Pro Tip: Four things you didn't know about Security Investigator

Tiit_Hallas
Dynatrace Helper

Dynatrace Security Investigator is built to speed up evidence-driven investigations on the data in Grail. Use cases like incident response, root cause analysis and threat hunting are what we focus on and where we strive for excellence.

We are solving the problem of time and answers: we want to remove manual, repetitive tasks from your investigations and provide fast access to the raw data you have ingested into Grail. In this post I'll introduce four recent features that you probably haven't discovered yet when using Security Investigator.


1. Detailed insights into your data

After you've fetched your data from Grail, you will see it in a structured way in the results table with all its respective columns. The number of columns can be quite large, especially when fetching events, which have many different fields available. These results could contain tens or even hundreds of columns.


Record details

To speed up viewing these events without horizontally scrolling through all the columns, simply double-click on the record in the results table to open the record details view, which "rotates" the horizontal log record into a vertical table view.

All the complex data types like records and arrays are expandable and can be viewed on a separate row. When right-clicking on the elements, you can add filter commands to your DQL query with the respective sub-element value.


You can navigate through the records using either the arrow keys on your keyboard or use the arrow buttons at the top of the record details.


Field details

If you want to see the raw content of the log line (including non-printable characters in a readable form), right-click on a value in the results table and choose "view field details". This opens a modal that displays all the spaces, tabs and newlines as you would see them in your code editor or in the log file, to speed up understanding the data. This is especially relevant when analysing multiline logs like Java stack traces.


The detailed view in Security Investigator also recognises popular formats like JSON and pretty-prints them according to their structure, which simplifies understanding the event's content and finding sub-elements in the JSON.

As with record details, you can navigate through the same field in different records using either the arrow keys on your keyboard or the arrow buttons at the top of the view.


Visualizing results with charts

The type of data being fetched from Grail is evaluated automatically and, if it can be represented visually, it is shown as a chart. For example, metric data fetched from Grail is shown as a line chart automatically.


2. Analysing multiline records

Dynatrace supports ingesting multiline records without any modification to the OneAgent. Records containing line breaks or newline characters are ingested into Grail as one record, preserving the context of stack traces and other multiline events.

To view multiline records in Security Investigator, open the column menu by clicking on the column header and choose "multiline mode".


Enabling this option preserves all the spaces, tabs and newline characters in the respective results-table column, so the log is shown as it was written to the original log destination. This simplifies reading indented, multi-level content such as stack traces.


3. Filtering on multiple values from a column

As you know, Security Investigator offers a variety of filtering options, depending on the type of the column. For example, right-clicking on a timestamp value in the results table lets you quickly add a range filter to your DQL query based on that timestamp's value.

Additionally, you can create filters for your DQL query from multiple values. You can either:

  • select a range of values by holding down the Shift key and choosing the first and last value in the column, or

  • select individual values from the column while holding the Ctrl (or Cmd) key.


Right-clicking on the selected values offers the option to add a filter command to the DQL query with the unique values from the selection. The type of the field is taken into consideration: when adding a filter from an IpAddress field, the function ipIn is used instead of in, which applies to strings.
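To make the type-aware behaviour concrete, here is an added Python example (not Security Investigator's own code) that turns a multi-selection from one column into a DQL filter command the way the post describes: IP values become ipIn() clauses, timestamps become a closed range, and everything else becomes in(). The sample values, the field names and the exact text of the generated commands are assumptions; Security Investigator's real output may be formatted differently.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample values, as if selected from one results-table column.
# These are made-up values, not data from the post.
SELECTED_HOSTS = ["web-01", "web-02", "web-01"]
SELECTED_IPS = ["10.1.2.3", "10.1.2.3", "2001:db8::1"]
SELECTED_TIMES = ["2025-02-21T10:15:00Z", "2025-02-21T09:58:30Z", "2025-02-21T10:03:12Z"]
SELECTED_STATUS = [403, 401, 403]


def _parse_timestamp(value):
    """Return a datetime for an ISO-8601 string, or None if it is not one."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def _is_ip(value):
    """True for a textual IPv4/IPv6 address (ints are deliberately rejected)."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dql_filter(field, values):
    """Build one DQL filter command from the unique values selected in `field`.

    Type handling follows what the post describes: IP values use ipIn(),
    timestamps become a range, everything else uses in(). The exact text
    that Security Investigator emits is not documented here; this output
    format is an assumption.
    """
    unique = list(dict.fromkeys(values))   # de-duplicate, keep selection order
    if not unique:
        raise ValueError("no values selected")

    if all(_is_ip(v) for v in unique):
        # ipIn() takes one address or CIDR range per call (assumed), so OR them
        return "| filter " + " or ".join(f'ipIn({field}, "{v}")' for v in unique)

    if all(_parse_timestamp(v) is not None for v in unique):
        # A multi-selection of timestamps is collapsed into a closed range
        lo = min(unique, key=_parse_timestamp)
        hi = max(unique, key=_parse_timestamp)
        return (f'| filter {field} >= toTimestamp("{lo}") '
                f'and {field} <= toTimestamp("{hi}")')

    # Strings, numbers and booleans: json.dumps yields DQL-compatible literals
    literals = ", ".join(json.dumps(v) for v in unique)
    return f"| filter in({field}, array({literals}))"


if __name__ == "__main__":
    for field, values in [("host.name", SELECTED_HOSTS), ("client.ip", SELECTED_IPS),
                          ("timestamp", SELECTED_TIMES), ("status", SELECTED_STATUS)]:
        print(dql_filter(field, values))
```

The de-duplication step matters in practice: a Shift-selection over a column of repeated hosts or IPs would otherwise produce a filter with the same literal many times over, and the type check runs over all selected values so that a mixed column (say, an IP next to an empty string) falls back to in() rather than emitting a broken ipIn() clause.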


4. Accessing fetched data faster

In addition to the many ways to create filters and enhance your query, Security Investigator offers other ways to operationalize your query results. By right-clicking on a record and choosing Copy, you can discover a multitude of ways to use the results beyond the plain-text copy that most tools provide. You can copy either a single record or multi-select records and copy them all at once.

Copy as DQL value

The option to copy as DQL value prepares the values so that they can be used directly in your DQL statements, be it a filter, a fieldsAdd command or something else. The casting functions are applied automatically when copying the data, to speed up query creation.


Copy record as DQL data

As you probably know, DQL has a data command that returns the records you define inline in the query itself, without fetching anything from Grail. If you're familiar with databases, think of select 1 from dual in Oracle, or just select 1; in MySQL or PostgreSQL. It is intended for testing and documenting query scenarios on a small, exemplary dataset.

Security Investigator lets you copy your results as data records, with their respective types and definitions, ready to be used as mocked data. Once you have found the meaningful record(s) in the results, just copy them as DQL data and paste them into Slack for your peers, run the data command to analyse that subset of the results further, or keep the data command in your query tree for demo purposes.


Copy record as JSON data

Similarly to copying a record as DQL data, you can copy the selected records as JSON objects. The JSON-structured data can then easily be used as input for third-party systems or custom Python scripts, or for further analysis.
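As an added example of the round trip between the two copy formats above, the following Python script (not Security Investigator's code) takes records in the JSON form and rebuilds a DQL data command from them, casting ISO-8601 strings back to timestamps with toTimestamp(), rendering arrays with array() and nested objects with record(). The sample records and field names are constructed; whether Security Investigator emits exactly this shape, and whether dotted field names are accepted inside record() without quoting, are assumptions.

```python
import json
from datetime import datetime

# Constructed sample of what a "copy record as JSON" export could look like.
# Made-up records, not data from the post; field names are assumptions.
SAMPLE_JSON = """[
  {"timestamp": "2025-02-21T10:15:00.123Z", "host.name": "web-01",
   "status": 403, "client.ip": "10.1.2.3", "tags": ["auth", "web"], "ok": false,
   "request": {"method": "POST", "path": "/login"}},
  {"timestamp": "2025-02-21T10:15:02.000Z", "host.name": "web-02",
   "status": 200, "client.ip": "10.1.2.4", "tags": ["web"], "ok": true,
   "request": {"method": "GET", "path": "/"}}
]"""


def _is_timestamp(value):
    """True if `value` is a string that parses as an ISO-8601 timestamp."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def dql_literal(value):
    """Render a JSON value as a DQL literal, casting timestamp strings back."""
    if value is None:
        return "null"
    if isinstance(value, bool):            # must precede the int check
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return json.dumps(value)
    if isinstance(value, str):
        if _is_timestamp(value):
            return f"toTimestamp({json.dumps(value)})"
        return json.dumps(value)           # DQL strings are double-quoted
    if isinstance(value, list):
        return "array(" + ", ".join(dql_literal(v) for v in value) + ")"
    if isinstance(value, dict):
        # Dotted keys such as host.name are emitted as-is (assumed valid in record())
        return "record(" + ", ".join(f"{k}={dql_literal(v)}" for k, v in value.items()) + ")"
    raise TypeError(f"unsupported JSON value: {value!r}")


def records_to_dql_data(records):
    """Turn a list of JSON records into one DQL data command, one record() per row."""
    if not records:
        raise ValueError("no records to convert")
    rows = [dql_literal(r) for r in records]
    return "data " + ",\n     ".join(rows)


def convert_sample():
    """Convert the constructed sample; used by the demo below."""
    return records_to_dql_data(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    print(convert_sample())
```

If you only need the shape and not the types, the json:"""...""" form of the data command accepts the copied JSON array verbatim; the record() form shown here is the one to use when a later filter relies on timestamp or numeric comparisons, because those fields would otherwise arrive as strings.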


What next?

These are just a few of the features in Security Investigator. To learn more about them, see the Security Investigator documentation. If you want to try these features yourself and discover everything else we have to speed up your investigations, use the Dynatrace Playground for free and give Security Investigator a try!
