Using Spyderbat Search to Start or Add to an Investigation
Updated: Aug 24, 2021
To initiate an investigation from any activity, click 'Search' in the left-hand navigation.
Spyderbat's Search scans for activity across all systems with an installed Nano Agent within the specified time period. Search criteria support Lucene syntax, including the boolean operators AND, OR and NOT, range queries, and named-field search.
As an example, click on 'Search' from the left-navigation and type a simple wildcard “*” to get back all results over the last 24 hours.
Review the search results. You can see the different types of objects returned, similar to the Records table in Investigate, and can navigate between object types by clicking on the tabs in the search results table.
Click on the three dots next to a column. You can sort and filter the column. You can also move, add, and remove columns from your view by selecting 'Show Columns'.
With the correct user permissions, you can save your search as a Dashboard Card. This provides a running window of the search results based on the time period specified on the Dashboard. It also allows you to return to the Search criteria to edit the search or re-run it with different criteria or time ranges.
Tip - On the Dashboard, clicking "Run in Search" exposes Spyderbat's common fields. For example, running the Dashboard card "Recent SSH Sessions" exposes the fields used to find created SSH sessions: “schema:model_session AND interactive:true AND spath:*sshd”
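As an added example (not code from Spyderbat's documentation or product), the following Python evaluates queries in the Lucene-style subset described above (field:value terms, * wildcards, AND/OR/NOT and parentheses) against constructed records, so you can see which records the "Recent SSH Sessions" query selects and why. The field names schema, interactive and spath come from the tip above; the record values and the muid field are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample records (assumption: field names schema/interactive/spath follow the
# "Recent SSH Sessions" query above; the values and the muid field are made up for the demo).
RECORDS = [
    {"id": "s1", "schema": "model_session", "interactive": True, "spath": "/usr/sbin/sshd", "muid": "mach-a"},
    {"id": "s2", "schema": "model_session", "interactive": False, "spath": "/usr/sbin/sshd", "muid": "mach-a"},
    {"id": "s3", "schema": "model_session", "interactive": True, "spath": "/usr/bin/login", "muid": "mach-b"},
    {"id": "p1", "schema": "model_process", "interactive": True, "spath": "/usr/sbin/sshd", "muid": "mach-b"},
]

# Tokens: parentheses, the three boolean operators, or any other non-blank run (a term).
TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[^\s()]+")

def match_term(term, rec):
    """field:value matches that field (case-insensitive, * and ? wildcards);
    a bare term such as * is matched against every field value."""
    if ":" in term:
        field, _, pattern = term.partition(":")
        return field in rec and fnmatchcase(str(rec[field]).lower(), pattern.lower())
    return any(fnmatchcase(str(v).lower(), term.lower()) for v in rec.values())

# Recursive-descent evaluation with Lucene-like precedence: NOT binds tightest, then AND, then OR.
def _or(tokens, i, rec):
    val, i = _and(tokens, i, rec)
    while i < len(tokens) and tokens[i] == "OR":
        rhs, i = _and(tokens, i + 1, rec)
        val = val or rhs
    return val, i

def _and(tokens, i, rec):
    val, i = _not(tokens, i, rec)
    while i < len(tokens) and tokens[i] == "AND":
        rhs, i = _not(tokens, i + 1, rec)
        val = val and rhs
    return val, i

def _not(tokens, i, rec):
    if tokens[i] == "NOT":
        val, i = _not(tokens, i + 1, rec)
        return not val, i
    if tokens[i] == "(":
        val, i = _or(tokens, i + 1, rec)
        return val, i + 1  # consume the closing ")"
    return match_term(tokens[i], rec), i + 1

def search(query, records=RECORDS):
    # Return the ids of the records the query selects, in record order (empty query selects nothing).
    tokens = TOKEN.findall(query)
    return [r["id"] for r in records if tokens and _or(tokens, 0, r)[0]]
```

Range queries such as field:[a TO b] are part of Lucene syntax but are not handled by this small evaluator.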
By selecting one or more search results across any of the facets, you can initiate an Investigation with the underlying data.
The search results will appear as a single Data Layer in your Investigation.
What if you are already in an investigation and want to pivot to bring in additional information?
If you have already begun an investigation, selecting 'Search' will not lose your place. The state of the existing investigation remains intact as long as your browser session stays open and you have not started a new Investigation.
From Investigate, click on Search and create a new search. Select from your search results. You are offered the options "Add to Existing Investigation" or "Start Investigation". Selecting "Add to Existing Investigation" adds the results as a new Data Layer.
Note - You can save the current state of your Investigation by selecting the "Copy Investigate Link" option.
Thank you and happy tracing!