A URL integration provides a way to represent the breadcrumbs, or query path, that you follow when actively investigating a service in the Navigation view. You rarely need to display or edit these objects.
A URL integration maps a unique ID, created automatically each time you click a navigation link in the Navigation view to drill into data, to the query it represents. When the drill-down completes, the URL reflects the query IDs for the current drill point. The Display Name appears in the breadcrumb in the Values panel.
The URL Integration panel provides a list of queries and allows users who have the proper permissions to modify this underlying source of data and analyze the query patterns of other users of the Security Analytics system. Within the panel, you can:
- Refresh the list.
- Edit a query.
- Delete a query.
- Clear all queries in the list.
Edit a Query
- In the Security Analytics menu, click Administration > System.
- In the options panel, select URL Integration.
- Select the row in the grid and either double-click the row or click .
The Edit Query Dialog is displayed.
- Edit the Display Name and the Query, but do not leave either field blank.
- To save the changes, click Save.
Delete a Query
To remove a query from Security Analytics entirely:
- Select the query.
A dialog requests confirmation that you want to delete the query.
- Click Yes.
Clear All Queries
To clear all queries from the list:
Use a Query in a URI
URL Integration facilitates integrations with third-party products by allowing a search against the Security Analytics architecture. By using a query in a URI, you can pivot directly from any product that allows custom links, into a specific drill point in the Investigation view in Security Analytics.
The format for entering a URI using a URL-encoded query is:
http://<sa host:port>/investigation/<serviceId>/navigate/query/<encoded query>/date/<start date>/<end date>
- <sa host:port> is the IP address or DNS name of the Security Analytics server, with or without a port, as appropriate (SSL or not). The port is only needed if access is configured over a non-standard port through a proxy.
- <serviceId> is the internal service ID, in the Security Analytics instance, of the service to query against. The service ID is always an integer. You can read the relevant service ID from the URL when accessing the Investigation view within Security Analytics. This value changes according to the service being connected to for analysis.
- <encoded query> is the URL-encoded Security Analytics query. The length of the query is limited by URL length limitations.
- <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm>. The start and end dates are required. Relative ranges (for example, Last Hour) are not supported in this version. All times are interpreted as UTC.
The following query examples assume that the Security Analytics server is 192.168.1.10 and the service ID is 2.
All activity on 03/12/2013 between 5:00 and 6:00 AM with a hostname registered:
- Custom Pivot: alias.host exists
All activity on 03/12/2013 between 5:00 and 5:10 PM with HTTP traffic to and from IP address 10.10.10.3:
- Custom Pivot: service=80 && (ip.src=10.10.10.3 || ip.dst=10.10.10.3)
- Encoded Pivot Dissected:
  - service=80 => service%3D80
  - ip.src=10.10.10.3 => ip%2Esrc%3D10%2E10%2E10%2E3
  - ip.dst=10.10.10.3 => ip%2Edst%3D10%2E10%2E10%2E3
Some values do not need to be encoded as part of the query. For example, ip.src and ip.dst are commonly used for this integration point; when a third-party application is integrated with this feature, it is possible to reference those without encoding applied.
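The URI format and the encoding dissection above, worked through in Python as an added example (not code from the Security Analytics product): a builder that applies the page's input rules (integer service ID, non-blank query, fixed UTC date format, encoding of every non-alphanumeric byte) and a parser that recovers the service ID, decoded query and date range from a pivot URI, which is what you would want when reviewing which queries third-party links actually issue. The regex shapes and function names are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Assumed shape, taken from the documented format:
# http://<sa host:port>/investigation/<serviceId>/navigate/query/<encoded query>/date/<start>/<end>
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}$")  # <yyyy-mm-dd>T<hh:mm>, UTC
URI_RE = re.compile(
    r"^https?://(?P<host>[^/]+)/investigation/(?P<sid>\d+)/navigate/query/"
    r"(?P<query>[^/]*)/date/(?P<start>[^/]+)/(?P<end>[^/]+)$"
)


def encode_query(query: str) -> str:
    """Percent-encode every byte except ASCII letters and digits, so the output
    matches the dissected form on this page (ip.src=... -> ip%2Esrc%3D...)."""
    out = []
    for b in query.encode("utf-8"):
        c = chr(b)
        out.append(c if c.isascii() and c.isalnum() else f"%{b:02X}")
    return "".join(out)


def build_investigation_uri(host, service_id, query, start, end, scheme="http"):
    """Build a pivot URI, rejecting input the page says is not allowed:
    a non-integer service ID, a blank query, or a date outside the fixed format."""
    if isinstance(service_id, bool) or not isinstance(service_id, int) or service_id < 0:
        raise ValueError("serviceId must be a non-negative integer")
    if not query.strip():
        raise ValueError("query must not be blank")
    for d in (start, end):
        if not DATE_RE.match(d):
            raise ValueError(f"date {d!r} must be <yyyy-mm-dd>T<hh:mm>")
    return (f"{scheme}://{host}/investigation/{service_id}/navigate/query/"
            f"{encode_query(query)}/date/{start}/{end}")


def parse_investigation_uri(uri):
    """Recover host, service ID, decoded query and date range from a pivot URI.
    Raises ValueError for anything that is not a well-formed pivot URI."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError("not an investigation pivot URI")
    return {"host": m["host"], "service_id": int(m["sid"]),
            "query": unquote(m["query"]), "start": m["start"], "end": m["end"]}


if __name__ == "__main__":
    # Constructed sample matching the page's second example (server 192.168.1.10, service 2).
    q = "service=80 && (ip.src=10.10.10.3 || ip.dst=10.10.10.3)"
    uri = build_investigation_uri("192.168.1.10", 2, q, "2013-03-12T17:00", "2013-03-12T17:10")
    print(uri)
    print(parse_investigation_uri(uri))
```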