Find Processes with Connections Transmitting Large Amounts of Data

This topic provides a step-by-step example of how you can use the API to run a query that finds processes with connections transmitting a high volume of data.

Step 1: Plan your queries

To create queries that return meaningful results, you must plan your queries carefully:

  1. Enumerate in a general way what you want to find, such as computers or processes.

  2. Determine the indicators you will use to identify your target, such as a specific operating system. Write an explicit statement of your query.

For detailed documentation on planning and building your queries, see the Hunting and Investigation documentation in the Cybereason core documentation.

For our example queries, we can write the following statement: I want to find processes that open connections and in which the connections are transmitting a large amount of data.

With this statement we can build a query in the Investigation screen.

Step 2: Build your queries in the Investigation screen

A query in the Investigation screen has two parts:

  • Elements are the objects you want to find, or the computing components named in your statement.

  • Features, or filters, are the indicators that identify the target.

In this example, you build this query:

  1. Process Element

  2. Connection Element

  3. Add a filter on the Connection element: High Volume of Data Transmitted is True. (In the API request body this filter appears as the facet absoluteHighTransmittedBytesEvidence with the value true.)

(Figure: Query used to find instances of a process with connections transmitting data)

Step 3: Run your queries and generate the API request body

  1. In Chrome, open Chrome DevTools.

  2. In the Cybereason Investigation screen, click Get results.

  3. After the query has finished running, select the Network tab in Chrome DevTools, and then select the relevant request (the POST to /rest/visualsearch/query/simple).

  4. In the Request Payload section in the lower part of the window, copy the entire request payload. You will use this as the request body for the API request.

    (Figure: Sample of API information in Chrome DevTools)

Step 4: Build and send the API request

Use the cURL command below, or paste the same request body into your REST API client or Python script. The queryPath mirrors the query you built in the Investigation screen: the Process element is linked through its connections feature to the Connection element, the Connection element carries the filter (facetName absoluteHighTransmittedBytesEvidence with the value true), and "isResult": true marks the Connection element as the one whose instances the query returns. The customFields list selects the fields returned for each result; totalResultLimit, perGroupLimit and perFeatureLimit cap the size of the result set, and queryTimeout is in milliseconds.

In this example, we are using a stand-in address for a Cybereason server (myserver.com). If you use this request, replace this address with your actual server address.

All Python examples are formatted for Python version 3.0 and higher, up to the latest Python version. If you are using versions of Python earlier than 3.0, ensure you manually remove parentheses for the print statements in this sample. For example, the print (response.content) statement updates to print response.content.

curl --request POST \
  --url https://myserver.com/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
    "queryPath": [
      {
        "requestedType": "Process",
        "filters": [],
        "connectionFeature": {
          "elementInstanceType": "Process",
          "featureName": "connections"
        }
      },
      {
        "requestedType": "Connection",
        "filters": [
          {
            "facetName": "absoluteHighTransmittedBytesEvidence",
            "values": [true]
          }
        ],
        "isResult": true
      }
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
      "elementDisplayName",
      "direction",
      "ownerMachine",
      "ownerProcess",
      "aggregatedReceivedBytesCount",
      "aggregatedTransmittedBytesCount",
      "calculatedCreationTime",
      "endTime"
    ]
  }'

Step 5: Run your request and generate the response

In the command line, REST API client, or IDE, run the command or script that contains the request. After a few seconds, the Cybereason API returns a response.

Step 6: Evaluate the response

The response contains a large number of fields. Focus on the fields you requested in customFields for meaningful information: elementDisplayName (the local and remote socket of the connection), direction, ownerMachine and ownerProcess (the machine and process that opened the connection), aggregatedTransmittedBytesCount and aggregatedReceivedBytesCount, and calculatedCreationTime and endTime. Byte counts and timestamps are returned as strings; the timestamps are Unix epoch values in milliseconds. Also check the top-level status field (SUCCESS) and data.queryTerminated: if queryTerminated is true, the query stopped before completing and the result set is incomplete.

Example

In our example, the platform response includes the following fields:

{
            "data": {
                "resultIdToElementDataMap": {
                    "-1304188264.-874147594075097554": {
                        "simpleValues": {
                            "endTime": {
                                "totalValues": 1,
                                "values": [
                                    "1538512886832"
                                ]
                            },
                            "aggregatedTransmittedBytesCount": {
                                "totalValues": 1,
                                "values": [
                                    "286047059"
                                ]
                            },
                            "calculatedCreationTime": {
                                "totalValues": 1,
                                "values": [
                                    "1538512887866"
                                ]
                            },
                            "direction": {
                                "totalValues": 1,
                                "values": [
                                    "OUTGOING"
                                ]
                            },
                            "aggregatedReceivedBytesCount": {
                                "totalValues": 1,
                                "values": [
                                    "60112062"
                                ]
                            },
                            "elementDisplayName": {
                                "totalValues": 1,
                                "values": [
                                    "172.16.50.55:49789 > 34.192.67.124:8080"
                                ]
                            }
                        },
                        "elementValues": {
                            "ownerMachine": {
                                "totalValues": 1,
                                "elementValues": [
                                    {
                                        "elementType": "Machine",
                                        "guid": "-1304188264.1198775089551518743",
                                        "name": "WIN7-64B-ADMIN",
                                        "hasSuspicions": false,
                                        "hasMalops": false
                                    }
                                ],
                                "totalSuspicious": 0,
                                "totalMalicious": 0,
                                "guessedTotal": 0
                            },
                            "ownerProcess": {
                                "totalValues": 1,
                                "elementValues": [
                                    {
                                        "elementType": "Process",
                                        "guid": "-1304188264.1417219223781112053",
                                        "name": "activeconsole.exe",
                                        "hasSuspicions": false,
                                        "hasMalops": false
                                    }
                                ],
                                "totalSuspicious": 0,
                                "totalMalicious": 0,
                                "guessedTotal": 0
                            }
                        },
                        "suspicions": {},
                        "filterData": {
                            "sortInGroupValue": "-1304188264.-874147594075097554",
                            "groupByValue": "IpAddressRuntime:0.-8269605951501086514 address=1.2.3.4 , "
                        },
                        "isMalicious": false,
                        "suspicionCount": 0,
                        "guidString": "-1304188264.-874147594075097554",
                        "labelsIds": null,
                        "malopPriority": null,
                        "suspect": false,
                        "malicious": false
                    }
                },
                "suspicionsMap": {},
                "evidenceMap": {},
                "totalPossibleResults": 1,
                "guessedPossibleResults": 0,
                "queryLimits": {
                    "totalResultLimit": 1000,
                    "perGroupLimit": 100,
                    "perFeatureLimit": 100,
                    "groupingFeature": {
                        "elementInstanceType": "Connection",
                        "featureName": "remoteAddress"
                    },
                    "sortInGroupFeature": null
                },
                "queryTerminated": false,
                "pathResultCounts": [
                    {
                        "featureDescriptor": {
                            "elementInstanceType": "Process",
                            "featureName": null
                        },
                        "count": 1
                    },
                    {
                        "featureDescriptor": {
                            "elementInstanceType": "Process",
                            "featureName": "connections"
                        },
                        "count": 1
                    }
                ]
            },
            "status": "SUCCESS",
            "message": ""
        }
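The whole procedure from Step 4 to Step 6 in one script, as an added example (this is not code from the Cybereason documentation): it builds the request body from Step 4, sends it, and flattens the resultIdToElementDataMap structure from Step 6 into one row per connection, ranked by bytes transmitted. Assumptions that the page does not confirm: the session is established by posting username and password to /login.html and reusing the cookie the server sets; SERVER is the page's stand-in address; SAMPLE_RESPONSE is a constructed, trimmed copy of the Step 6 response so the parsing can be exercised offline with the --offline flag.

```python
"""Run the Step 4 query against the Cybereason API and rank the results.

Added example, not code from the Cybereason documentation. Assumed, not taken
from the page: login is a form POST to /login.html whose session cookie is kept
in a cookie jar; SERVER, the credentials and SAMPLE_RESPONSE are placeholders.
"""
import http.cookiejar
import json
import sys
import urllib.parse
import urllib.request

SERVER = "https://myserver.com"  # stand-in address, replace with your server
FACET = "absoluteHighTransmittedBytesEvidence"  # "High Volume of Data Transmitted is True"


def build_query(total_limit=1000, group_limit=100):
    """Request body from Step 4 as a dict: Process -> connections -> Connection."""
    return {
        "queryPath": [
            {"requestedType": "Process", "filters": [],
             "connectionFeature": {"elementInstanceType": "Process",
                                   "featureName": "connections"}},
            {"requestedType": "Connection",
             "filters": [{"facetName": FACET, "values": [True]}],
             "isResult": True},  # the Connection instances are the returned results
        ],
        "totalResultLimit": total_limit,
        "perGroupLimit": group_limit,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": ["elementDisplayName", "direction", "ownerMachine", "ownerProcess",
                         "aggregatedReceivedBytesCount", "aggregatedTransmittedBytesCount",
                         "calculatedCreationTime", "endTime"],
    }


def login(opener, username, password):
    """Assumed login flow: form POST to /login.html; the opener's jar keeps the cookie."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(SERVER + "/login.html", data=form)
    with opener.open(req, timeout=30) as resp:
        resp.read()


def run_query(opener, body):
    """POST the body to the Step 4 endpoint and decode the JSON reply."""
    req = urllib.request.Request(SERVER + "/rest/visualsearch/query/simple",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=150) as resp:  # a little longer than queryTimeout
        return json.load(resp)


def _simple(element, field, default=None):
    """First value of a simpleValues field (the API returns lists of strings)."""
    values = element.get("simpleValues", {}).get(field, {}).get("values") or []
    return values[0] if values else default


def _owner(element, field):
    """Name of the first linked element under elementValues (ownerMachine, ownerProcess)."""
    links = element.get("elementValues", {}).get(field, {}).get("elementValues") or []
    return links[0].get("name") if links else None


def summarize(response):
    """Rows from resultIdToElementDataMap, largest transmitted byte count first.
    Raises on a non-SUCCESS status or a terminated (truncated) query."""
    if response.get("status") != "SUCCESS":
        raise RuntimeError("query failed: %s %s" % (response.get("status"), response.get("message")))
    data = response["data"]
    if data.get("queryTerminated"):
        raise RuntimeError("query terminated early (limit or timeout); results are incomplete")
    rows = []
    for guid, element in data["resultIdToElementDataMap"].items():
        rows.append({
            "guid": guid,
            "connection": _simple(element, "elementDisplayName"),
            "direction": _simple(element, "direction"),
            "machine": _owner(element, "ownerMachine"),
            "process": _owner(element, "ownerProcess"),
            "tx_bytes": int(_simple(element, "aggregatedTransmittedBytesCount", 0)),
            "rx_bytes": int(_simple(element, "aggregatedReceivedBytesCount", 0)),
            "flagged": bool(element.get("suspect") or element.get("malicious")),
        })
    return sorted(rows, key=lambda r: r["tx_bytes"], reverse=True)


# Constructed sample, trimmed from the Step 6 response, so parsing can run offline.
SAMPLE_RESPONSE = {"status": "SUCCESS", "message": "", "data": {
    "queryTerminated": False, "resultIdToElementDataMap": {
        "-1304188264.-874147594075097554": {
            "simpleValues": {
                "elementDisplayName": {"values": ["172.16.50.55:49789 > 34.192.67.124:8080"]},
                "direction": {"values": ["OUTGOING"]},
                "aggregatedTransmittedBytesCount": {"values": ["286047059"]},
                "aggregatedReceivedBytesCount": {"values": ["60112062"]}},
            "elementValues": {
                "ownerMachine": {"elementValues": [{"elementType": "Machine", "name": "WIN7-64B-ADMIN"}]},
                "ownerProcess": {"elementValues": [{"elementType": "Process", "name": "activeconsole.exe"}]}},
            "suspect": False, "malicious": False}}}}

if __name__ == "__main__":
    if "--offline" in sys.argv:
        rows = summarize(SAMPLE_RESPONSE)
    else:
        import getpass
        opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
        login(opener, input("username: "), getpass.getpass())
        rows = summarize(run_query(opener, build_query()))
    for r in rows:
        print("%12d B tx %12d B rx  %-20s %-16s %s %s" % (
            r["tx_bytes"], r["rx_bytes"], r["process"], r["machine"], r["direction"], r["connection"]))
```

Run it with --offline to see the sample row parsed; without the flag it prompts for credentials and queries the server. summarize() deliberately refuses a response whose queryTerminated flag is true: a truncated list of high-volume connections looks exactly like a complete one, so raise totalResultLimit or narrow the query (for example, add a filter on the Process element) rather than reading partial output as the full picture.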