Signal is created but no data when clicking on Workbook

Hi,

A signal is created and displayed with suspect & host (Suspicious Remote Desktop Network Activity) or just a suspect (Detect Outlook exe writing a zip file). But when we then click on the Workbook in the signals/pending review screen & execute the workbook, the query returns no data around 50% of the time.

This happens for different data streams (e.g. firewall, sysmon-process). The retention time is set to 90 days, the signals we tested are in a timeframe of 01.07.2021 to today. There is more than enough storage left on disk. When we search the relevant stream in the timeframe a signal was created, there is data returned. If we then, however, filter the data matching the query that initially created the signal, we again don’t get anything returned.

What could cause this?

Kind Regards
Jonas

Hey Jonas,

I’m expecting that you have followed the “Minimum requirement” and “Before you begin” to deploy the setup.

Signals help us look across multiple attack vectors; signals are triggered via Workbooks, i.e. as per the logic set in their queries. On executing a query via a workbook, if there is any threat-related data such as types of attacks, a signal will be triggered, alerting us with relevant intel.

I would suggest checking out the below troubleshooting document which will help you to diagnose the issue.

Troubleshooting Signals

Regards,
Flash

Hi Flash,

The minimum requirements are met, Signals are getting created, and queries return data without any problem. But when we click on the workbook on a signal, the workbook does not return data (for some signals created from the same workbook we are able to get results, and we always get results for other workbooks):

We just investigated further:

  1. Signal: Suspicious Remote Desktop Network Activity is created (Suspect: 10.191.87.18 Target: 10.191.80.22)
  2. If we then click on the workbook no data is returned (see the screenshot above)
  3. If we then change the workbook rule to no longer include “HAVING COUNT(*)>2”
    SELECT $SrcIP, $DstIP, COUNT(*) FROM FIREWALL WHERE $DstPort=3389 AND NOT $SrcIP='10.191.80.188' GROUP BY $SrcIP,$DstIP LIMIT 100
    we get the relevant event returned:

BUT: the count is only “2” → the workbook query however is “SELECT $SrcIP, $DstIP, COUNT(*) FROM FIREWALL WHERE $DstPort=3389 AND NOT $SrcIP='10.191.80.188' GROUP BY $SrcIP,$DstIP HAVING COUNT(*)>2 LIMIT 100” → it should only create a signal if the count is more than 2.

Regards,
Jonas

Hi Jonas,

Can you please try increasing the duration in the workbook query, so that you get the required results for the same?

Regards,
Mark

Hi Mark,

Thank you - I manually increased the time frame and, as you suspected, we got the events.

When clicking on the Signal-Page to get to the workbook, the “Time travel” timeframe is set automatically. Can we get this to be set more accurately so we immediately get the expected results?

Regards,
Jonas
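The effect Jonas describes (the signal fires because COUNT(*) exceeded 2 over the window the scheduled run used, but the workbook opened from the signal page runs over a narrower “time travel” window and the same HAVING clause drops the row) can be reproduced offline. The block below is an added example, not the product's own engine or query language: it loads a constructed FIREWALL table into SQLite, expresses the window as an explicit WHERE on a ts column (the product applies its time-travel window outside the query text), uses plain column names instead of the $SrcIP/$DstIP/$DstPort macros, and assumes a signal time and event timestamps that are made up for the demonstration. Three RDP connections from 10.191.87.18 to 10.191.80.22 are spread over three hours; the query only passes the threshold once the lookback covers all three.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data (assumed, not from the thread): the signal is taken to
# have fired at BASE + 180 min; the three RDP hits before it sit at 0, 90 and 170 min.
BASE = datetime(2021, 7, 1, 10, 0, 0)
SIGNAL_TIME = BASE + timedelta(minutes=180)
EVENTS = [
    (BASE + timedelta(minutes=0),   "10.191.87.18",  "10.191.80.22", 3389),
    (BASE + timedelta(minutes=90),  "10.191.87.18",  "10.191.80.22", 3389),
    (BASE + timedelta(minutes=170), "10.191.87.18",  "10.191.80.22", 3389),
    (BASE + timedelta(minutes=20),  "10.191.80.188", "10.191.80.22", 3389),  # excluded source
    (BASE + timedelta(minutes=40),  "10.191.87.18",  "10.191.80.22", 443),   # not RDP
]


def build_db():
    """Create an in-memory FIREWALL table and load the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FIREWALL (ts TEXT, SrcIP TEXT, DstIP TEXT, DstPort INTEGER)"
    )
    conn.executemany(
        "INSERT INTO FIREWALL VALUES (?, ?, ?, ?)",
        [(t.isoformat(), s, d, p) for t, s, d, p in EVENTS],
    )
    return conn


def run_workbook(conn, lookback_minutes, with_having=True):
    """Run the thread's workbook query over [SIGNAL_TIME - lookback, SIGNAL_TIME).

    with_having=False reproduces Jonas's experiment of dropping HAVING COUNT(*)>2
    so the actual per-pair count becomes visible.
    """
    start = SIGNAL_TIME - timedelta(minutes=lookback_minutes)
    sql = (
        "SELECT SrcIP, DstIP, COUNT(*) FROM FIREWALL "
        "WHERE DstPort = 3389 AND NOT SrcIP = '10.191.80.188' "
        "AND ts >= ? AND ts < ? "
        "GROUP BY SrcIP, DstIP "
    )
    if with_having:
        sql += "HAVING COUNT(*) > 2 "
    sql += "LIMIT 100"
    # ISO-8601 strings of identical shape compare correctly as text.
    return conn.execute(sql, (start.isoformat(), SIGNAL_TIME.isoformat())).fetchall()


def minimum_lookback(conn, step_minutes=30, max_minutes=24 * 60):
    """Widen the window in fixed steps until the HAVING threshold is met.

    Returns the smallest lookback (in minutes) for which the workbook query
    returns a row, or None if nothing matches within max_minutes. This is the
    manual "increase the time frame" step from the thread, automated.
    """
    for lookback in range(step_minutes, max_minutes + 1, step_minutes):
        if run_workbook(conn, lookback):
            return lookback
    return None


if __name__ == "__main__":
    db = build_db()
    # Narrow auto-set window: the row is silently dropped by HAVING.
    print("120 min, with HAVING   :", run_workbook(db, 120))
    # Same window without HAVING: the pair is there, but the count is only 2.
    print("120 min, without HAVING:", run_workbook(db, 120, with_having=False))
    # Window that matches the scheduled run: threshold passes.
    print("180 min, with HAVING   :", run_workbook(db, 180))
    print("minimum lookback (min) :", minimum_lookback(db))
```

The 120-minute run mirrors what Jonas saw: with HAVING the workbook is empty, without it the pair appears with a count of 2. Only the 180-minute window, which is what the scheduled evaluation must have covered for the signal to fire, returns the row. When reproducing a signal by hand, run the query over at least the evaluation window that produced it rather than the window the signal page pre-fills.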