hosts file (file)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
DNS entries |
domainToIp |
HostsFile |
DnsQueryResolvedDomainToIp |
Domain to Domain |
domainToDomain |
HostsFile |
DnsQueryResolvedDomainToDomain |
Machine |
ownerMachine |
HostsFile |
Machine |
File |
file |
HostsFile |
File |
Related DHCP interfaces |
TBD |
NetworkInterface |
NetworkInterface |
Related gateway interfaces |
NetworkInterface |
NetworkInterface |
IP Address Element
The Features in the table below are available to connect the IP Address Element to other Elements, which is also displayed with these names:
Local address
Remote address
Resolvers
Target IP
Source IP
DHCP server address
DNS server address
Gateway address
IP address of event originator
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Connection (Local address) |
localAddressLinks |
Connection |
Connection |
Connection (Remote address) |
remoteAddress |
Connection |
Connection |
Machine |
ownerMachine |
IP Address |
Machine |
Related DHCP interfaces |
dhcpServerOfInterfaces |
IP Address |
NetworkInterface |
Related gateway interfaces |
gatewayOfInterfaces |
IP Address |
NetworkInterface |
DNS query resolved Domain to IP (Target domain) |
targetIpAddress |
DnsQueryResolvedDomainToIp |
DnsQueryResolvedIpToDomain |
DNS query resolved IP to Domain (IP address) |
sourceIPAddress |
DnsQueryResolvedIpToDomain |
DnsQueryResolvedDomainToIp |
DNS query unresolved from IP (Source IP address) |
sourceIpAddress |
DnsQueryUnresolvedFromIP |
DnsQueryUnresolvedFromIp |
IP Range Element
The Features in the table below are available to connect the IP Range Element to other Elements, which is also displayed with these names:
IP Range
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Owner Process |
ownerProcess |
ipRangeScan |
Process |
Listening Connection Element
The Features in the table below are available to connect the Listening Connection Element to other Elements, which is also displayed with these names:
Listening connection
Listening connection (connections)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Owner machine |
ownerMachine |
Listening Connnection |
Machine |
Owner process |
ownerProcess |
Listening Connection |
Process |
Connections (associated listening socket) |
parent |
Connection |
Connection |
Local address |
localAddress |
IpAddress |
IpAddress |
Owner module |
ownerModule |
File |
File |
Service |
ownerServic |
Service |
Service |
Local Network Element
The Features in the table below are available to connect the Local Network Element to other Elements, which is also displayed with these names:
Local networks
Network interface (local networks the network interface is registered on)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Network Interface (local networks the network interface is registered on) |
localNetworks |
NetworkInterface |
NetworkInterface |
IP address of the network’s gateway |
gatewayIp |
IpAddress |
IpAddress |
Machines |
machines |
Machine |
Machine |
DHCP server address |
dhcpServer |
IpAddress |
IpAddress |
DNS server address |
dnsServer |
IpAddress |
IpAddress |
Logon Session Element
The Features in the table below are available to connect the Logon Session Element to other Elements, which is also displayed with these names:
Logon sessions
Suspects
Client logon session
Server logon session
Logon session (user)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Owner machine |
ownerMachine |
LogonSession |
Machine |
User |
user |
LogonSession |
User |
Process |
process |
LogonSession |
Process |
Remote machine |
remoteMachine |
LogonSession |
Machine |
Owner machine |
ownerMachine |
LogonSesson |
Machine |
Client Remote Session |
clientRemoteSession |
Logon Session |
RemoteSession |
Server Remote Session |
serverRemoteSession |
Logon Sesson |
RemoteSession |
Proxies |
proxies |
Logon Session |
Proxy |
Source IP |
sourceIp |
Logon Session |
IpAddress |
Remote network machine |
remoteNetworkMachine |
Logon Session |
NetworkMachine |
Pass the Ticket Remote Sessions |
passTheTicketRemoteSessions |
Logon Session |
RemoteSession |
Machine Element
The Features in the table below are available to connect the Machine Element to other Elements, which is also displayed with these names:
Machine
Owner machine
Remote machine
Affected machines
Client machine
Server machine
Last Machine logged in to
Performer host
Victim host
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Users |
users |
Machine |
User |
Logon sessions |
logonSessions |
Machine |
LogonSession |
Processes |
processes |
Machine |
Process |
Services |
services |
Machine |
Service |
Drivers |
drivers |
Machine |
Driver |
Hosts file |
hostsFile |
Machine |
HostsFile |
Mount points |
mountPoints |
Machine |
MountPoint |
Network interfaces |
networkInterfaces |
Machine |
NetworkInterface |
Removable devices |
removableDevices |
Machine |
MountPoint |
File (machine) |
ownerMachine |
File |
File |
Local networks |
localNetworks |
Machine |
LocalNetwork |
Malicious Tools |
maliciousTools |
Machine |
Process |
Network machine |
networkMachine |
Machine |
NetworkInterface |
Registry entries |
autoruns |
Machine |
Autorun |
Spreading drivers |
hasSpreadDriversEvidence |
Machine |
Driver |
Suspicious processes |
suspiciousProcesses |
Machine |
Process |
Machines Interaction Element
The Features in the table below are available to connect the Machines Interaction Element to other Elements, which is also displayed with these names:
Interactions
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Compromised user |
user |
MachinesInteraction |
User |
Process initiating interaction |
clientProcess |
MachinesInteraction |
Process |
Process initiating interaction on server machine |
serverProcess |
MachinesInteraction |
Process |
User on client machine |
clientUser |
MachinesInteraction |
User |
User on server machine |
serverUser |
MachinesInteraction |
User |
Client machine |
clientMachine |
MachinesInteraction |
Machine |
Server machine |
serverMachine |
MachinesInteraciton |
Machine |
Malop Process Element
The Features in the table below are available to connect the Malop Process Element to other Elements, which is also displayed with these names:
Malop Process Elements
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Affected machines |
affectedMachines |
MalopProcess |
Machine |
Affected users |
affectedUsers |
MalopProcess |
Machine |
Suspicious processes |
suspects |
MalopProcess |
Process |
Files for remediation |
filesToRemediate |
MalopProcess |
File |
Files for remediation |
registryKeysToRemediate |
MalopProcess |
Autorun |
New suspects |
newSuspects |
MalopProcess |
Process |
Processes for remediation |
processesToRemediate |
MalopProcess |
Process |
Suspect features |
suspectsFeatureCollection |
MalopProcess |
Process |
Suspects Host Processes |
MalopProcess |
Process |
|
Suspects Injecting Processes |
suspectsHostProcesses |
MalopProcess |
Process |
Suspects Processes |
suspectsProcesses |
MalopProcess |
Process |
Suspects with no TID |
suspectsWithNoTid |
MalopProcess |
Process |
Suspicious Processes |
suspects |
MalopProcess |
Process |
Malop Logon Session Element
The Features in the table below are available to connect the Malop Logon Session Element to other Elements, which is also displayed with these names:
Malop Logon Session
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Affected machines |
affectedMachines |
MalopProcess |
Machine |
Affected users |
affectedUsers |
MalopProcess |
Machine |
Suspicious processes |
suspects |
MalopProcess |
Process |
Files for remediation |
filesToRemediate |
MalopProcess |
File |
Files for remediation |
registryKeysToRemediate |
MalopProcess |
Autorun |
New suspects |
newSuspects |
MalopProcess |
Process |
Processes for remediation |
processesToRemediate |
MalopProcess |
Process |
Suspect features |
suspectsFeatureCollection |
MalopProcess |
Process |
Suspects Host Processes |
MalopProcess |
Process |
|
Suspects Injecting Processes |
suspectsHostProcesses |
MalopProcess |
Process |
Suspects Processes |
suspectsProcesses |
MalopProcess |
Process |
Suspects with no TID |
suspectsWithNoTid |
MalopProcess |
Process |
Suspicious Processes |
suspects |
MalopProcess |
Process |
Module Element
The Features in the table below are available to connect the Module Element to other Elements, which is also displayed with these names:
Module
Loaded modules
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
File |
file |
Module |
File |
Machine |
ownerMachine |
Module |
Machine |
Process (loaded modules) |
loadedModules |
Module |
Process |
Message Element
The Features in the table below are available to connect the Message Element to other Elements, which is also displayed with these names:
Module
Loaded modules
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
File |
attachments |
Message |
File |
Domain name |
links |
Message |
DomainName |
Mount Point Element
The Features in the table below are available to connect the Mount Point Element to other Elements, which is also displayed with these names:
Mount Point
Removable devices
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Files |
file |
MountPoint |
File |
Owner machine |
ownerMachine |
MountPoint |
Machine |
Network Interface Element
The Features in the table below are available to connect the Network Interface Element to other Elements, which is also displayed with these names:
Network Interface
Related DHCP interfaces
Related gateway interfaces
IP address
Network interface (proxies)
Server
Client
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
IP address |
ipAddress |
NetworkInterface |
NetworkInterface |
Owner machine |
ownerMachine |
NetworkInterface |
Machine |
DHCP server address |
dhcpServer |
NetworkInterface |
UpAddress |
DNS server address |
dnsServer |
NetworkInterface |
IpAddress |
Gateway address |
NetworkInterface |
IpAddress |
|
Proxies |
proxies |
NetworkInterface |
Proxy |
Local networks the interface is registered on |
localNetworks |
NetworkInterface |
LocalNetwork |
Network Machine Elements
The Features in the table below are available to connect the Network Machine Element to other Elements, which is also displayed with these names:
Network Machine
Client
Server
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Machine |
machine |
NetworkMachine |
Machine |
Process Element
The Features in the table below are available to connect the Process Element to other Elements, which is also displayed with these names:
Process
Owner Process
Process (connections)
Process (resolved DNS queries from domain)
Process (Resolved DNS queries from domain to IP)
Process (Resolved DNS queries from IP to domain)
Process (Unresolved domain DNS lookups)
Process (Unresolved IP DNS lookups)
Process (Image file)
Suspicious processes
Parent process
Children
Executing process
Host process
Host injected children
Children created by thread
Process (registry key)
Creating process
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Owner machine |
ownerMachine |
Process |
Machine |
User |
calculateUser |
Process |
User |
Image file |
imageFile |
Process |
File |
Connections |
connection |
Process |
Connection |
Parent process |
parentProcess |
Process |
Process |
Children |
children |
Process |
Process |
Executing process |
execedBy |
Process |
Process |
Loaded modules |
loadedModules |
Process |
Module |
IP range scan set |
ipRangneScanSet |
Process |
IpRangeScan |
Hooked functions |
hookedFunctions |
Process |
FunctionDetails |
Host process |
hostProcess |
Process |
Process |
Host user |
hostUser |
Process |
User |
Host injected children |
hostedChildren |
Process |
Process |
Children created by thread |
childrenCreatedByThread |
Process |
Process |
Automatic executions |
automaticExecutions |
Process |
Process |
Registry entry |
autorun |
Process |
Autorun |
Service |
service |
Process |
Service |
Scheduled task |
scheduledtask |
Process |
ScheduledTask |
Remote session |
remoteSession |
Process |
RemoteSession |
Logon session |
logonSessionn |
Process |
LogonSession |
Resolved DNS queries from domain to domain |
resolvedDnsQueriesDomainToDomain |
Process |
DnsQueryResolvedDomainToDomain |
Resolved DNS queries from domain to IP |
resolvedDnsQueriesDomainToIp |
Process |
DnsQueryResolvedDomainToIp |
Resolved DNS queries from IP to Domain |
resolvedDnsQueriesIpToDomain |
Process |
DnsQueryResolvedIpToDomain |
Unresolved domain DNS lookups |
unresolvedDnsQueriesFromDomain |
Process |
DnsQueryUnresolvedFromDomain |
Unresolved IP DNS lookups |
unresolvedDnsQueriesFromIP |
Process |
DnsQueryUnresolvedFromIp |
Blacklist domains |
blackListDomains |
Process |
DomainName |
Blacklisted domain to domain DNS |
blackListDnsQueryDomainToDomain |
Process |
DnsQueryResolvedDomainToDomain |
Blacklisted domain-to-IP DNS queries |
dnsQueryFromBlackListDomain |
Process |
DnsQueryResolvedDomainToIp |
Blacklisted domains (Connection) |
blackListConnectionDomains |
Process |
DomainName |
Blacklisted domains (DNS) |
blackListDomainsDnsDomainToIp |
Process |
DomainName |
Blacklisted domains (domain to domain DNS - source) |
blackListDomainDnsDomainToDomainSource |
Process |
DomainName |
Blacklisted domains (domain to domain DNS - target) |
blackListDomainDnsDomainToDomainTarget |
Process |
DomainName |
Blacklisted domains (reversed DNS) |
blackListDomainsDnsIpToDomain |
Process |
DomainName |
Blacklisted domains (unresolved DNS) |
blackListDomainDnsUnresolvedFromDomain |
Process |
DomainName |
Blacklisted domains (URL) |
blackListUrlDomains |
Process |
DomainName |
Blacklisted IP addresses |
blackListIpAddresses |
Process |
IpAddress |
Blacklisted IP-to-domain DNS queries |
dnsQueryToBlackListDomain |
Process |
DnsQueryResolvedIpToDomain |
Blacklisted modules |
blackListClassificationModules |
Process |
Module |
Children with malicious script execution |
childrenWithMaliciousScriptExecution |
Process |
Process |
Connections of host process |
connectionsOfHostProcess |
Process |
Connection |
Connections to blacklist domains |
connectionsToBlackListDomain |
Process |
Connection |
Connections to Malicious Domain |
Process |
Connection |
|
Connections to malware address |
Process |
Connection |
|
Created children |
connectionsToMaliciousDomain |
Process |
Process |
Creator process |
creatorProcess |
Process |
Process |
Creator thread |
creatorThread |
Process |
Process |
Different Signer Modules |
differentSignerModule |
Process |
Module |
Dynamic configuration connections |
dynamicConfigurationConnections |
Process |
Connection |
Elevating Privilege Child Processes |
elevatedPrivilegeChildren |
Process |
Process |
Executing process |
execedBy |
Process |
Process |
External connections |
externalConnections |
Process |
Connection |
Fake modules |
fakeModules |
Process |
Connection |
Fake OWAAuth Modules |
fakeOwaAuthModules |
Process |
Module |
Hacker tool children |
hackerToolChildren |
Process |
Process |
High volume connections to malicious address |
absoluteHighVolumeMaliciousAddressConnections |
Process |
Connection |
High volume external connections |
Process |
Connection |
|
Incoming connections |
incomingConnections |
Process |
Connection |
Incoming connections of host process |
incomingConnectionsOfHostProcess |
Process |
Connection |
Incoming external connections |
incomingExternalConnections |
Process |
Connection |
Incoming internal connections |
incomingInternalConnections |
Process |
Connection |
Injected Child Processes |
injectedChildren |
Process |
Process |
Internal connections |
internalConnections |
Process |
Connection |
Internal outgoing embryonic connections |
internalOutgoingEmbryonicConnections |
Process |
Connection |
Ip range scan set |
ipRangeScanSet |
Process |
Connection |
Listening connections |
listeningConnections |
Process |
Connection |
Local connections |
localConnections |
Process |
Connection |
Low TTL DNS Queries |
hasLowTtlDnsQueryEvidence |
Process |
DnsQueryResolvedDomainToIp |
Mail connections |
mailConnections |
Process |
Connection |
Malicious connection domains |
maliciousConnectionDomains |
Process |
Connection |
Malicious domains |
maliciousDomains |
Process |
DomainName |
Malicious reputation addresses |
maliciousIpAddresses |
Process |
IpAddress |
Malicious resolved domains |
maliciousDomainsDnsDomainToIp |
Process |
DomainName |
Malicious source domains |
maliciousDomainDnsDomainToDomainSource |
Process |
DomainName |
Malicious target domain |
maliciousDomainDnsDomainToDomainTarget |
Process |
DomainName |
Malicious tool modules |
maliciousToolModuleEvidence |
Process |
Module |
Malicious unresolved domains |
maliciousDomainDnsUnresolvedFromDomain |
Process |
DomainName |
Malicious URL domains |
maliciousUrlDomains |
Process |
DomainName |
Malware classification modules |
malwareClassificationModules |
Process |
Module |
Modules loaded from the temporary directory |
modulesFromTemp |
Process |
Module |
Non-default resolver DNS queries |
nonDefaultResolverQueries |
Process |
DnsQueryResolvedDomainToIp |
Outgoing connections |
outgoingConnections |
Process |
Connections |
Outgoing connections of host process |
outgoingConnectionsOfHostProcess |
Process |
Connection |
Outgoing external connections |
outgoingExternalConnections |
Process |
Connection |
Outgoing internal connections |
outgoingInternalConnections |
Process |
Connection |
Power shell modules |
powerShellModules |
Process |
Module |
Ransomware classification modules |
ransomwareClassificationModules |
Process |
Module |
Rare external connections |
rareExternalConnections |
Process |
Connection |
Rare internal connections |
hasRareInternalConnection |
Process |
Connection |
Rare module registry entry |
rareModuleAutorun |
Process |
Module |
Registry entry |
autorun |
Process |
Autorun |
Signed and Unsigned Modules |
unsignedDuplicateModule |
Process |
Module |
Suspicious Domain-to-Domain DNS queries |
suspiciousDnsQueryDomainToDomain |
Process |
DnsQueryResolvedDomainToDomain |
Suspicious Domain-to-IP DNS queries |
dnsQueryFromSuspiciousDomain |
Process |
DnsQueryResolvedDomainToIp |
Suspicious external connections |
suspiciousExternalConnections |
Process |
Connection |
Suspicious internal connections |
suspiciousInternalConnections |
Process |
Connection |
Suspicious IP-to-Domain DNS queries |
dnsQueryToSuspiciousDomain |
Process |
DnsQueryResolvedIpToDomain |
Suspicious Unresolved Domain DNS queries |
unresolvedQueryFromSuspiciousDomain |
Process |
DnsQueryUnresolvedFromDomain |
Unresolved DNS not existing record |
unresolvedRecordNotExist |
Process |
DnsQueryUnresolvedFromDomain |
Unresolved domain DNS lookups |
unresolvedDnsQueriesFromDomain |
Process |
DnsQueryUnresolvedFromDomain |
Unresolved IP DNS lookups |
unresolvedDnsQueriesFromIp |
Process |
DnsQueryUnresolvedFromIp |
Unsigned with a signed version modules |
unsignedWithSignedVersionModules |
Process |
Module |
Unwanted classification modules |
unwantedClassificationModules |
Process |
Module |
Well Known Port External Connections |
wellKnownPortConnections |
Process |
Connection |
Proxy Element
The Features in the table below are available to connect the Proxy Element to other Elements, which is also displayed with these names:
Proxy
Proxies
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
IP address |
ipAddress |
Proxy |
IpAddress |
Host |
host |
Proxy |
DomainName |
Network interface (proxies) |
proxies |
NetworkInterface |
NetworkInterface |
Quarantine File Element
The Features in the table below are available to connect the Quarantine File Element to other Elements, which is also displayed with these names:
Quaratine File
Quarantine actions
Creation quarantine action
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Original file |
file |
QuarantineFile |
File |
Quarantined file |
quarantineFile |
QuarantineFile |
File |
Machine |
ownerMachine |
QuarantineFile |
Machine |
Registry Entry Element
The Features in the table below are available to connect the Registry Entry Element to other Elements, which is also displayed with these names:
Registry Entry
Registry Key
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Registry entry file |
dependInFile |
Autorun |
File |
File (registry key) |
autorun |
File |
File |
Process (registry key) |
autorun |
Process |
Process |
Automatic execution |
automaticExecution |
Autorun |
AutomaticExecution |
Remote Session Element
The Features in the table below are available to connect the Remote Session Element to other Elements, which is also displayed with these names:
Remote session
Remote session (user)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Client machine |
clientMachine |
RemoteSession |
Machine |
Server machine |
serverMachine |
RemoteSession |
Machine |
User |
user |
RemoteSession |
User |
Client |
client |
RemoteSession |
NetworkMachine |
Client logon session |
clientLogonSession |
RemoteSession |
LogonSession |
Processes |
processes |
RemoteSession |
Process |
Server |
server |
RemoteSession |
NetworkMachine |
Server logon session |
serverLogonSession |
RemoteSession |
LogonSession |
Resource Element
The Features in the table below are available to connect the Resource Element to other Elements, which is also displayed with these names:
Target resource associated with event
Parent resource
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Event |
relatedEvents |
Resource |
Event |
Resource |
parent |
Resource |
Resource |
Scheduled Task Element
The Features in the table below are available to connect the Scheduled Task Element to other Elements, which is also displayed with these names:
Scheduled task
Scheduled task (scheduled task actions)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Scheduled task (scheduled task actions) |
exectuableActions |
ExecutableTaskActions |
ScheduledTask |
Author |
author |
ScheduledTask |
User |
Files |
files |
ScheduledTask |
File |
Machine |
ownerMachine |
ScheduledTask |
Machine |
Scheduled Task Action Element
The Features in the table below are available to connect the Scheduled Task Action Element to other Elements, which is also displayed with these names:
Scheduled task action
Scheduled task action (executable)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Scheduled task actions |
executableActions |
ScheduledTask |
ExecutableTaskAction |
Processes |
processes |
ScheduledTask |
Process |
Author |
author |
ScheduledTask |
User |
Last modified by |
lastUpdatedBy |
ScheduledTask |
User |
Automatic execution |
automaticExecution |
ScheduledTask |
AutomaticExecution |
Machine |
ownerMachine |
ScheduledTask |
Machine |
Files |
files |
ScheduledTask |
File |
Service Element
The Features in the table below are available to connect the Service Element to other Elements, which is also displayed with these names:
Service
Service (binary file)
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Scheduled task actions |
executableActions |
ScheduledTask |
ExecutableTaskAction |
Processes |
processes |
ScheduledTask |
Process |
Author |
author |
ScheduledTask |
User |
Last modified by |
lastUpdatedBy |
ScheduledTask |
User |
Automatic execution |
automaticExecution |
ScheduledTask |
AutomaticExecution |
Machine |
ownerMachine |
ScheduledTask |
Machine |
Files |
files |
ScheduledTask |
File |
User Account Element
The Features in the table below are available for the User Account Element, which is also displayed with these names:
User
Author
Last modified by
Host user
Affected users
Target User Account
User accounts
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Processes |
processes |
User |
Process |
Organization |
organization |
User |
N/A |
Logon session (user) |
LogonSession |
User |
LogonSession |
Remote session (user) |
RemoteSession |
User |
RemoteSession |
Last machine logged into |
ownerMachine |
User |
Machine |
Malicious processes |
maliciousProcesses |
User |
Process |
Malicious tools |
maliciousTools |
User |
Process |
Owner machine |
ownerMachine |
User |
Machine |
Scheduled tasks created |
createdScheduledTasks |
User |
ScheduledTask |
Scheduled tasks modified |
updatedScheduledTaskss |
User |
ScheduledTask |
Suspicious processes |
suspiciousProcesses |
User |
Process |
User Identity Element
The Features in the table below are available to connect the User Identity Element to other Elements, which is also displayed with these names:
Performer user identity
Victim user identity
Source user identity for event
Target user identity for event
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Event |
eventSourceUserIdentity |
UserIdentity |
Event |
Event |
eventTargetUserIdentity |
User Identity |
Event |
User Account |
accounts |
UserIdentity |
User |
WMI Persistent Object Element
The Features in the table below are available to connect the WMI Persistent Object Element to other Elements, which is also displayed with these names:
WMI Persistent Object
Element to link to |
Feature |
Element Instance Type Field Value |
Second Element |
|---|---|---|---|
Owner machine |
ownerMachine |
WmiPersistentObject |
Machine |
Creating process |
creatingProcess |
WmiPersistentObject |
Process |
Client machine |
clientMachine |
WmiPersistentObject |
Machine |
Examples
Search for outgoing connections from a process with a hash
This query returns all connections from any process with an image file hash matching the string d4149106f22. The first item filters processes with the specified hash, and defines the relationship to the next element through the Feature Connections on the process Element type. The connection Feature is used to point the system on what Feature the relationship between a process and its connections is defined. This is particularly important in cases of ambiguity for Element type alone (e.g. process –> child processes as opposed to process –> parent processes). The second item is then specified to filter only outgoing connections and return them as the result of the query (by specifying result:true).
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileHash",
"values": [
"d4149106f22"
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "connections"
}
},
{
"requestedType": "Connection",
"filters": [
{
"facetName": "isOutgoing",
"values": [
true
]
}
],
"result": true
}
]
}
Search for files that have an associated driver
This query returns all files that have a driver. The first item defines the relationship between files and drivers. Note that the Feature file is defined on the driver Element type, so the relationship is reversed. The second item has no filters and only specifies that we are looking for drivers. The result is a list of files because the item is marked result:true.
The second item is required in order for the system to know it has to filter files from the first item. The connection Feature alone is not enough as it only serves a pointer to the feature on a file element where drivers are referenced. The second item actually adds the files with a driver filter to the chain.
{ "queryPath": [ { "requestedType": "File", "connectionFeature": { "elementInstanceType": "Driver", "featureName": "file" }, "isReversed": true, "result": true }, { "requestedType": "Driver" } ] }
Search for all child process
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "elementDisplayName",
"values": [
"cmd.exe"
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "connections"
},
"result": true
},
{
"requestedType": "Connection",
"filters": [
{
"facetName": "isOutgoing",
"values": [
true
]
}
]
}
]
}