This document provides the release notes for the Q4 2015 Enhanced Query feature update for the Symantec Managed Security Services (MSS) portal.
Several new features and enhancements have been made available to customers as part of the Q4 2015 Enhanced Query feature update. The primary purpose of this feature update is to deliver incremental improvements to the Enhanced Query tool suggested by MSS customers, and to make the log query tool more intuitive to use and easier to re-use for customers' security analysts who may be used to conducting log searches and incident investigations with on-premises SIEM tools.
Barriers to Effective and Efficient Querying
Customers' security analysts (especially new ones) cannot easily search logs when they do not understand how log data is normalized
Customers' security analysts have no ability to share queries with others in their organization
Limitations on Data Exploration
The log query interface returns the log lines that match a query but tells customers nothing about how those results relate to the rest of their log data
Customers are unable to view a graphical summary of log query results
Performance and Scalability
Queries with long lists of binary values (e.g. IP addresses) have long execution times and consume excessive resources
Simple Search
Customer Problem: An organization's security analyst may need to run a search on their log data to find events related to a particular term, but may not know where to start when it comes to the log fields in which the term may appear.
Solution: With Simple Search, the analyst may enter a search term, along with the timeframe in which logs should be searched, without first specifying a field or fields to be searched. The tool automatically chooses the most likely fields in which the search term may be found, and returns a bar chart showing the fields in which the search term occurred most frequently.
Figure 1 - Simple Search Interface
From the chart returned by Simple Search, customers may drill down into the search results and view the contents of the logs that make up the selected result set.
Figure 2 - Example of Simple Search Results
Query Pivot
Customer Problem: While searching through log data, an organization's security analyst may be unaware of relationships between a search term and other frequently occurring values in the query results, and could therefore miss an important connection during an incident investigation.
Solution: With Query Pivot, a per-field count of the unique values returned for the query result set is displayed to the left of the main query results, allowing the analyst to quickly recognize patterns or connections that they might not otherwise see. The analyst may click any returned value to immediately refocus the query on it.
Figure 3 - Example of field drill-down into Query Pivot pane
File Hash Search
Customer Problem: During an incident investigation, an organization's security analyst may need to quickly identify instances where a file hash value (or values) has been recorded in logs, in order to determine the extent of an infection or outbreak, or to locate systems that may be compromised by a particular piece of malicious code.
Solution: With MD5, SHA1 and SHA256 file hash fields now searchable in the Enhanced Log Query tool, the analyst can quickly query logs for occurrences of a file hash value (or of multiple values, using user-defined lists).
Figure 4 - File Hash Search
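The three search features described above (Simple Search, Query Pivot and File Hash Search) can be illustrated on a handful of normalized log records. The code below is an added example written for these release notes; it is not Symantec code and does not reflect how the MSS portal implements these features. It assumes a normalized record is a dictionary of named fields, that "likely" fields for a free-text term are the string fields listed in TEXT_FIELDS, and that the hash field a digest belongs in can be inferred from its hex length. The sample records and hash values are constructed (the digests are the well-known MD5 and SHA256 of an empty input, not indicators from the page).

```python
from collections import Counter
import re

# Constructed sample of normalized log records (not real MSS data).
# Each record is one log line after normalization into named fields.
SAMPLE_LOGS = [
    {"event_time": "2015-10-01T08:00:01Z", "src_ip": "10.1.1.5", "dst_ip": "203.0.113.9",
     "user": "alice", "url": "http://example.test/login", "file_md5": "", "file_sha256": ""},
    {"event_time": "2015-10-01T08:00:07Z", "src_ip": "10.1.1.5", "dst_ip": "203.0.113.9",
     "user": "alice", "url": "http://example.test/download/tool.exe",
     "file_md5": "d41d8cd98f00b204e9800998ecf8427e", "file_sha256": ""},
    {"event_time": "2015-10-01T08:01:12Z", "src_ip": "10.1.1.7", "dst_ip": "198.51.100.4",
     "user": "bob", "url": "http://example.test/login", "file_md5": "", "file_sha256": ""},
    {"event_time": "2015-10-01T08:02:40Z", "src_ip": "10.1.1.7", "dst_ip": "203.0.113.9",
     "user": "alice", "url": "http://other.test/",
     "file_md5": "", "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

# Assumption: the fields a field-less search would consider "likely" for a free-text term.
TEXT_FIELDS = ["src_ip", "dst_ip", "user", "url"]
# Assumption: hash field name -> hex digest length used to route a value to the right field.
HASH_FIELDS = {"file_md5": 32, "file_sha1": 40, "file_sha256": 64}


def simple_search(records, term):
    """Search a term across all likely fields without the analyst naming one.

    Returns (per-field hit counts, matching records). The hit counts are what a
    Simple Search style bar chart would plot; the records are the drill-down set."""
    term = term.lower()
    hits = Counter()
    matched = []
    for rec in records:
        matched_any = False
        for field in TEXT_FIELDS:
            if term in str(rec.get(field, "")).lower():
                hits[field] += 1
                matched_any = True
        if matched_any:
            matched.append(rec)
    return dict(hits), matched


def query_pivot(results, fields=TEXT_FIELDS):
    """Per-field count of unique values across a result set (a Query Pivot style pane).

    Empty values are skipped so that unpopulated fields do not dominate the counts."""
    return {field: dict(Counter(rec[field] for rec in results if rec.get(field)))
            for field in fields}


def classify_hash(value):
    """Map a hex digest to the hash field it belongs in by length; None if it is not a digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    for field, length in HASH_FIELDS.items():
        if len(v) == length:
            return field
    return None


def hash_search(records, hashes):
    """Return records whose hash fields contain any digest from a user-defined list.

    Values that are not valid digests are ignored rather than matched against
    empty hash fields, which would otherwise return every record."""
    wanted = {}
    for h in hashes:
        field = classify_hash(h)
        if field:
            wanted.setdefault(field, set()).add(h.strip().lower())
    return [rec for rec in records
            if any(rec.get(field, "").lower() in vals for field, vals in wanted.items())]


if __name__ == "__main__":
    hits, rows = simple_search(SAMPLE_LOGS, "203.0.113.9")
    print("field hits:", hits)
    print("pivot:", query_pivot(rows))
    print("hash hits:", [r["event_time"] for r in hash_search(SAMPLE_LOGS, ["D41D8CD98F00B204E9800998ECF8427E", "not-a-hash"])])
```

Running the script on the constructed records reports that "203.0.113.9" occurs only in dst_ip, the pivot over those three records shows 10.1.1.5 twice and 10.1.1.7 once in src_ip, and the mixed-case MD5 value is normalized and matched while the non-digest entry in the list is discarded.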
Query Sharing
Customer Problem: An organization with multiple security analysts needs to be able to share queries among its analysts, so that each analyst can re-use and build on other analysts' queries.
Solution: With Query Sharing, analysts can choose to share their saved queries within their organization or sub-organization.
Figure 5 - Query Sharing Interface
Query History
Customer Problem: During an investigation, an organization's security analyst may need to "step back" through query results, quickly recalling queries that were run hours, days or weeks ago, and potentially modifying the query criteria to continue the investigation.
Solution: With Query History, an analyst's recent queries are maintained on the right side of the screen to enable a quick "step back", and the analyst's full query history from the last 30 days is accessible through a Query History search capability.
Figure 6 - Query History Interface
Performance Improvements: The performance of complex queries that involve IP addresses and URLs has been improved.
For customers using Microsoft Internet Explorer versions 10 and 11, chart labels on line graphs may occasionally overlap. There is no known workaround for this issue at this time.
Things to Know
If you would like a demonstration of these new Enhanced Query features, or to log a product suggestion regarding log querying in the MSS portal, please contact your MSS Service Manager.