This document provides the release notes for the Q4 2015 Enhanced Query feature update for the Symantec Managed Security Services (MSS) portal.
Several new features and enhancements have been made available to customers as part of the Q4 2015 Enhanced Query feature update. The primary purpose of this feature update is to deliver incremental improvements to the Enhanced Query tool as suggested by MSS customers, and to make the log query tool both more intuitive to use and easier to re-use for customers’ security analysts who may be used to conducting log searches and incident investigations with on-premises SIEM tools.
Customer Problem: An organization’s security analyst may need to run a search on their log data to find events related to a particular term, but may not know where to start when it comes to the log fields in which the term may appear.
Solution: With Simple Search, the analyst may enter a search term without first specifying a field or fields to be searched, and the timeframe in which logs should be searched. The tool will automatically choose the most likely fields in which the search term may be found, and return a bar chart that shows in which fields the search term occurred most frequently.
From the chart returned by Simple Search, customers may drill down into the search results and view the contents of the logs that are part of the selected result set.
Customer Problem: In the course of searching through log data, an organization’s security analyst may be unaware of relationships between a search term and other frequently occurring results in the query results, which could cause them to miss an important connection in the course of an incident investigation.
Solution: With Query Pivot, a count by field of unique values returned in each field for the query result set is displayed to the left of the main query results, allowing the analyst to quickly recognize patterns or connections that they might not otherwise see. The analyst may click through any returned value to immediately refocus the query.
Customer Problem: In the course of an incident investigation, an organization’s security analyst may need to quickly identify instances where a file hash value (or values) may have been recorded in logs, in order to identify the extent of an infection or outbreak, or to locate systems that may be compromised by a particular piece of malicious code.
Solution: With MD5, SHA1, and SHA256 file hash fields now searchable in the Enhanced Log Query tool, the analyst will be able to quickly query logs for occurrences of a file hash value (or of multiple values, using user-defined lists).
Customer Problem: An organization with multiple security analysts needs to be able to share queries among its analysts, so that each analyst can re-use and build on other analysts’ queries.
Solution: With Query Sharing, analysts can choose to share their saved queries within their organization or sub-organization.
Customer Problem: During the course of an investigation, an organization’s security analyst may need to “step back” through query results, so that they can quickly recall queries that were run hours, days or weeks ago, and potentially modify the query criteria to continue an investigation.
Solution: With Query History, an analyst’s query history is maintained on the right side of the screen to enable quick “step back”, and the analyst’s full query history from the last 30 days is accessible from a Query History search capability.
Performance Improvements: Improved the performance of complex queries that involve IP addresses and URLs.
For customers using Microsoft Internet Explorer versions 10 and 11, chart labels on line graphs may occasionally overlap. There is no known workaround for this issue at this time.
If you would like a demonstration of these new Enhanced Query features, or to log a product suggestion regarding log querying in the MSS portal, please contact your MSS Service Manager.