Analysis – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu (feed updated Thu, 03 Jul 2025 14:06:36 +0000)

Historical Search https://www.sgbox.eu/en/knowledge-base/historical-search/ Wed, 12 Mar 2025 14:01:56 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=30223

Historical Search

This section is used to analyze the logs coming from each data source. You can find it under LM > Analysis > Historical Search.

Logs are stored in a database. When you search them, you can combine terms with the operators “AND”, “OR” and “NOT” to filter the results.
You can choose the host/asset from which to extract logs and set a time range. When “case sensitive” is active, the characters typed in the search bar are matched with their exact upper and lower case.

 

Special characters (wildcards) can be used in searches as in the SQL LIKE operator.
In particular, ‘%’ stands for any number of characters (including none) and ‘_’ stands for exactly one character. For example, the string “Beatrice” is matched by the pattern “Bea%c_” (‘%’ covers “tri”, ‘_’ covers the final “e”).
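The following is an added example, not code from the SGBox knowledge base: it uses an in-memory SQLite table as a stand-in for the log database and shows how the AND/OR/NOT combination, the host filter, the SQL wildcards and the “case sensitive” switch described above behave on a few constructed syslog-style lines. The table name, the column names and the sample lines are assumptions made for the example.

```python
import sqlite3

# Constructed sample log lines (not real SGBox data); host is the asset the line came from.
SAMPLE_LOGS = [
    ("srv-01", "2025-03-12 09:00:01 sshd: Accepted password for Beatrice from 10.0.0.5"),
    ("srv-01", "2025-03-12 09:00:07 sshd: Failed password for beatrice from 10.0.0.9"),
    ("srv-02", "2025-03-12 09:01:13 sshd: Accepted password for Bob from 10.0.0.7"),
    ("srv-02", "2025-03-12 09:02:44 sudo: Beatrice : TTY=pts/0 ; COMMAND=/bin/bash"),
]


def open_log_db(rows=SAMPLE_LOGS):
    """In-memory stand-in for the log database: one row per host and raw line."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (host TEXT, line TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?)", rows)
    return conn


def historical_search(conn, all_of=(), any_of=(), none_of=(), host=None,
                      case_sensitive=False):
    """Search raw lines with SQL LIKE patterns ('%' = any run of characters,
    '_' = exactly one character).

    all_of  -> patterns combined with AND
    any_of  -> patterns combined with OR (grouped in parentheses)
    none_of -> patterns combined with AND NOT
    host    -> restrict the search to one host/asset
    case_sensitive -> mirrors the "case sensitive" switch: SQLite's LIKE is
    case-insensitive for ASCII letters unless this pragma is switched on.
    """
    conn.execute("PRAGMA case_sensitive_like = %s" % ("ON" if case_sensitive else "OFF"))
    clauses, params = [], []
    for p in all_of:
        clauses.append("line LIKE ?")
        params.append(p)
    if any_of:
        clauses.append("(" + " OR ".join("line LIKE ?" for _ in any_of) + ")")
        params.extend(any_of)
    for p in none_of:
        clauses.append("line NOT LIKE ?")
        params.append(p)
    if host is not None:
        clauses.append("host = ?")
        params.append(host)
    sql = "SELECT line FROM logs"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY line"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_log_db()
    # The page's wildcard pattern, anchored to a word in the line: 'tri' is
    # covered by '%', the final 'e' of Beatrice by '_', then a space.
    for line in historical_search(db, all_of=["%Bea%c_ %"], case_sensitive=True):
        print(line)
```

With the switch off, the pattern also matches the lower-case “beatrice” in the failed-logon line; with it on, only the two lines spelling “Beatrice” exactly are returned, which is the difference the “case sensitive” option makes when a username or path is being hunted.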

]]>
Class/Pattern Analysis https://www.sgbox.eu/en/knowledge-base/class-pattern-analysis/ Mon, 13 May 2024 07:56:39 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=22218

The Class/Pattern Analysis panel allows you to perform a specific analysis on classes and hosts.

Main Page

This page displays the collected data in several ways. First, at the top of the page, you select a Time interval, which loads the hosts and classes seen in that period. You then narrow the search with the Classes section and the Host section to filter the events.

First Analysis


First, select one or more classes/hosts; in this example two classes are selected. The system then loads the Event Section and updates the Hosts Section together with the graph.
The Event Section lists all the patterns and hosts involved (impacted hosts). At this point you can narrow the time interval by zooming in on the graph. To complete the configuration, select up to five patterns for analysis.

 

The following image represents a complete configuration:


A time period has been chosen on the graph (1) and the data has been loaded. After selecting the two patterns (2), the SGBox Live button is enabled and everything is ready to start an SGBox Live analysis.

SGBox Live


The Time Interval (1) and the graph are updated to the previously selected time period. The Show Detail button (2) replaces the Aggregated Data view with the Details view, which provides more in-depth information about the events.

The icon (3) adjusts the height of the graph and overlays it on the view.

The Aggregated Data view consists of parameter tables ordered by count. Parameters can be used to filter the data further, and the graph shows the matches per minute. The graph remains dynamic, so the user can resize the time interval as often as desired.


After selecting the parameters (1) and choosing the time period (2), the data is reloaded and the Aggregated Data view shows the matches that occurred during that time. If the user wants more information about a specific parameter value, a right-click on it offers several actions.


Search this value as…


SEARCH THIS VALUE AS… After selecting the desired parameters, SGBox generates a dashboard that searches for the selected value across all the selected patterns. The user gets a view similar to this.


WHOIS


WHOIS is a query and response protocol used to query the databases that store the registered users or assignees of an internet resource, such as domain names, IP address blocks and autonomous systems.

Map


MAP locates one or more hosts on a world map.

Parameter Value on Google

SGBox redirects you to a Google page where a query has been performed using the specified parameter value.

Export Parameter Table

SGBox saves the table as CSV file containing parameter values, their translations and their matches.

Details view


The Details view offers a comprehensive overview of the logs. Logs can be displayed together or split by pattern, and the Patterns section is used to filter the information. In this view you can also zoom in on the graph to inspect a particular time period.

]]>
The Events Queries https://www.sgbox.eu/en/knowledge-base/the-events-queries/ Wed, 13 Mar 2024 14:34:16 +0000 https://www.sgbox.it/sgbox/EN/?post_type=epkb_post_type_1&p=8885

The Event Query is a feature introduced in version 5 that lets you run SQL-style queries on events or logs.

Query Purpose

Queries offer several benefits, above all their speed, since they access the database where the events are stored directly.

The primary reasons for utilizing these queries include:

  • To replace an LCE rule
  • Generate a statistic (temporary or permanent)
  • Generate an event based on a specific event threshold
  • Generate an e-mail alert or setup other action triggered by the query

Query Basics

Follow this KB to learn the basic first-step syntax and compose your very first query: SGBox – Events Queries Basics

More details on querying directly from logs: SGBox – Events Queries from Raw Logs

Query Options

  • 🕑 Interval: the monitoring window the query looks back over each time it runs (5 minutes in the example). You can find this option in the scheduling options.
  • 📅 Active Scheduling: a scheduled query runs every minute.

A timeline summary of the two options combined (in the example, every minute the query examines the last 5 minutes of events):

Join

If you need to correlate two different events, each with its own WHERE condition, write the two queries and then combine them in the “Join Query” panel, where both queries are defined.

More details and an example can be found in this KB article:

Advanced Syntax

In a query you can use the functions and statements described in the list below.

Column alias

Every parameter, represented as a column, can be aliased with a name.

The general syntax is:
column AS aliasname
where column can be $TIMESTAMP, $HOST, $EVENT, or any $PARAM:*

Using an alias is a best practice: it also lets you pre-calculate a value in a column and reuse it later in the WHERE or FINALLY statement.

Note: some column aliases are reserved and cannot be used: ts, Pattern, pid, hid

Functions and Statements

Function | Position | Example | Definition
<column> as columnname | SELECT | $PARAM:[TargetUserName] as User | Define a column alias (the alias can also be referenced later in the WHERE and FINALLY parts)
count() | SELECT, WHERE, FINALLY | | Count the rows per group (must be used together with GROUP BY)
min(column), max(column) | SELECT, WHERE, FINALLY | | When the other columns are grouped, return the minimum or maximum value of the column within each group
extract(column, 'regex (valuetoextract) secondpart') | SELECT, WHERE, FINALLY | extract($LINE, 'TargetUserName="(.*?)" TargetDomainName=') | Extract part of the value of a column (first occurrence only; the capture group is returned)
extractAll(column, 'regex(value1)other(value2)') | SELECT, WHERE, FINALLY | | Extract multiple values by regex and output them as an Array (not a string)
extract(column, '(?i)regex (valuetoextract) secondpart') | SELECT, WHERE, FINALLY | | Extract a value with the case-insensitive modifier (?i) at the beginning of the regex
toString(column or expression) | SELECT, WHERE, FINALLY | | Convert a column value to a String
uniqExact(column) | SELECT, WHERE, FINALLY | | Count the distinct values of a column
arrayStringConcat(extractAll(column, 'regex (val1) continue (val2)'), 'separator_char') | SELECT | | Multi-extract values and join them into a single string separated by the given character or string
toStartOfHour(timestamp) | SELECT, WHERE, FINALLY | | Round a timestamp down to the hour. Similar: toStartOfDay, toStartOfMinute, toStartOfMonth, toStartOfYear
runningDifference(timestamp) as Difference | SELECT | | Difference between the current and the preceding row (the first row is always 0)
COLUMNS('string or regex') | WHERE, FINALLY | | Select any column whose name matches the string or regex
GROUP BY column1, column2, columnalias1 | FINALLY | | Group rows with equal values in the specified columns. When used, every selected column must either appear in the GROUP BY clause or be wrapped in an aggregate function (min(), max(), sum(), avg(), etc.)
HAVING column … | FINALLY | | Like the filters in the WHERE statement, but applied to the grouped values after GROUP BY
column IN ('val1', 'val2') | WHERE | User IN ('Maya','Tom.admin','Kevin') | Filter by one or more specific values of a column
column LIKE '%Value%' | WHERE | User LIKE '%user%' | Filter by a value contained anywhere in the column
column LIKE '%Value' | WHERE | User LIKE '%admin' | Filter by a value at the end of the column
column LIKE 'Value%' | WHERE | User LIKE 'admin%' | Filter by a value at the start of the column
NOT | WHERE | | Negate a filter
match(mycolumn, arrayStringConcat( (SELECT groupArray(value) FROM $LIST:[regexlist]) , '\|' ) ) | WHERE | | Filter mycolumn against a custom pre-built regex list (the list entries are joined with '|' into one alternation)
column IN (SELECT value FROM $LIST:listname) | WHERE | | Filter the values of a column by a list
match(column, 'myfilterregex') | SELECT, WHERE, FINALLY | match(User, 'admin.*|user.*') | Check whether a regex matches the column (typically used in WHERE)
multiMatchAny(column, ['regex1', 'regex2']) | WHERE | multiMatchAny(User, ['admin.*', 'Kevin']) | Like match, but checks several regexes at once. A similar but simpler filter is: col1 LIKE '%value1%' OR col1 LIKE '%value2%'
LIMIT number | FINALLY | | Limit the result set to the given number of rows
LIMIT number BY column | FINALLY | | Limit the result set to the given number of rows for each value of column

Complex Example

SELECT
    count() as cnt,
    max($TIMESTAMP) as lastlog,
    sum($PARAM:[packetsize]) as totalsize,
    extract($PARAM:[longmessage], 'beforetext: (\w+ mystringtocatch) ') as extractedMsg
FROM ()
WHERE
    (
        extractedMsg LIKE '%anytext%'
        OR match($PARAM:[longmessage], 'anyotherstring')
        OR extractedMsg IN ('fixedvalue1', 'fixedstring2')
    )
    AND NOT totalsize > 500
FINALLY
    GROUP BY totalsize, extractedMsg
    HAVING count() > 10
    ORDER BY cnt DESC, lastlog
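The following is an added example, not code from the SGBox knowledge base. It renders the shape of the complex example above in standard SQL on an in-memory SQLite table, registering Python implementations of the page's extract() and match() functions as SQL user-defined functions so that the alias computed in SELECT (extractedMsg) can be reused in WHERE, GROUP BY and HAVING. The events, column names, regex and thresholds are constructed for the example; the condition on the aggregate (NOT totalsize > 500) is moved to HAVING, where standard SQL allows aggregates, and count() becomes count(*). Note that the regex dialect of the SGBox engine may differ from Python's re module, so patterns should still be checked with the TEST button in SGBox.

```python
import re
import sqlite3

# Constructed firewall-style events (not real SGBox data). Columns mirror the
# page's placeholders: ts = $TIMESTAMP, host = $HOST, packetsize and
# longmessage = $PARAM:[packetsize] / $PARAM:[longmessage].
EVENTS = [
    ("2025-03-12 10:00:01", "fw-01", 120, "action=DROP reason: policy violation src=203.0.113.7"),
    ("2025-03-12 10:00:03", "fw-01", 80,  "action=DROP reason: policy violation src=203.0.113.7"),
    ("2025-03-12 10:00:05", "fw-01", 60,  "action=DROP reason: geo violation src=198.51.100.4"),
    ("2025-03-12 10:00:09", "fw-01", 200, "action=DROP reason: policy violation src=203.0.113.9"),
    ("2025-03-12 10:00:11", "fw-02", 40,  "action=ALLOW reason: none src=10.0.0.5"),
    ("2025-03-12 10:00:12", "fw-02", 50,  "action=DROP reason: rate-limit exceeded src=203.0.113.7"),
]

# Assumed regex for the example; the first capture group is what extract() returns.
EXTRACT_REGEX = r"reason: (\w+ violation) "


def sg_extract(value, regex):
    """extract(column, 'regex (capture) rest'): first capture group of the
    first occurrence, or NULL (None) when the regex does not match."""
    m = re.search(regex, value or "")
    return m.group(1) if m else None


def sg_match(value, regex):
    """match(column, 'regex'): 1 when the regex matches anywhere in the value, else 0.
    A leading (?i) in the regex makes the match case-insensitive, as on the page."""
    return 1 if re.search(regex, value or "") else 0


def open_event_db(rows=EVENTS):
    """In-memory stand-in for the event store, with the two UDFs registered.
    The match UDF is registered as 'rematch' because MATCH is reserved in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, packetsize INTEGER, longmessage TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    conn.create_function("extract", 2, sg_extract)
    conn.create_function("rematch", 2, sg_match)
    return conn


def summarize(conn, min_count=2, max_total=500):
    """Count, last timestamp and total packet size per extracted message,
    keeping only groups with at least min_count rows and at most max_total bytes."""
    sql = """
        SELECT
            extract(longmessage, ?) AS extractedMsg,
            count(*)                AS cnt,
            max(ts)                 AS lastlog,
            sum(packetsize)         AS totalsize
        FROM events
        WHERE extractedMsg LIKE '%violation%'
           OR rematch(longmessage, 'rate-limit')
        GROUP BY extractedMsg
        HAVING cnt >= ? AND NOT totalsize > ?
        ORDER BY cnt DESC, lastlog
    """
    return conn.execute(sql, (EXTRACT_REGEX, min_count, max_total)).fetchall()


if __name__ == "__main__":
    db = open_event_db()
    for row in summarize(db):
        print(row)
```

Rows whose message does not match the extraction regex get a NULL extractedMsg; they are dropped by the LIKE test but can still be kept by the OR match(...) branch, which is why the "rate-limit" row forms its own (NULL) group when the count threshold is lowered to 1. The same NULL behaviour applies in SGBox when a capture group does not match, so an alias used in WHERE should be paired with an explicit fallback condition as the page's example does.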

Troubleshooting

Convert Event Queries as Report

There are two main ways to generate (or schedule) a Report starting from an Event Query.

Using dashboard

The steps to follow:

  1. Create the query (pay attention to ordering the result correctly with the ORDER BY directive)
  2. Associate the event query with a new dedicated dashboard
  3. Schedule the newly created dashboard as a Report

Note: this report is generated only as a PDF attachment. To generate a tabular (CSV) report you must use the second method.

By creating a new event

  1. Create the query and set its action to output an event (define the event name and class)
  2. Schedule the report on the newly created class

Event Queries to generate Widget in Dashboard

Some Event Queries can be used as the source of a widget on a dashboard.

On the dashboard, open the Add Widget menu.
In the new window you can choose the source Event Query and the visualization type.

To build the correct query syntax for each widget type, please check the next sections.

Table

You can build any kind of query to show as a table; just pay attention to the width of the individual columns, which may be limited or truncated in the widget.

Example


Pie, Cloud

Any number of columns, but the last column must be numeric (it is used to size the slices of the pie).

Example

SELECT
    $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

or

SELECT
    count() as Count, $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

Column

The first column is the value on the X axis.
The other columns must be numeric values, as they are the numeric series.

Example

SELECT
    $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

or

SELECT
    $EVENT as evt, count() as cnt, count()+100 as cnt100
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

Map

First column must be an IP address value.
Second must be numeric (typically count).

Example

SELECT
    $PARAM:[SourceIP] as SourceIP, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY SourceIP

Timeline

The first column must be a Timestamp (datetime) value.
The second is a string value used for the legend.
The last column must be a number (used for the points).

Example

SELECT
    $TIMESTAMP as timestamp, $EVENT as evt, $PARAM:[HttpStatuscode]
FROM 4 events on all hosts

or

SELECT
    $TIMESTAMP as timestamp, $EVENT as Evt, $PARAM:[HTTPSize] as Size, toUInt8($PARAM:[HTTPSize])+100 as avgsize
FROM 4 events on all hosts

or

SELECT
    $TIMESTAMP as ts, $PARAM:[UserName] as User, count() as cnt
FROM 1 event on all hosts
FINALLY
    GROUP by ts,User

Text (Notes)

A fixed value in a single row and column.

Example

SELECT
    'test' as text
FROM all events on 127.0.0.1

or

SELECT
    count() as count
FROM 4 events on all hosts
]]>
Logs Queries https://www.sgbox.eu/en/knowledge-base/log-queries/ Fri, 20 Jan 2023 08:18:14 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8191 Configure query on SGBox logs

This article explains how to configure the Log Queries functionality, which lets you obtain any data from SGBox logs. These queries can be used to send alerts, create events or run a Playbook.

Requirements:

  • SGBox version 5.5.4

From the SGBox menu, go to LM > Analysis > Events Queries, select New Query and then select Logs.
Use SQL syntax to write the query sections:

  • SELECT: you can use the placeholders $TIMESTAMP, $HOST, $LINE.
  • FROM: selects the hosts on which to run the query.
  • WHERE: filters on the value of $LINE.
  • FINALLY: additional clauses that complete the query, like GROUP BY or LIMIT


You can now SAVE or TEST your query. Here is the result:


]]>
Multiclass Analysis https://www.sgbox.eu/en/knowledge-base/multiclass-analysis/ Mon, 13 Jun 2022 09:17:51 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=7453

Multiclass Analysis

The Multiclass Analysis is useful when you need to show a subset of the collected information. In this tool you can use regexes to filter the different information. From version 6.0.0 onward, please refer to: https://www.sgbox.eu/en/knowledge-base/the-custom-report-panel-functionalities-and-usage/

Requirements:

  • SGBox Version 4.2.1.

Examples:

  • You need to show all the users whose name starts with admin_
  • You need to exclude temporary files
  • You need to filter specific events or categories

After the information has been collected and is shown in Class/Pattern Analysis, go to LM > Configuration > Multi-class Analysis.


Select the Classes, hosts and Patterns of interest and finally apply your filter:

In the previous example we have:

  • Filtered the HttpURL values that end with / in order to identify the page name
  • Excluded all HTTPUser-agent values that contain the word bot or crawler

You can save your search as Template or produce a report directly from here.

You can also create a dashboard on the filtered values: from SCM > Dashboard > Dashboard, select Dashboard > Create New Dashboard > New Widget, then choose Multiclass Analysis from the menu.

Select the saved Template to create the dashboard:

 

]]>
Risk Analysis https://www.sgbox.eu/en/knowledge-base/risk-analysis/ Thu, 09 Jun 2022 09:02:20 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=7435 Risk Analysis

The Risk Analysis is a different way to show the information collected from the different hosts. This view identifies which hosts, assets and networks are more critical than others, based on the events that occurred on them.

Requirements:

  • SGBox Version 4.2.1.

You can assign a specific score (from 0 to 10) to each event SGBox recognizes, from LM > Configuration > Events families.
Here you find Families and Subfamilies:

  • Families: a group that contains different subfamilies.
  • Subfamilies: a group that contains events of the same kind.

You can use the preconfigured ones or create your own Families or Subfamilies and assign a specific score. As shown below, Logon successful, Logoff and Logon failed belong to the Authentication family. Logon successful and Logoff have a score of 1, Logon failed a score of 3, which means a Logon failed is more critical than a Logon successful.

Example:

  • Host A receives 1 Logon OK; host B receives 3 Logon fails.
  • Host A belongs to asset A and network A; host B belongs to asset B and network B.

Based on the events that occurred, host B is more critical than host A, asset B more critical than asset A and network B more critical than network A.
The score assigned to the Subfamily is not the final score; it is just a criticality level. SGBox applies further calculations to determine the critical level.

You can also visualize the information in a Risk Analysis dashboard.
From SCM > Dashboard > Dashboard, select Dashboard > Create New Dashboard > New Widget, then choose Risk Analysis from the menu.


]]>
The Events Queries (examples) https://www.sgbox.eu/en/knowledge-base/events-queries/ Tue, 25 May 2021 09:59:04 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=6414

Examples of queries on SGBox events

This article explains how to configure the Events Queries functionality, which lets you obtain any data about any event from SGBox. These queries can later be shown in a dashboard with different graphs.

Requirements:

  • SGBox version 5.3.1

From the SGBox menu, go to LM > Analysis > Events Queries and select New Query.
Use SQL syntax to write the query sections:

  • SELECT: you can use the placeholders $TIMESTAMP, $HOST, $EVENT, $PARAM:[parameter].
  • FROM: selects the hosts and events on which to run the query.
  • WHERE: filters some values.
  • FINALLY: additional clauses that complete the query, like GROUP BY or LIMIT

You can also JOIN two queries to extract information.


SELECT:    $PARAM:[UserName], $PARAM:[SourceIP], count() as count

FINALLY:   group by $PARAM:[UserName],$PARAM:[SourceIP]


Click on TEST to run your query.


When finished, you can SAVE your query and produce a dashboard.

SELECT:    $PARAM:[SourceIP] as SourceIP, count() as count

FROM:   [UNIX] Logon fail via SSH on all hosts

FINALLY:   group by SourceIP having count >= 5

After configuring your query you can select Show scheduling options and choose the TIMEINTERVAL and the ACTIONS:

  • TIMEINTERVAL: the period of time (in minutes) within which the events must occur. With 1, the previous example means: 5 Unix logon failures within 1 minute
  • ACTION: what the system does when the query returns a result: send an email, generate an event, add a parameter to a list


Send an email

Generate an event
Remember that you need to map the SQL variables to a specific SGBox parameter.

Add parameter to a list
Remember that you need to specify the list and the parameter you want to add to it.

Configure the first query (Q1) on Unix logon

SELECT:   $TIMESTAMP, $HOST,$PARAM:[UserName], $PARAM:[PIDLogon]

FROM:   [UNIX] Logon SSH on 10.250.2.20


Switch on Join query and configure the second query (Q2) on Unix logoff

SELECT:   $TIMESTAMP, $HOST,$PARAM:[UserName], $PARAM:[PIDLogon]

FROM:   [UNIX] Logoff SSH on 10.250.2.20


In this example, in each of the two queries, we use the $TIMESTAMP, $HOST and $PARAM placeholders to extract the fields of interest from the logon and logoff events.

Then, in the ON section, we use SQL JOIN…ON syntax to require that the logon and logoff events come from the same user and the same logon PID (that is, the same session); both queries are already restricted to the same host (10.250.2.20), so the host does not need to appear in the ON clause. In the SELECT section we use SQL syntax to display the fields of interest from the events and add the dateDiff SQL function to display the session duration.

Q1 JOIN Q2:   Q1.$PARAM:[UserName], Q1.$HOST, Q1.$TIMESTAMP as logon, Q2.$TIMESTAMP as logoff, dateDiff('second',Q1.$TIMESTAMP, Q2.$TIMESTAMP) as duration

ON:   Q1.$PARAM:[PIDLogon] = Q2.$PARAM:[PIDLogon] AND Q1.$PARAM:[UserName] = Q2.$PARAM:[UserName]

Click on TEST to show the result. If it is OK you can SAVE your query.
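The following is an added example, not code from the SGBox knowledge base. It runs the two queries of this article on an in-memory SQLite table standing in for the SGBox event store: the "5 SSH logon failures from one source IP within the TIMEINTERVAL" threshold query, with the "add parameter to a list" action and the later reuse of that list (column IN (SELECT value FROM $LIST:listname)), and the Q1/Q2 JOIN that computes the session duration from the logon and logoff events. It also illustrates the Interval and Active Scheduling options of the Events Queries article: the window is anchored to the time the scheduler runs the query. The events, column names and the 'now' timestamps are constructed for the example; dateDiff('second', ...) is rendered with SQLite's strftime.

```python
import sqlite3

# Constructed SSH events (not real SGBox data). Columns mirror the page's
# placeholders: ts = $TIMESTAMP, host = $HOST, event = the SGBox event name,
# UserName / SourceIP / PIDLogon = $PARAM:[...]. Failed logons carry no PIDLogon.
EVENTS = [
    ("2025-03-12 08:58:40", "10.250.2.20", "[UNIX] Logon fail via SSH", "bob",    "198.51.100.4",  None),
    ("2025-03-12 09:00:05", "10.250.2.20", "[UNIX] Logon fail via SSH", "root",   "203.0.113.7",   None),
    ("2025-03-12 09:00:09", "10.250.2.20", "[UNIX] Logon fail via SSH", "root",   "203.0.113.7",   None),
    ("2025-03-12 09:00:14", "10.250.2.20", "[UNIX] Logon fail via SSH", "admin",  "203.0.113.7",   None),
    ("2025-03-12 09:00:21", "10.250.2.20", "[UNIX] Logon fail via SSH", "admin",  "203.0.113.7",   None),
    ("2025-03-12 09:00:33", "10.250.2.20", "[UNIX] Logon fail via SSH", "oracle", "203.0.113.7",   None),
    ("2025-03-12 09:00:40", "10.250.2.20", "[UNIX] Logon fail via SSH", "bob",    "198.51.100.4",  None),
    ("2025-03-12 09:01:00", "10.250.2.20", "[UNIX] Logon SSH",          "alice",  "198.51.100.9",  "4101"),
    ("2025-03-12 09:05:00", "10.250.2.20", "[UNIX] Logon SSH",          "carol",  "198.51.100.12", "4177"),
    ("2025-03-12 09:12:30", "10.250.2.20", "[UNIX] Logoff SSH",         "alice",  "198.51.100.9",  "4101"),
]


def open_event_db(rows=EVENTS):
    """In-memory stand-in for the event store plus a 'lists' table playing the role of $LIST:name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, event TEXT, "
                 "UserName TEXT, SourceIP TEXT, PIDLogon TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.execute("CREATE TABLE lists (name TEXT, value TEXT, PRIMARY KEY (name, value))")
    return conn


def ssh_failure_threshold(conn, now, interval_minutes=1, threshold=5):
    """The article's threshold query: failures per SourceIP with count >= threshold,
    restricted to the TIMEINTERVAL window (now - interval, now] of the scheduled run."""
    sql = """
        SELECT SourceIP, count(*) AS cnt
        FROM events
        WHERE event = '[UNIX] Logon fail via SSH'
          AND ts >  datetime(?, ?)
          AND ts <= ?
        GROUP BY SourceIP
        HAVING cnt >= ?
        ORDER BY cnt DESC, SourceIP
    """
    params = (now, "-%d minutes" % interval_minutes, now, threshold)
    return conn.execute(sql, params).fetchall()


def add_to_list(conn, listname, hits):
    """ACTION 'add parameter to a list': store the first column of every hit.
    INSERT OR IGNORE keeps the action idempotent across repeated scheduled runs."""
    conn.executemany("INSERT OR IGNORE INTO lists VALUES (?, ?)",
                     [(listname, row[0]) for row in hits])
    return [r[0] for r in conn.execute(
        "SELECT value FROM lists WHERE name = ? ORDER BY value", (listname,))]


def events_from_list(conn, listname):
    """Reuse of the list in a later query: column IN (SELECT value FROM $LIST:listname)."""
    sql = """
        SELECT ts, event, UserName, SourceIP FROM events
        WHERE SourceIP IN (SELECT value FROM lists WHERE name = ?)
        ORDER BY ts
    """
    return conn.execute(sql, (listname,)).fetchall()


def ssh_session_durations(conn):
    """Q1 (logon) JOIN Q2 (logoff) ON PIDLogon and UserName, with the duration in
    seconds in place of dateDiff('second', Q1.$TIMESTAMP, Q2.$TIMESTAMP).
    An inner join only returns sessions that already have a logoff event."""
    sql = """
        SELECT q1.UserName, q1.host, q1.ts AS logon, q2.ts AS logoff,
               CAST(strftime('%s', q2.ts) AS INTEGER)
             - CAST(strftime('%s', q1.ts) AS INTEGER) AS duration
        FROM events q1
        JOIN events q2
          ON q1.PIDLogon = q2.PIDLogon AND q1.UserName = q2.UserName
        WHERE q1.event = '[UNIX] Logon SSH' AND q2.event = '[UNIX] Logoff SSH'
        ORDER BY logon
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_event_db()
    hits = ssh_failure_threshold(db, "2025-03-12 09:01:00")   # run at 09:01, window 1 min
    print("threshold hits:", hits)
    print("list now holds:", add_to_list(db, "ssh_bruteforce_ips", hits))
    print("sessions:", ssh_session_durations(db))
```

Two practical points follow from the run. First, 198.51.100.4 never trips the threshold: its two failures are 2 minutes apart, so with a 1-minute window each scheduled run sees at most one of them, and only a wider interval (as in the 5-minute example of the Query Options) counts both. Second, because a scheduled query runs every minute while the interval can be longer, the same burst of failures satisfies the query on several consecutive runs; the action must therefore tolerate repeats, which the list insert above does, and which an e-mail action does not. The inner join drops carol's still-open session (no logoff yet); a LEFT JOIN with a NULL logoff would be the way to list sessions that have not ended.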

]]>