If you have not yet explored the XDR journals, take a look at the rich data journals being logged on your endpoints and servers. This data is retained on the agent for the last 90 days. You can write your own queries, but in this post we are going to start the New Year by focusing on what ships with the product. SQL can be daunting at first, but with designer mode disabled, a security administrator can run reports based on the query description alone.
This post will focus on a Live Discover Query, under the Network category, called "Processes with an open network connection."
You must have XDR enabled in your environment. Designer mode does not need to be enabled.
Over time, the platform will report the expected system impact, data transferred, and execution time for the query. Do not be alarmed if these fields are empty at first.
The results give any security administrator insight into the active connections on their endpoints. Quick reports like this can expose "shadow IT" programs and connections that are not authorized.
Results Breakdown:
Understanding static scoring
"Pivoting" is taking a portion of the data in the report to investigate further. If you discover that the ScreenConnect software highlighted in the screenshot should not be installed, you can use a column such as "sha256" to query where else it is present. Pivoting may call upon one or more queries to answer the questions you have. Each "pivot" opens a new tab for your investigation. Other options include scanning the device, taking Live Response control, or using one of the enrichment data connectors to find out more information.
You can set up a free account at https://ipstack.com if you want to see how to add your own API source.
Happy querying!
-jk