Three Things to Try with Spyderbat Community Edition

Review your security monitoring scope, trace your own activity at runtime, and validate detected suspicious activity via Spyderbat flags.

Published: August 22, 2021

OK, you installed your first Spyderbat Nano Agent (). Now what?

1) Look at the last hour of activity

If you just installed the Spyderbat Nano Agent, you will see the system as a source on the Sources screen.

On the left, click “View Spydertrace”. This will query the last hour of activity from that system.

2) View Your Own Activity

Do you still have a terminal open from when you installed the agent? If not, log back into the system you installed the agent on.

Run some simple Linux commands:

> clear
> id
> ls -la
> cat .profile
> whoami
> exit

Let’s jump back to the Spyderbat investigate screen.

Under Search, click on the End Time, select the ‘Now’ button to update the End Time to the current time, and then select the ‘Run New Search’ button.

That query brought in records for the requested time period as a new Data Layer.

Look in the Records table, under the Sessions tab. Can you find your recent session? Click on the ‘Star’ to the right of the Session Record to see what it looks like in the Causal Tree.

The session in the above screen shot shows my session using a bash shell. Notice I was logged in as ec2-user. Right-click the bash shell process node in the graph and select “add children”.

The Causal Tree updates to display all commands (and processes) that are immediately causally connected to the bash shell. The same processes are also selected in the Records table when I switch to its Process tab.

By selecting the ‘cat’ node in the Causal Tree or process name in the Records table, the Details panel provides additional details such as the filename, the working directory, environment variables, and more!

3) View Your First Flag

Do you recall running the ‘whoami’ command? In our Causal Tree, it is annotated with a little flag.

Select the ‘whoami’ node in your Causal Tree to view more information from the Details panel.

Flags are not the same as alerts. Flags color your Causal Tree with interesting information. The source of a Flag can be third-party alerts as well as other context sources. Spyderbat continuously overlays key security and other context as Flags as they occur.

A single Flag with no causal outcomes is a characteristic of a false positive. A trace of interest will usually include multiple Flags and multiple layers of activity. By viewing alerts and context as Flags, the Causal Tree shows you exactly how they are related, the sequence of activities, and any other activity causally connected.
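To make the two ideas above concrete (the “add children” expansion of a process node, and the rule that a lone Flag with no causal outcomes is a false-positive candidate while a trace of interest carries several Flags across several layers), here is a small added illustration in Python. It is not Spyderbat code and does not use the Spyderbat API; the process records, pids and flag labels are constructed samples modelled on the session in this tutorial, and the `triage` heuristic is a literal reading of the paragraph above, not Spyderbat’s scoring.

```python
"""Toy causal tree: expand children of a node and triage flagged nodes.

Added illustration, not Spyderbat code. Records below are constructed:
an ssh login running the commands from this tutorial, a cron job with
one isolated flag, and a web server worker that spawned a shell.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str
    args: str
    cwd: str
    flags: list = field(default_factory=list)  # flag labels attached to this node


# Constructed sample records (pid 1 is the implicit root, not listed).
RECORDS = [
    Proc(100, 1, "sshd", "sshd: ec2-user", "/"),
    Proc(101, 100, "bash", "-bash", "/home/ec2-user"),
    Proc(102, 101, "clear", "clear", "/home/ec2-user"),
    Proc(103, 101, "id", "id", "/home/ec2-user"),
    Proc(104, 101, "ls", "ls -la", "/home/ec2-user"),
    Proc(105, 101, "cat", "cat .profile", "/home/ec2-user"),
    Proc(106, 101, "whoami", "whoami", "/home/ec2-user", ["user discovery"]),
    # Unrelated trace: a single flag on a node with no causal outcomes.
    Proc(200, 1, "cron", "/usr/sbin/cron", "/"),
    Proc(201, 200, "logrotate", "logrotate /etc/logrotate.conf", "/", ["unusual binary"]),
    # Trace with multiple flags across multiple layers (constructed example).
    Proc(300, 1, "nginx", "nginx: worker process", "/var/www"),
    Proc(301, 300, "sh", "sh -c ...", "/var/www", ["web server spawned shell"]),
    Proc(302, 301, "curl", "curl http://example.invalid/x", "/tmp", ["outbound download"]),
]


def build_tree(records):
    """Index records by pid and build the parent -> children adjacency."""
    by_pid = {r.pid: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r.ppid].append(r.pid)
    return by_pid, children


def add_children(children, pid):
    """The 'add children' action: immediate causal descendants of a node."""
    return list(children.get(pid, []))


def subtree(children, pid):
    """All pids causally connected below (and including) `pid`."""
    out, stack = [], [pid]
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def trace_summary(by_pid, children, root):
    """Total Flags and number of activity layers under `root` (root = layer 1)."""
    flags, layers, frontier = 0, 0, [root]
    while frontier:
        flags += sum(len(by_pid[p].flags) for p in frontier)
        layers += 1
        frontier = [c for p in frontier for c in children.get(p, [])]
    return {"root": root, "flags": flags, "layers": layers}


def triage(by_pid, children, pid):
    """Heuristic from the text: a lone Flag with no causal outcomes (no children,
    no further Flags beneath it) is a false-positive candidate; anything else
    deserves a closer look in the Causal Tree."""
    other_flags = sum(len(by_pid[p].flags) for p in subtree(children, pid) if p != pid)
    if not children.get(pid) and other_flags == 0:
        return "likely false positive"
    return "needs review"


if __name__ == "__main__":
    by_pid, children = build_tree(RECORDS)
    print("children of bash:", [by_pid[p].exe for p in add_children(children, 101)])
    for root in (100, 200, 300):
        print(trace_summary(by_pid, children, root))
    for pid in (106, 201, 301):
        print(by_pid[pid].exe, "->", triage(by_pid, children, pid))
```

Running it expands the bash node to the five commands typed above, reports one Flag over three layers for the ssh session, and classifies the isolated `whoami` and `logrotate` flags as false-positive candidates while the web-server-to-shell-to-download chain is marked for review.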

Other Things to Try

Here are some other great things to try with your Spyderbat Community Edition:

  • Have a colleague do some basic admin tasks on a system that has the Spyderbat Nano Agent installed, then see if you can figure out what they did in Spyderbat and compare notes with them.

  • Stand up a honeypot or similar system on the internet that can be easily exploited to see what Spyderbat captures!

  • Want to bring in the rest of the team? Try a red team/blue team exercise where the red team attacks a set of Linux systems, and the blue team defends using Spyderbat!

Thank you and happy tracing!

If you haven’t already, check out the . Challenges are quick exercises that allow you to explore and learn about real attacks in a very fun way.

Install Spyderbat on a Vulnhub VM from (see Spyderbat Blog – ), hack it, and see what Spyderbat shows. Many of the vulnhub images have walkthroughs if you are not an experienced pentester.
