RFE - WebUI (Query) Client Relevance Builder

RFE added for enhanced IOC hunting capabilities in WebUI Query - http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=123426

It would be extremely useful if the BigFix Labs ‘Client Relevance Builder’ functionality was added to WebUI (Query) so users who aren’t experts at creating relevance can build their own IOC specific queries if a template is unavailable.
The relevance builder would, as a minimum, need to include File, SHA, Process, Registry, Services inspectors but the more the better.

Use case: SOC operators are hunting down an IOC but the templates provided in Query only allow for individual queries to be run. If they had the flexibility to build and search for a file with a specific hash and reg key/value, that would be a huge value add.

An example would be something like this -

exists running application "badapp.exe" AND exists file "myfile.exe" whose (sha1 of it = "9d749c3cfdc4fbacb4190e7bec892094e5a3f65a") of folder "C:\Temp\Test" AND (exists keys "HKLM\Software\MyCompany\Test" whose (exists values whose (name of it = "IOC" AND it as string as lowercase = "True" as lowercase) of it) of registry)

Whilst I appreciate this content can be developed manually, a client relevance builder would reduce user error, and make the process for hunting extremely flexible and easy.
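As an added illustration (not from this thread and not BigFix's own tooling), a small Python sketch of what such a builder could do: take structured IOC fields, validate them before anything reaches an endpoint, and emit the joined relevance expression. The clause shapes follow the relevance in the post above; the function names, the IOC dictionary layout and the `%22`/`%25` string-literal escaping are this example's own assumptions.

```python
import re

# Relevance string literals escape '%' as %25 and '"' as %22 (assumed here).
def rel_str(value: str) -> str:
    """Quote a value as a BigFix relevance string literal."""
    return '"' + value.replace("%", "%25").replace('"', "%22") + '"'

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def process_clause(name: str) -> str:
    return f"exists running application {rel_str(name)}"

def file_clause(folder: str, name: str, sha1: str) -> str:
    # Reject a malformed digest early rather than shipping a query that can never match.
    sha1 = sha1.strip().lower()
    if not SHA1_RE.match(sha1):
        raise ValueError(f"not a SHA-1 hex digest: {sha1!r}")
    return (f"exists file {rel_str(name)} whose (sha1 of it = {rel_str(sha1)}) "
            f"of folder {rel_str(folder)}")

def registry_clause(key: str, value_name: str, expected: str) -> str:
    # Compare the value data case-insensitively, as the post's example does.
    return (f"exists keys {rel_str(key)} whose (exists values whose "
            f"(name of it = {rel_str(value_name)} AND it as string as lowercase = "
            f"{rel_str(expected.lower())}) of it) of registry")

def build_ioc_query(ioc: dict) -> str:
    """Join every provided indicator into one relevance expression with AND."""
    clauses = []
    if "process" in ioc:
        clauses.append(process_clause(ioc["process"]))
    if "file" in ioc:
        f = ioc["file"]
        clauses.append(file_clause(f["folder"], f["name"], f["sha1"]))
    if "registry" in ioc:
        r = ioc["registry"]
        clauses.append(registry_clause(r["key"], r["value"], r["data"]))
    if not clauses:
        raise ValueError("IOC has no supported indicators")
    return " AND ".join(f"({c})" for c in clauses)

# Constructed sample indicator, reusing the values from the post above.
SAMPLE_IOC = {
    "process": "badapp.exe",
    "file": {"folder": r"C:\Temp\Test", "name": "myfile.exe",
             "sha1": "9d749c3cfdc4fbacb4190e7bec892094e5a3f65a"},
    "registry": {"key": r"HKLM\Software\MyCompany\Test", "value": "IOC", "data": "True"},
}

if __name__ == "__main__":
    print(build_ioc_query(SAMPLE_IOC))
```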

I’m on mobile and can’t check, but I thought that there was a role in WebUI already that let you make new template queries, including creating your own parameters. You can then share those with other WebUI users in your environment.

@alinder - you can create queries with parameters and share, what I am requesting is to provide the ability to users with limited content authoring skills to build their own queries based on whatever information they can gather from the indicator.
In my example, that would be the equivalent of 4 queries joined with AND’s …

Honestly that sounds rather dangerous. Inappropriate, malformed, or inefficient queries could significantly impact performance for both Bigfix as well as the endpoints themselves.

@JonL A relevance builder would mitigate the risks of creating malformed and/or inefficient queries. I would like to assume the tool would have the necessary controls to allow visibility/use.

Another option would be to provide functionality to allow predefined templates to be joined with AND’s and OR’s …just thinking out loud here.

I understand what you’re getting at, but just playing devil’s advocate to tease out potential issues.

Even a query that is formed technically correctly, such as a file search on the client's drive, can have adverse impact.

Scenario: Well-meaning security folks create a list of items they want to search for. The syntax is correct, but the number of queries and/or targets could bog down disk performance. If endpoints are using a SAN for storage, all machines querying simultaneously could crush the backend.

Totally agree. I have been discussing this with some IBM/BigFix developers, and they believe that they can design this in such a way to mitigate/limit the risk. I still think this functionality would take Query functionality to the next level, and would knock the socks off its competitors.

What’s the status of developers building out “Relevance Builder” functionality into the WebUI? Our organization can really use this!