XDR Investigate Tab: Advanced Telemetry Querying and Analysis

The Investigate tab in Hexnode XDR serves as an advanced querying workspace for endpoint telemetry. It enables administrators to filter, search, and correlate data to analyze endpoint behavior, detect suspicious patterns, and trace security-relevant events.

This environment is critical for examining Indicators of Compromise (IOCs), validating the presence of suspicious processes, and tracking endpoint communications with malicious domains or IP addresses.

Definition: Hexnode XDR Query

A query is a defined set of conditional filters used to search across endpoint, process, and network telemetry. Well-constructed queries allow administrators to uncover critical insights and rapidly isolate suspicious behavior during an investigation.

Investigation Capabilities (Key Questions Answered)

The Investigate feature empowers administrators to answer critical security questions, including:

  • Which endpoints exhibit activity related to a specific IOC?
  • Has a specific event or behavior occurred on other endpoints?
  • Which endpoint user accounts were involved during an incident?
  • Are unusual processes, connections, or activities occurring across multiple endpoints?
  • Did an endpoint interact with suspicious files, domains, or IP addresses?
  • Has a specific process or executable appeared elsewhere in the environment?
  • Are there repeated patterns indicating lateral movement or privilege misuse?
  • What is the organizational blast radius (impact scope) of a detection?

Executing a Search Query

To initiate an investigation, navigate to the Investigate tab. Use the Search Query builder to define the conditions that will filter your events.

Step 1: Select a Time Range

Establish the investigation window to limit the search scope to relevant historical or recent activity.

Step 2: Define the Field Category

Clicking inside the search bar reveals predefined field suggestions organized by category to ensure accurate telemetry targeting:

  • Process: Details regarding running or newly created processes.
  • File: Events related to file creation, modification, or access.
  • Authentication: Logon, logoff, and credential-related activity.
  • Host: Endpoint attributes (hostname, OS details, hardware identifiers).
  • Script: Script execution events (e.g., PowerShell, command-line).
  • Registry: Registry modifications and configuration changes.
  • WMI: Windows Management Instrumentation events (often linked to system automation or lateral movement).
  • Network: Network connections, IP communications, and DNS activity.

Step 3: Choose a Comparator

Define how the selected field value should be matched. Available comparators include:

  • Equal to
  • Not equal to
  • Contains / Does not contain
  • Begins with / Ends with
  • Is empty / Is not empty

Step 4: Input the Value & Apply Operators

Enter the target value to complete the condition. This creates a query bubble (a single searchable criterion, e.g., ProcessName contains powershell.exe).

  • Individual query bubbles can be edited or deleted.
  • For multi-condition searches, connect bubbles using logical operators:
    • AND: The event must match all connected conditions.
    • OR: The event can match any of the connected conditions.

Note:

You can use the Recent Searches list to quickly reload, reuse, or refine previously executed queries.

Step 5: Execute

Click Run Query. The system processes the defined conditions and returns only matching events.
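The five steps above, worked as an added example that is not Hexnode code: a small evaluator that applies a time range, then combines query bubbles (field, comparator, value) with AND or OR over constructed sample telemetry. Field names such as process_name and parent are assumed, not Hexnode's schema, and the comparator behaviour is the case-sensitive matching the Investigate tab describes.

```python
"""Toy evaluator for Investigate-style query bubbles (added example, not Hexnode code)."""

# Comparators offered by the Investigate UI, mapped to predicates over a field value.
COMPARATORS = {
    "equal to": lambda v, t: v == t,
    "not equal to": lambda v, t: v != t,
    "contains": lambda v, t: t in v,
    "does not contain": lambda v, t: t not in v,
    "begins with": lambda v, t: v.startswith(t),
    "ends with": lambda v, t: v.endswith(t),
    "is empty": lambda v, t: v == "",
    "is not empty": lambda v, t: v != "",
}

# Constructed sample telemetry; field names are assumed, not Hexnode's schema.
EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "event": "Process Creation", "endpoint": "WS-01",
     "username": "alice", "process_name": "powershell.exe", "parent": "winword.exe"},
    {"time": "2024-05-01T09:05:00Z", "event": "Process Creation", "endpoint": "WS-02",
     "username": "bob", "process_name": "powershell.exe", "parent": "explorer.exe"},
    {"time": "2024-05-01T10:00:00Z", "event": "Network Connection", "endpoint": "WS-01",
     "username": "alice", "process_name": "powershell.exe", "parent": ""},
    {"time": "2024-04-20T08:00:00Z", "event": "Process Creation", "endpoint": "WS-03",
     "username": "carol", "process_name": "PowerShell.exe", "parent": "cmd.exe"},
]

def bubble_matches(event, field, comparator, value):
    """One query bubble. Comparisons are case-sensitive, as in the Investigate tab."""
    return COMPARATORS[comparator](event.get(field, ""), value)

def run_query(events, start, end, bubbles, operator="AND"):
    """Step 1 time range, then Steps 2-4 bubbles joined by AND (all) or OR (any)."""
    combine = all if operator == "AND" else any
    # ISO-8601 UTC strings of equal layout compare correctly as plain strings.
    in_window = [e for e in events if start <= e["time"] <= end]
    hits = [e for e in in_window if combine(bubble_matches(e, *b) for b in bubbles)]
    return {"events": len(hits),
            "endpoints": sorted({e["endpoint"] for e in hits}),
            "rows": hits}

if __name__ == "__main__":
    # Office-spawned PowerShell in the May window. The April "PowerShell.exe" row is
    # outside the range and would also miss the case-sensitive "contains" bubble.
    res = run_query(EVENTS, "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z",
                    [("process_name", "contains", "powershell.exe"),
                     ("parent", "equal to", "winword.exe")])
    print(res["events"], res["endpoints"])  # 1 ['WS-01']
```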

Analyzing Query Results

Query results populate in a data table directly beneath the search bar. The system displays the total number of matched endpoints or events at the top of the table. If no results are found, verify your spelling (queries are case-sensitive) or expand the time range.

Result Table Data Fields:

  • Time: The exact timestamp of the event, used to reconstruct incident timelines.
  • Event: The specific type of recorded activity (e.g., Process Creation, File Load, Network Connection).
  • Endpoint: The specific system where the event occurred.
  • Username: The logged-in user account associated with the event.
  • Process Name: The executable involved in or triggering the event.
  • Attributes: Deep, event-specific technical metadata (e.g., process ID, thread ID, executable path, parent process). This field dynamically changes based on the event type and is critical for precise forensic tracing.

Exporting Results:

Use the Export button to download the entire result dataset in CSV, XLSX, or PDF formats for evidence collection, audits, or team sharing.
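As an added example (not Hexnode code), the following reads a CSV export with the result-table columns listed above and turns it into the two things an investigation usually needs from it: a per-endpoint timeline and the blast radius (distinct endpoints and accounts). The export rows are constructed, and the Attributes text is illustrative.

```python
"""Summarize an Investigate CSV export into a timeline and blast radius (added example, not Hexnode code)."""
import csv
import io
from collections import defaultdict

# Constructed export using the result-table columns; Attributes values are illustrative.
EXPORT_CSV = """Time,Event,Endpoint,Username,Process Name,Attributes
2024-05-01T09:00:00Z,Process Creation,WS-01,alice,powershell.exe,pid=4120;parent=winword.exe
2024-05-01T09:04:00Z,Network Connection,WS-01,alice,powershell.exe,dst=203.0.113.10:443
2024-05-01T09:30:00Z,Process Creation,WS-02,bob,powershell.exe,pid=880;parent=winword.exe
2024-05-01T11:15:00Z,Process Creation,WS-01,svc_backup,powershell.exe,pid=5003;parent=cmd.exe
"""

def summarize_export(csv_text):
    """Per-endpoint first/last seen, users and event counts, plus the overall scope."""
    per_host = defaultdict(lambda: {"first": None, "last": None, "users": set(), "events": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        h = per_host[row["Endpoint"]]
        t = row["Time"]  # ISO-8601 UTC strings of equal layout compare as plain strings
        h["first"] = t if h["first"] is None or t < h["first"] else h["first"]
        h["last"] = t if h["last"] is None or t > h["last"] else h["last"]
        h["users"].add(row["Username"])
        h["events"] += 1
    # Order endpoints by first sighting so the timeline reads as the incident unfolded.
    timeline = sorted(per_host.items(), key=lambda kv: kv[1]["first"])
    return {
        "endpoints": len(per_host),
        "users": sorted(set().union(*(h["users"] for h in per_host.values()))),
        "first_seen_endpoint": timeline[0][0] if timeline else None,
        "timeline": [(host, h["first"], h["last"], sorted(h["users"]), h["events"])
                     for host, h in timeline],
    }

if __name__ == "__main__":
    s = summarize_export(EXPORT_CSV)
    print(s["endpoints"], s["users"], s["first_seen_endpoint"])  # 2 ['alice', 'bob', 'svc_backup'] WS-01
```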

Managing Queries

Once a query is built, the Actions menu becomes available, providing two workflow optimizations:

  • Save Query: Stores the query logic with a custom name and optional description for recurring checks or repeated IOC lookups.
  • Share Query: Exports the query structure itself (not the event results) in XLSX, CSV, or PDF format to facilitate documentation or technician hand-offs.

Saved Queries Section:

All stored queries are housed here, displaying their name, description, and query logic. Available actions include:

  • Add: Loads the saved query back into the active search bar.
  • Delete: Permanently removes the saved query from the system.

Query Building Best Practices

  • Limit the time range: Narrow the investigation window to avoid processing unnecessary historical data, yielding faster results.
  • Start with broad conditions, then refine: Begin with a simple field (e.g., process name) and progressively add filters (user, event type) to improve accuracy.
  • Avoid overly broad searches: Queries without constraints return unmanageable datasets and severely slow down the investigation process.
  • Use AND/OR operators wisely: Combine logical conditions strategically: AND narrows results, while OR broadens them.
  • Leverage Recent Searches: Reload previously run queries to accelerate repetitive investigations or iterative refinement.
  • Use field suggestions to reduce errors: Selecting from predefined UI fields prevents syntax typos and ensures structural accuracy.
  • Validate conditions before running: Review all query bubbles (fields, comparators, values) for logical accuracy prior to execution.
  • Save frequently used queries: Store recurring searches in Saved Queries to streamline future investigations and team collaboration.
  • Export results for deeper analysis: Utilize CSV/PDF/XLSX exports when external filtering, reporting, or evidence compilation is required.