Example Queries

Search by object features

object imphash (import table hashing)

object.imphash == "b16bcf5735b87c18d20979fe59477f11"

object first seen time

object.global_first_seen_time.after(timestamp("1972-01-01T10:00:20.021-05:00"))

Search by YARA rule name

rule.name == "thing"
rule.name.matches("Mutation")
rule.name.matches("APT34")
rule.name.matches("XOR")
rule.name.matches("(XOR)|(MS13_098)")

Search by environment ID

rule.environment_id == "123456-ABCDEF-789012-GHIJKLMN"
object.environment_id == "123456-ABCDEF-789012-GHIJKLMN"

Search by Authenticode

object.authenticode_verification_result == "VALID"
object.authenticode_verification_result == "INVALID"
object.authenticode_verification_result == "UNSUPPORTED"

Search by network

Hostname

net.hostname.matches("workers.dev")

IP address (can include CIDR notation)

net.ip == "1.2.3.4/24"

Search with combinations

object.authenticode_verification_result == "VALID" && object.environment_id != "4G52XG-LZUBD8-44ZBE3-5KFTJ8WN"

How to go beyond the basics

You can extend these combinations to target the specific anomalies you're looking for.

Another approach is to search for objects that carry statically or dynamically extracted network information. For example, because binaries that use libcurl contain the string curl.haxx.se, you can go to the Objects view and find objects containing that value with:

net.hostname == "curl.haxx.se"