Last updated at Mon, 28 Oct 2019 18:35:45 GMT

Sitting down with your data lake and asking it questions has never been easy. In the infosec world, there are additional layers of complexity. Users are bouncing between assets, services, and geographical locations, with each monitoring silo producing its own log files and slivers of the complete picture.

From a human perspective, distilling this data requires two unique skillsets:

  • Incident Response: Is this anomalous activity a false positive, a misconfiguration, or true malicious behavior?
  • Data Manipulation: What search query should I construct to get what I need? Do I need to build a custom rule for this, or report on this statistic?

We’ve built InsightIDR with the goal of reducing friction and complexity on both of these fronts. On the incident response side, you’re armed with a dossier of user behavior analytics across network, endpoint, and cloud services to make faster, informed decisions. You can now enjoy Visual Search, which aims to lower the level of complexity associated with writing queries and making sense of your wealth of log data.

Visual Search was first released in InsightOps, our solution for IT infrastructure monitoring and troubleshooting. It’s had a great reception, and we’re proud that it’s now a shared service also available in InsightIDR. Visual Search identifies anomalies, allows for flexible drill-downs, and helps you build queries without using the Log Entries Query Language (LEQL).

Your First Visual Search

In InsightIDR, start by heading to Log Search. You’ll notice that we’ve refreshed the look and feel—we’re continuously improving the speed and responsiveness of the search technology.

A breakdown of the updated interface:

Log Search Interface Callouts

Activate Visual Search by selecting it under the Mode dropdown. At this point, three cards will auto-populate, proactively identifying anomalies from your data. For each data set, we brainstormed with security teams, including our own, to map out interesting starter queries.

You can click on the gear to edit, copy, or remove the card. This is the same architecture as the cards in Dashboards, so the suggested queries can improve your LEQL skills and help you see your data differently.

From here, you can click into any of the bars or data points on the card to drill further. For example, for the “Group by destination_port” card, we can click on the 5666 bar. It automatically performs the search query, where(destination_port=5666).

Visual Search is a great first step in highlighting “where to look”. As each data set is enriched with user and location data, this feature really highlights the user behavior analytics core in InsightIDR. These cards wouldn’t be possible to populate from the raw log data alone. By proactively identifying anomalies tailored to each data set, and guiding you towards LEQL search strings, you can find answers while gaining skill along the way.