Schedule endpoint queries

InsightIDR provides you the ability to search for and document specific malicious behavior using scheduled endpoint queries. Endpoint queries allow you to search selected assets to detect suspicious behavior. You can set the query schedule for daily, weekly, or monthly, or you can set a custom time range.

By using endpoint queries, you can discover more context for your investigations by narrowing down your focus to items such as firewalls and DNS servers. The queries pull information from the data about processes that are running, registry keys, or installed services to give you a better understanding of what is occurring on the endpoints in question.

To schedule an endpoint query:

  1. Navigate to Investigations from the left menu of InsightIDR.
  2. Click Schedule Endpoint Queries. A table of all past and running endpoint queries displays. You can select the columns to sort and organize them.
  3. Click Create Schedule.
  4. Enter a name for the schedule.
  5. Enter the endpoints to include. A list displays after you type in a few characters in the Endpoints field.
    • Optionally, select Create an Endpoint Group and configure those separate details.
  6. From the Frequency dropdown menu, select how frequently you want the endpoint query to run.
  7. In the Schedule Time field, enter the time that you want the endpoint query to run, using HH:MM:SS format.
  8. Select a query from the Endpoint Queries dropdown menu.
  9. Select the parameters that you want to use in the endpoint query.
  10. Click Save. The scheduled endpoint query returns results based on the parameters you selected.

Manage scheduled endpoint queries

From the Scheduled Endpoint Queries table, you can resume, stop, edit, or delete an endpoint query schedule:

  • Click the Stop icon to stop an endpoint query, and the Resume icon to resume the endpoint query.
  • Click the Pencil icon to edit a scheduled endpoint query.
  • Click the Trash icon to delete a scheduled endpoint query.

Understand the types of endpoint queries

You can select from a number of endpoint queries when creating a schedule:

ARP Cache

This query does not accept parameters.

Current Process

This query retrieves information about the processes currently running on the selected endpoint. Its parameters are:

  • PID priority
  • User info
  • Handles, including:
    • Directory handles
    • Token handles
    • Process handles
    • Thread handles
    • Event handles
    • Mutant handles
    • Semaphore handles
    • Window station handles
    • Desktop handles
    • File handles
    • Section handles
    • Key handles
    • ALPC handles
    • All handles
  • Modules
  • Signature check
  • TCP:
    • TCP over IPV4
    • TCP over IPV6
  • UDP:
    • UDP over IPV4
    • UDP over IPV6

Terminology for this query:

  • User info - This parameter displays who the owner of the process is and additional account information.
  • Handle - A handle is a descriptor that a process opens to access or modify a resource (it is a reference to that resource). For example, if the process opens a registry key, it holds a key handle to it. Handles can also refer to other kernel objects opened by the process, such as mutants, semaphores, and threads.
  • Modules - A module, in this case, is a dynamic library the process has loaded or the name of the executable.
  • Mutant - A mutant is another name for a mutex, formally known as a mutual exclusion. It ensures that two threads cannot access a shared resource at the same time. Typically, malware creates named mutexes that we can look for to show commonality between malware families.
  • Semaphore - A semaphore ensures that only so many threads can access a given resource at once. To use a restaurant analogy, only 50 people are allowed in the restaurant at a time. After that, no one may enter until someone else leaves. In other words, a maximum of 50 people are allowed in at any time.
  • Section - A section is a chunk of memory that can be shared with other processes or mapped to a file.
  • Advanced Local Procedure Call (ALPC) - Processes can have Advanced Local Procedure Call (ALPC) ports to communicate to various subsystems or processes. You can think of this as a local Remote Procedure Call (RPC) mechanism.

When choosing this endpoint query:

  1. Enter the process ID (PID) in the PID field.
  2. Enter the parent PID in the Parent PID field.
  3. Select the appropriate parameters.
  4. Click the Save button.

Installed Service

This query retrieves information about installed services. The query parameters are signature check, allow INET SIG, and security info.

Terminology for this query:

  • Signature check - If a binary or DLL is signed, InsightIDR verifies that the signature is valid. On Windows, if the DLLs and executables are signed by Microsoft, the output reflects this.
  • Allow INET SIG - This option enables or disables the use of the network to verify signatures. If it is disabled, InsightIDR uses only the local cache for revocation checking.
  • Security Info - This is a technical flag geared for Active Response and Incident Response. It enables InsightIDR to see all access and owner information for a given service.

Directory Entry

This query retrieves information about specified directories. The parameters are path, directory depth, maximum file size, and minimum file size.

To select this endpoint query, complete the following steps:

  1. Enter the directory path in the Path field. Enter -1 to search all directories.
  2. Enter the directory depth in the Directory depth field. Enter -1 to search all directories.
  3. Enter the maximum file size (in megabytes) in the Maximum File Size (MB) field.
  4. Enter the minimum file size (in megabytes) in the Minimum File Size (MB) field.
  5. Select the Calculate MD5 Hashes checkbox if you need to calculate MD5 hashes.
  6. Select the Calculate SHA-1 Hashes checkbox if you need to calculate SHA-1 hashes.
  7. Click the Save button to save the changes.

DNS Cache

This query returns the local DNS cache and local A/CNAME record resolution if a resolver service is running.

This query is hardcoded and never makes any outbound requests to resolve entries. This query does not accept parameters.

Network Connection

This query returns network connection information about the protocol and address family (IPv4 or IPv6). The query parameters are all network info, TCP over IPV4, TCP over IPV6, UDP over IPV4, and UDP over IPV6.

Registry Key

This query parses specified registry hives for keys. When the agent is installed as a system service, HKEY_CURRENT_USER (HKCU) reflects this. If a user wants to look at a user-specific key within that user's hive, they need to root their queries at HKU/<user-sid> and not HKCU. The reason is that HKCU is simply a pointer, in other words a symlink, to the hive of whoever is accessing the registry, which in our case is the agent running as system. This means HKCU is actually pointing to HKU/<system-sid> and not to the user who is logged in. This query also supports regex within key paths, so users don't need to know the exact key path names.

The parameters for this query are:

  • Registry keys
  • Search HKEY_CLASSES_ROOT
  • Search HKEY_CURRENT_USER
  • Search HKEY_LOCAL_MACHINE
  • Search HKEY_USERS
  • Search HKEY_CURRENT_CONFIG
  • Recursive depth
  • Persistent

To select this endpoint query, complete the following steps:

  1. Enter the registry keys in the Registry Keys field.
    • For example, the Registry keys format would be HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\.
  2. Select the appropriate Search HKEY parameter checkboxes.
  3. Enter the recursion depth in the Recursion Depth field. Enter -1 to search all.
  4. If needed, select the Persistent checkbox.

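As an added example (not from the InsightIDR documentation), the following PowerShell resolves a user account to its SID and checks whether that user's hive is currently loaded under HKEY_USERS, which is what a Registry Key query rooted at HKU\<user-sid> depends on. The account name CONTOSO\jdoe and the key path under the hive are placeholders.

```powershell
# Added example, not part of the InsightIDR documentation.
# Resolves a user account to its SID and checks whether that user's hive is loaded
# under HKEY_USERS, so a Registry Key query can be rooted at HKU\<user-sid>.
# 'CONTOSO\jdoe' is a placeholder account; replace it with the user under investigation.
$account = New-Object System.Security.Principal.NTAccount('CONTOSO', 'jdoe')
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# The agent runs as SYSTEM, so HKCU in its context resolves to the LocalSystem hive
# (well-known SID S-1-5-18), not to the hive of the interactively logged-on user.
$systemSid = 'S-1-5-18'
Write-Host "A query rooted at HKCU reads HKEY_USERS\$systemSid, not the user's hive"

# A user's hive appears under HKEY_USERS only while that user's profile is loaded
# (that is, while the user is logged on).
$hiveRoot = "Registry::HKEY_USERS\$userSid"
if (Test-Path -Path $hiveRoot) {
    # Illustrative subtree; in InsightIDR you would enter the same path, starting at
    # HKEY_USERS\<sid>\Software\..., in the Registry Keys field.
    $target = "$hiveRoot\Software\Microsoft\Windows\CurrentVersion"
    Write-Host "Root the Registry Key query at HKEY_USERS\$userSid\Software\Microsoft\Windows\CurrentVersion"
    # -Depth 1 mirrors a small Recursion Depth; use -Recurse for the equivalent of -1.
    Get-ChildItem -Path $target -Depth 1 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
} else {
    Write-Host "Hive for $userSid is not loaded; the user is not logged on, so an HKU-rooted query returns nothing"
}
```
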
Scheduled Task

This query retrieves all scheduled tasks on an asset. This query does not accept parameters.

User Session

This query enumerates all of the system sessions on an asset. The query parameters are active connections and remote connections.

On Windows Vista and Windows Server 2008 and later, only services appear in session 0, and logged-on users appear in subsequent sessions. This is normal behavior and was implemented by Microsoft as a security fix called session 0 isolation.