Investigations

Overview of the Process Investigation section, including the causal graph, records table, details section with all the metadata captured by the Nano Agent.


Published: August 24, 2021


The Spyderbat Investigation UI

In the Spyderbat interface, notice the left-hand navigation menu.

Click on “Investigate” to enter the investigation area of the product.

Under the Investigate header are toggles that turn the various components of the Investigate screen on or off.

Search

The search area allows you to query for records, or all of the information Spyderbat has gathered, for one or more systems over the selected time frame.

Here we see a 1-hour query for a single machine. Selecting the drop-down under ‘Hosts’ allows you to query a different machine for the same time period.

You’ll notice that running a new search creates a new data layer. A data layer is similar to the concept of layers in an application like Adobe Photoshop: it lets you bring in records or information for different times and different systems, or from search or dashboards, and toggle those datasets on or off for analysis.

Records

The Records table below the data layers acts on the data layers that you have enabled. While you can broadly filter data by enabling or disabling data layers, filtering Records allows for finer-grained views into the data set.

For example, type in an IP address where it says ‘Filter’ and click “Save” to filter down to all records related to that IP.

You can also use field-based filtering and “facets” to look for that IP.

For example, click on ‘Filter’ and scroll down the field-based names to find ‘remote_ip’ to see a list of all remote IP addresses included in the enabled data layers (if any).

Once we have narrowed down to a set of records of interest, we can plot these on the causal graph by selecting the ‘Star’ icon to the right of the record.

Select the ‘Flag’ facet. Flags are often a great place to start – they provide interesting security context information that can be overlaid onto the Causal Tree. Use the “add all” button to add all Flags at once to the Causal Tree.

Causal Tree

Looking at the causal tree on the right-hand side is a very powerful way to view the causal connections of the underlying data.

  • S nodes represent systems

  • P nodes represent processes

  • C nodes represent connections, which can link to other connection nodes or to and from remote IPs and ports.

The Causal Tree displays all the causal activity leading to and following an event, such as an alert I am investigating.

The grey badges to the right of a node on the Causal Tree show changes in the effective user, or the effective rights of the user when performing tasks. This provides an immediate visual indication of the effective user’s privileges when executing commands.

Use your mouse scroll wheel or the on-screen icons to zoom in and out of the Causal Tree.

Select a node by left-clicking with your mouse to see additional details in the Details panel, or right-click to add or remove information from the Causal Tree.

Tip – You can clear the graph with the trashcan icon, and the undo and redo buttons are very handy!

Details

The Details panel below the graph allows us to drill into details for nodes we’ve selected from the Causal Tree or Records table. Details include useful, context-based information about the selected node and its relationships to other nodes.

Here we can see the time this process ran, the command line, environment variables and much more, and any related information like flags or associated connections.

That’s a whistle-stop tour of Spyderbat investigations. We’ll go deeper into the investigation components in other videos and show how you can start, or add to, an existing investigation using the dashboard and search capabilities.

Thank you and Happy Tracing!

Click here for a tutorial on using the Causal Tree in Investigations.