EchoTrail Insights - Advanced Search
This guide introduces EchoTrail Insights Advanced Search, a powerful new search capability for our EchoTrail Insights tool. It helps identify trends, outliers, and other useful analytics on endpoint process behavior, and can be used by threat hunters, detection engineers, and many other security professionals to:
- discover useful starting points for hunt operations
- identify baselines for new detections
- gain context on average behavior of system processes
Advanced Search is a paid EchoTrail Pro feature.
Getting Started
Advanced Search requires a Pro account, which can be purchased here. Once you have a Pro account, you can navigate directly to the Insights Dashboard and use our Search Help dropdown to test some example queries.
To learn more about Advanced Search, its syntax, and its commands, read on.
The Search Syntax
Advanced Search syntax follows Linux-style pipe chaining: a pipe ( | ) passes the results of one query as the input of the next query. For example:
path=C:\Windows\System32 | count parents = 1
The above command searches for all filenames and hashes whose path matches "C:\Windows\System32", then filters for processes that have only 1 identified parent.
There are currently 2 supported search types and 1 command:
- raw string search
- field search
- count command
Search Types
All search types can be chained together in any combination, except for Raw String. That search type is only available as the initial search, not after a pipe.
Raw String
A raw string search can contain any string, with 0 or more wildcards (*). It searches several areas of our database, including filenames and descriptions. However, it does not search all fields; to ensure a particular field is searched, use the field search type.
Examples
Search for an exact match of the string "cmd.exe":
cmd.exe
Search for any string starting with "Win":
Win*
Field Search
A field search matches against a specific property of a process. Wildcards (*) are allowed. Only the "=" operator can be used with string fields.
rank is currently the only numeric field, so the additional comparison operators <, <=, >, and >= may be used with it.
Searchable Fields:
- filename
- sha256
- md5
- path
- parent
- child
- grandparent
- network_port
- description
- intel
- tags
- rank (number)
- prevalence
Examples
Search for all processes that have "services.exe" as a parent:
parent = services.exe
Search for all processes that have rank less than 50:
rank < 50
Search Commands
A command must always follow at least one search type so that it has output to operate on.
Count
The count command counts the entries of a list-based field, such as children or ports, so you can search for processes where that list has a particular length. Currently the count command can only be used against the following fields:
- path(s)
- parent(s)
- child(ren)
- grandparent(s)
- network_port(s)
count outputs a numeric value, so the comparison operators =, <, <=, >, and >= may be used.
Examples
Search for processes that launch from path C:\Windows\System32 and only have one identified parent:
path = C:\Windows\System32 | count parents = 1
Search for processes launched from cmd.exe that open one or more ports:
parent = cmd.exe | count network_port >= 1
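To make the rules above concrete, here is a small Python evaluator that applies them to a handful of constructed process records: pipe chaining between stages, raw string search allowed only as the first stage, wildcard matching on string fields, the extra comparison operators on the numeric rank field, and the count command on list-valued fields. This is added example code written for this guide, not EchoTrail's implementation; the record layout, the two fields a raw string search covers, the accepted plural spellings, and the error messages are all assumptions made for the demo.

```python
"""Toy evaluator for the Advanced Search syntax described on this page.
Added example code, not EchoTrail's implementation; records are constructed."""
import operator
import re

# Constructed sample records (not real EchoTrail data). Fields the page lists
# as countable are stored as lists; rank is the only numeric field.
SAMPLE_PROCESSES = [
    {"filename": "cmd.exe", "description": "Windows Command Processor",
     "rank": 12, "path": ["C:\\Windows\\System32"],
     "parent": ["explorer.exe", "services.exe"], "child": ["whoami.exe"],
     "grandparent": ["userinit.exe"], "network_port": []},
    {"filename": "svchost.exe", "description": "Host Process for Windows Services",
     "rank": 3, "path": ["C:\\Windows\\System32"],
     "parent": ["services.exe"], "child": ["wuauclt.exe"],
     "grandparent": ["wininit.exe"], "network_port": ["443", "80"]},
    {"filename": "winlogon.exe", "description": "Windows Logon Application",
     "rank": 40, "path": ["C:\\Windows\\System32"],
     "parent": ["smss.exe"], "child": ["userinit.exe"],
     "grandparent": [], "network_port": []},
    {"filename": "powershell.exe", "description": "Windows PowerShell",
     "rank": 75, "path": ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0"],
     "parent": ["cmd.exe"], "child": [], "grandparent": ["explorer.exe"],
     "network_port": ["8080"]},
]
KNOWN_FIELDS = set(SAMPLE_PROCESSES[0])
# Assumed: a raw string search covers only these fields, not every field.
RAW_SEARCH_FIELDS = ("filename", "description")
NUMERIC_FIELDS = {"rank"}
COUNT_FIELDS = {"path", "parent", "child", "grandparent", "network_port"}
# Plural spellings accepted in queries, e.g. "count parents", "count children".
ALIASES = {"paths": "path", "parents": "parent", "children": "child",
           "grandparents": "grandparent", "network_ports": "network_port"}
OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}
# Two-character operators come first so "<=" is not read as "<" then "=".
STAGE_RE = re.compile(r"^(count\s+)?(\w+)\s*(<=|>=|<|>|=)\s*(.+)$")


def wildcard_match(pattern, value):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def field_match(proc, field, op, rhs):
    """One field-search stage on one record; list fields match on any entry."""
    if field in NUMERIC_FIELDS:
        return OPS[op](proc[field], int(rhs))
    if op != "=":
        raise ValueError(f"only '=' is allowed on string field {field!r}")
    values = proc[field] if isinstance(proc[field], list) else [proc[field]]
    return any(wildcard_match(rhs, v) for v in values)


def count_match(proc, field, op, rhs):
    """One count stage: compare the number of entries in a list-valued field."""
    if field not in COUNT_FIELDS:
        raise ValueError(f"count is not supported on {field!r}")
    return OPS[op](len(proc[field]), int(rhs))


def run_query(query, processes=SAMPLE_PROCESSES):
    """Evaluate a pipe-chained query; each stage filters the previous output.
    Returns the filenames of the matching records, in input order."""
    results = list(processes)
    for index, stage in enumerate(s.strip() for s in query.split("|")):
        m = STAGE_RE.match(stage)
        if m is None:  # no field/operator present: raw string search
            if index != 0:
                raise ValueError("raw string search is only allowed as the first stage")
            results = [p for p in results
                       if any(wildcard_match(stage, p[f]) for f in RAW_SEARCH_FIELDS)]
            continue
        is_count, field, op, rhs = bool(m.group(1)), m.group(2), m.group(3), m.group(4).strip()
        field = ALIASES.get(field, field)
        if field not in KNOWN_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        if is_count and index == 0:
            raise ValueError("a command must follow at least one search")
        test = count_match if is_count else field_match
        results = [p for p in results if test(p, field, op, rhs)]
    return [p["filename"] for p in results]


def query_error(query):
    """Return the error message a malformed query produces, or None if valid."""
    try:
        run_query(query)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for q in ("cmd.exe", "Win*", "parent = services.exe", "rank < 50",
              "path=C:\\Windows\\System32 | count parents = 1"):
        print(q, "->", run_query(q))
```

Running the file evaluates the page's own example queries against the sample records; query_error shows how the two structural rules (raw string only first, count never first) are enforced.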