Session Analysis
The Analysis menu contains analytic tools that let you view and search specific attributes of TCP sessions and gauge their risk. These tools appear as individual tabs, namely Sessions, Threats, Files, C2, Malware Events, RetroHunt Events, and Manual Scan, as highlighted in the following screen. The Manual Scan page provides an interface for uploading files and raw traffic captures (PCAPs) that are processed by internal and/or any configured third-party tools.

The left pane of each tool offers two session search interfaces, Quick Search and Advanced Search. Click either one to toggle between them and locate sessions; their basic details appear in the right pane. You can further refine a search by specifying a time range for it.
Quick Search
Quick search allows you to search session data instantly by typing simple search terms or text related to the sessions in the search box. This is the default search mode enabled for all Analysis pages.
- For a selected page, type the text related to the session in the search box (such as the source IP address, destination IP address, IP subnets, hashes of the session, and so on).
- Click on one of the numbers below the text box (that appears as you type the search text) to specify the maximum number of results that must be displayed in the right pane.
Note: Maximum number of session results that can be specified is 1000.
- Click Search. The basic session details matching your specified columns and criteria are displayed in the right pane in a tabular form.
- Click View corresponding to a session to find its detailed analysis report. For more information, refer to the Viewing Detailed Session Reports section.
Note: For information on the quick search rules that must be used for each Analysis page, refer to their corresponding sections in the guide.
Advanced Search
Advanced search enables you to refine your searches by selecting the in-built columns (related to the sessions) and specifying their respective criteria. For instance, where applicable, you can search for files by a specific MD5 or by just its first few characters. This is often used in environments where message digests are supplied on one network while monitoring consoles reside on another, and copying and pasting is simply not possible.
- For a selected page, click Advanced Search on the left pane and select a column from the drop-down menu. A second search box appears with options to add one or more criteria to the selected column.
- Add multiple columns and criteria to your search in any sequence using the drop-down menus.
Note: To remove individual search columns or criteria that are not required, click the corresponding button.
- After all the search columns and criteria are specified, click Search. The basic session details matching your specified columns and criteria are displayed in the right pane in a tabular form.
- Click View corresponding to a session to find its detailed analysis report. For more information, refer to the Viewing Detailed Session Reports section.
Note: For information on saving, viewing, reusing and managing your advanced searches with specific columns and criteria, refer to the Manage Your Advanced Searches section.
InQuest injects additional headers into analyzed sessions to support threat-hunting and detection capabilities. These headers are searchable like any other session attribute.
HTTP sessions include:
- x-inquest-request-packets - Number of request packets within the session
- x-inquest-response-packets - Number of response packets within the session
- x-inquest-request-bytes - Number of request bytes transferred
- x-inquest-response-bytes - Number of response bytes transferred
- x-inquest-request-duration - Number of seconds taken by the session request
- x-inquest-response-duration - Number of seconds taken by the session response
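The per-session counters above are most useful once turned into ratios (transfer asymmetry, payload density, throughput). The following is an added example, not code from InQuest or from this guide: it parses a constructed HTTP header block carrying the x-inquest-* headers, derives those ratios, and tags sessions for review. The thresholds in triage() and the tag names are assumptions chosen for illustration, and the function tolerates missing or non-numeric headers rather than failing on them.

```python
INQUEST_FIELDS = (
    "request-packets", "response-packets",
    "request-bytes", "response-bytes",
    "request-duration", "response-duration",
)

# Constructed sample header block (not a real capture): a small request that
# pulled down a large binary response.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: application/octet-stream
X-Inquest-Request-Packets: 12
x-inquest-response-packets: 840
x-inquest-request-bytes: 1460
x-inquest-response-bytes: 1200000
x-inquest-request-duration: 0.4
x-inquest-response-duration: 37.5
"""

# Constructed sample with headers missing or unusable (e.g. a session cut short)
PARTIAL_HEADERS = """\
HTTP/1.1 200 OK
x-inquest-request-bytes: 300
x-inquest-response-bytes: n/a
"""


def parse_inquest_headers(raw):
    """Pull the x-inquest-* counters out of a header block (case-insensitive).
    Returns a dict keyed by the suffix after 'x-inquest-'; missing or
    non-numeric values are None rather than raising."""
    values = dict.fromkeys(INQUEST_FIELDS)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name.startswith("x-inquest-"):
            continue
        key = name[len("x-inquest-"):]
        if key in values:
            try:
                values[key] = float(value.strip())
            except ValueError:
                values[key] = None
    return values


def _ratio(num, den):
    # None when the numerator is missing or the denominator is missing/zero
    return None if num is None or not den else num / den


def session_metrics(values):
    """Derived figures a hunter pivots on: transfer asymmetry, payload density
    and throughput. None wherever an input counter is missing."""
    return {
        "resp_to_req_bytes": _ratio(values["response-bytes"], values["request-bytes"]),
        "resp_bytes_per_packet": _ratio(values["response-bytes"], values["response-packets"]),
        "resp_bytes_per_sec": _ratio(values["response-bytes"], values["response-duration"]),
    }


def triage(raw, large_response=500_000, asymmetry=100.0, slow_seconds=30.0):
    """Tag a session for analyst review. The thresholds are assumed starting
    points for tuning in your own environment, not values from the product."""
    values = parse_inquest_headers(raw)
    metrics = session_metrics(values)
    tags = []
    if any(v is None for v in values.values()):
        tags.append("incomplete-metrics")
    if (values["response-bytes"] or 0) >= large_response:
        tags.append("large-response")
    if (metrics["resp_to_req_bytes"] or 0) >= asymmetry:
        tags.append("lopsided-transfer")
    if (values["response-duration"] or 0) >= slow_seconds:
        tags.append("long-response")
    return tags


if __name__ == "__main__":
    for block in (SAMPLE_HEADERS, PARTIAL_HEADERS):
        print(triage(block), session_metrics(parse_inquest_headers(block)))
```

The same derived ratios can be reproduced in the console by combining the corresponding header columns in an advanced search; the point of computing them offline is to settle on thresholds before saving such a search.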
SSL sessions include:
- JA3 - Fingerprint of an SSL/TLS client connection based on fields in the Client Hello message
- JA3S - Fingerprint of an SSL/TLS server connection based on fields in the Client Hello message
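To make the JA3 value searchable on this page meaningful, it helps to see how it is derived. The following is an added example, not code from InQuest or this guide: it builds a minimal, constructed ClientHello record (not captured traffic), parses the five fields JA3 uses (version, cipher suites, extension types, supported groups, EC point formats), drops GREASE placeholders as the JA3 specification requires, and produces the comma/dash-separated string and its MD5. JA3S applies the same construction to the server's hello response. The helper build_client_hello() exists only to create the sample bytes.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random-looking placeholders a client may insert;
# JA3 discards them so the fingerprint stays stable between connections.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(version, ciphers, extensions):
    """Construct a minimal TLS record carrying a ClientHello (sample data only).
    `extensions` is a list of (type, body) tuples."""
    ext_blob = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32            # version + random
            + b"\x00"                                             # empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_fields(record):
    """Parse a ClientHello record and return the five JA3 field values."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                     # skip record (5) + handshake (4) headers
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                               # version + random
    pos += 1 + record[pos]                      # session id
    n = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (n // 2), record, pos)
               if c not in GREASE]
    pos += n
    pos += 1 + record[pos]                      # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(record):                       # extensions block is optional
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            body = record[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                     # supported_groups: 2-byte len + 2-byte ids
                count = struct.unpack_from("!H", body, 0)[0] // 2
                groups = [g for g in struct.unpack_from("!%dH" % count, body, 2)
                          if g not in GREASE]
            elif etype == 11:                   # ec_point_formats: 1-byte len + 1-byte ids
                formats = list(body[1:1 + body[0]])
    return version, ciphers, ext_types, groups, formats


def ja3(record):
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    version, ciphers, exts, groups, formats = ja3_fields(record)
    s = ",".join([str(version)] + ["-".join(map(str, lst))
                                   for lst in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed sample: a TLS 1.0 hello carrying one GREASE cipher and one GREASE
# extension, both of which must vanish from the fingerprint.
SAMPLE = build_client_hello(
    0x0301,
    [0x2A2A, 0x002F, 0x0035, 0x0005, 0x000A, 0xC009, 0xC00A, 0xC013, 0xC014,
     0x0032, 0x0038, 0x0013, 0x0004],
    [(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),     # server_name (SNI)
     (0x0A0A, b""),                                     # GREASE extension
     (0x000A, b"\x00\x06\x00\x17\x00\x18\x00\x19"),     # supported_groups
     (0x000B, b"\x01\x00")],                            # ec_point_formats: uncompressed
)

if __name__ == "__main__":
    print(ja3(SAMPLE))
```

Because the fingerprint covers only the ordering and contents of these fields, two clients built on the same TLS library share a JA3 even when they talk to different hosts; a JA3 search on this page therefore groups sessions by client software, not by destination.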
SMTP sessions include:
- x-from-address - Sending email address
- x-from-domain - FQDN of the sending domain
- x-from-name - Displayed name of the email sender
- x-to-address - Recipient email address
- x-to-domain - Recipient email domain
- X-Received - List of all the servers/computers through which the message traveled
- X-CC-Address - Email address of CC recipients
- X-CC-Domain - Domain name of CC addresses
- X-CC-Name - Displayed name of CC addresses
- X-BCC-Address - Email address of BCC recipients
- X-BCC-Domain - Domain of BCC addresses
- X-BCC-Name - Displayed name of BCC addresses
- x-auditid - Audit event of an SMTP session
- x-cid - Header used to reference embedded data within HTML
- x-mailer-info - The program used to send the email
- x-mailer-info-extra - Additional information from the mailer-info header
- x-messageuid - Unique identifier of this message on the mail server
- x-mime-preamble - Text between the initial MIME header block and the first boundary delimiter
- x-rpcampaign - Text after the final boundary delimiter
Time Interval
You can specify a time range for your quick or advanced searches on the left pane by selecting a Time Interval from the drop-down menu (up to 30 days), or by specifying a From/To date range using the calendars when you want to expand the search to more than 30 days. Clicking Search returns results matching your search criteria within the specified time interval.
Note: You can search for sessions by specifying just a time interval, without using quick or advanced search.
Session Data Export
You can download/export your session data to your system. Click the Actions drop-down menu on the top-right corner of the page and select Data Export. The Export page appears, enabling you to export the session data of the selected Analysis tab (or even the data of a particular session) as an HTML page, XML, JSON, or a CSV file. The default Structure tab displays the basic structure of your session data. Click the HTML, XML, JSON, or CSV tab and click Save As to export the session details to your system in the desired file format.
For information on using other available tips and options on all Analysis pages, refer to the Other Options in the Analysis Pages section.