Perchybana

How to use Perchybana

Now that you know what Perchybana is, it’s time to learn how to use it. You will be an expert analyst in no time!

Perchybana

This is not a step-by-step guide, but the numbers below reference the picture above.

1 - SEARCH BAR

The search bar accepts strings, numeric values, and boolean operators. It allows dynamic searching: values within specified fields can be included in or excluded from the final search.

Examples:

  • src_ip: 127.0.0.1 OR src_ip: 10.255.255.255/32
  • "api.yahoo.com" AND (dest_ip: 10.10.10.2 || dest_ip: 10.10.10.3)
  • 156.154.71.10 AND !dest_ip: 172.31.3.0/24

2 - QUICK FILTER BAR

The magnifying glasses in each cell quickly add (+) or subtract (-) that value from the viewable records. Once applied, the field/value pair appears under the search bar. A gray background indicates the filter is including all records with that field/value pair; a red background indicates the filter is excluding all records with that field/value pair.
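To make the search syntax and the quick-filter behaviour above concrete, here is a small added illustration (it is not Perchybana code and does not use its API): a toy evaluator for search strings in the form shown in the examples, with the AND / OR / || / ! operators, quoted free-text terms, field:value pairs and CIDR values, followed by the (+)/(-) quick filters applied on top of the query result. The records, field names (src_ip, dest_ip, dns_query) and addresses are constructed sample data, not real traffic.

```python
"""Toy evaluator for Perchybana-style search strings and quick filters.

Added illustration, not Perchybana code. It models the behaviour described
on this page: AND / OR / || / ! operators, quoted free-text terms,
field:value pairs and CIDR values such as 172.31.3.0/24, plus the (+)/(-)
quick filters that include or exclude a field/value pair afterwards.
"""
import ipaddress
import re

# Constructed sample records (hypothetical field names, not real traffic).
RECORDS = [
    {"src_ip": "127.0.0.1", "dest_ip": "10.10.10.2", "dns_query": "api.yahoo.com"},
    {"src_ip": "10.255.255.255", "dest_ip": "172.31.3.17", "dns_query": "example.net"},
    {"src_ip": "156.154.71.10", "dest_ip": "172.31.3.9", "dns_query": "api.yahoo.com"},
    {"src_ip": "156.154.71.10", "dest_ip": "10.10.10.3", "dns_query": "api.yahoo.com"},
]

# Tokens: parentheses, ||, &&, !, a quoted string, or a bare word (field:value or term).
TOKEN_RE = re.compile(r'\s*(\(|\)|\|\||&&|!|"[^"]*"|[^\s()!"]+)')


def tokenize(query):
    pos, tokens = 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:  # only trailing whitespace is left
            break
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: OR binds loosest, then AND, then NOT."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("OR", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("AND", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("!", "NOT"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok.startswith('"'):            # quoted free-text term
            return ("text", tok[1:-1])
        if ":" in tok:                      # field:value, or "field: value" with a space
            field, value = tok.split(":", 1)
            if value == "":
                value = self.take()
            return ("field", field, value)
        return ("text", tok)                # bare free-text term


def value_matches(actual, wanted):
    """Exact match, or CIDR containment when the wanted value is a network."""
    if actual == wanted:
        return True
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    except ValueError:  # not an IP address / not a CIDR value
        return False


def evaluate(node, record):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "field":
        return node[1] in record and value_matches(str(record[node[1]]), node[2])
    return any(node[1] in str(v) for v in record.values())  # free text: any field


def search(query, records=RECORDS, filters=()):
    """Run the search string, then apply quick filters (field, value, include?)."""
    tree = Parser(tokenize(query)).parse_or()
    hits = [r for r in records if evaluate(tree, r)]
    for field, value, include in filters:   # (+) keeps matches, (-) drops them
        hits = [r for r in hits if (str(r.get(field)) == value) == include]
    return hits


if __name__ == "__main__":
    for q in ("src_ip: 127.0.0.1 OR src_ip: 10.255.255.255/32",
              '"api.yahoo.com" AND (dest_ip: 10.10.10.2 || dest_ip: 10.10.10.3)',
              "156.154.71.10 AND !dest_ip: 172.31.3.0/24"):
        print(q, "->", [r["src_ip"] + " > " + r["dest_ip"] for r in search(q)])
```

Each of the three example queries from the page selects a different subset of the four sample records, and passing a quick filter such as `("dest_ip", "10.10.10.2", False)` reproduces the red (-) filter removing every record with that field/value pair from an otherwise unchanged result set.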

3 - FIELDS

The available fields for the given search parameters and time frame will appear in this column. The top section identifies the currently selected fields to be visible. The second section shows the additional fields that can be applied to the current view.

4 - FIELDS - OPTIONS

Specifically, we care about the “Hide Missing Fields” option. This will show fields for records that do not appear in the current search.

5 - VIEW OPTIONS

This section allows the analyst to create, update, and open any saved views. After creating a view, the analyst should save the work under a specific view name.

6 - TIME FRAME

The time frame selection can be quick, relative, or absolute. The first option is a series of quick filtering choices (i.e. "Last" 15 minutes, 30 minutes, 1 hour, 12 hours, 24 hours, etc.). The second option allows an analyst to specify a relative time frame (i.e. "Last" 32 minutes, 23 hours, 8 days, etc.). The last option is the absolute time frame: the analyst can specify the day and time down to the millisecond (i.e. "2017-09-06 15:03:11.899" to "2017-09-06 15:18:11.899").

7 - RECORDS

Alert, protocol, or log-specific record details are listed here. The triangle at the left corner of each record expands the record to show all available field/value pairs.