Anatomy of an Immediate Insight Proof-of-Concept


The reality for today’s IT Security and Operations teams is that there are more activities to perform than hours in the day. Before evaluating any product, it helps to understand the scope of effort and time required to assess its value to your organization. This document describes the typical process and timeline for evaluating Immediate Insight. Preparation and installation normally take 60 minutes. After installation and a minimal data collection period, the system is available for users to ask questions of their data and follow the non-obvious associations across data silos.

Typical Process and Timeline


Preparation for the PoC (30 minutes)

  • Provision a VM; recommended base configuration: 8 vCPU, 32GB RAM, minimum 500GB storage.
  • Identify data sources, anything human readable (common sources include firewall logs, IDS logs, proxy logs, web server logs, application logs, packet captures (pcap), and netflow). Data can be ingested as:
    • Data already written to a central data store (e.g. a SIEM)
    • Syslog data
    • Any data streamed over a port
    • JSON or XML data via HTTP POST
    • Drag and drop data

Installation process (30 minutes)

The basic steps to getting started:

  1. Download the Immediate Insight appliance from FireMon (contact [email protected] if you need a link).
  2. Follow the installation instructions provided by FireMon.
  3. Connect some data sources.
    • File share: mount network shares that hold log files the system can follow:
      • sudo vi /etc/fstab
      • add a mount line such as:
      • //servername/sharename /media/logs cifs username=user,password=pwd 0 0
      • /media/logs is the default mount point, already configured and ready
      • mount it: ‘sudo mount -a’
    • Syslog streams
      • Configure syslog data sources with the Immediate Insight IP address as a destination.
      • Immediate Insight listens on port 514 (both UDP and TCP) by default.
    • Pipe data to a TCP or UDP port
      • Immediate Insight listens on TCP port 3000 by default.
      • For data streamed on a custom port, use the DataFlow interface to configure additional Immediate Insight collectors.
    • Netflow sources
      • Configure the netflow data source with the Immediate Insight IP address as a destination.
      • Immediate Insight listens on TCP port 2055 by default.
    • Drag & Drop Import
      • Any log file, packet capture (PCAP), Office documents, Outlook PST, configuration files, etc.
      • Bulk import IP reputation data (threat intelligence), CMDB info, and more via CSV.
      • If necessary, you can change any path and port settings from the DataFlow interface.
  4. Confirm data is coming into the system.
    • Either search for everything (leave the search field blank) in the past hour, view the DataFlow collectors status screen, or use the Firehose to see the incoming data live.
  5. Download the “Situations to Watch” Pinboard from the Immediate Insight Knowledgebase.
    • It is available here; upload it to Immediate Insight via the Drag & Drop Import (Import as Blob). The installed Pinboard provides a sample of commonly used searches.
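One way to make the "confirm data is coming in" step repeatable is to push a uniquely tagged test event through the default collectors (syslog on 514, raw TCP on 3000, as listed above) and then search for that tag. The script below is an added example, not FireMon code; the II_HOST address is a placeholder for your own Immediate Insight VM, and the marker and hostname are constructed.

```python
"""Ingestion check for an Immediate Insight PoC: send a uniquely tagged test
event to the default collectors, then search for the tag in the UI.
Added example, not FireMon code; II_HOST is a placeholder for your VM."""
import socket
import time
import uuid

II_HOST = "192.0.2.10"   # placeholder address of the Immediate Insight VM
SYSLOG_PORT = 514        # default syslog listener (UDP and TCP)
RAW_TCP_PORT = 3000      # default raw TCP line collector


def syslog_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI field: facility * 8 + severity (user.info -> 14)."""
    return facility * 8 + severity


def build_syslog_message(hostname, tag, marker, facility=1, severity=6, ts=None):
    """Format an RFC 3164 line: <PRI>Mmm dd hh:mm:ss hostname tag: message."""
    stamp = time.strftime("%b %d %H:%M:%S", ts or time.localtime())
    if stamp[4] == "0":              # RFC 3164 pads the day with a space, not a zero
        stamp = stamp[:4] + " " + stamp[5:]
    return (f"<{syslog_pri(facility, severity)}>{stamp} {hostname} "
            f"{tag}: poc-ingest-check marker={marker}")


def send_udp(host: str, port: int, line: str) -> int:
    """Send one datagram (no trailing newline needed); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))


def send_tcp(host: str, port: int, line: str, timeout: float = 5.0) -> int:
    """Send one newline-terminated line over TCP; returns bytes sent."""
    payload = (line.rstrip("\n") + "\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


def run_ingest_check(host: str = II_HOST) -> str:
    """Push the same marker through both collectors; returns the marker to search for."""
    marker = uuid.uuid4().hex[:12]                 # constructed, unique per run
    line = build_syslog_message("poc-host", "ii-check", marker)
    send_udp(host, SYSLOG_PORT, line)
    send_tcp(host, RAW_TCP_PORT, line)
    return marker


if __name__ == "__main__":
    print("Search Immediate Insight (past hour) for marker:", run_ingest_check())
```

After running it, search for the printed marker over the past hour, or watch for it in the Firehose; one hit per collector confirms both listeners are receiving data.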

Data Collection – Let the system run for 24-48 hours, collecting data.

Explore the Data

Once data is in Immediate Insight, users can ask any question of the data and results are returned very quickly. The following common exploration use cases help users familiarize themselves with the system’s capabilities and get started extracting actionable insights from their data to improve security and operations.

Common exploration use cases:

  1. Needle finding
    • Leave the search field blank, select the last 24 hours and run a search
    • Select the most unusual to see the events that occur most infrequently in the past 24 hours.
  2. Discovery
    • Search for terms typically associated with problems (e.g. error fail* refuse* deny denied disconnect)
    • Search for addresses of critical infrastructure (Oracle, SAP, Email, etc).
    • Combine the two and search for issues on critical infrastructure.
    • Select timeline to see event volumes over time.
    • Display entities and locations to spot anomalies
    • View the new events when compared to the previous search period.
  3. Location anomalies
    • Leave the search field blank, select the last 24 hours and run a search
    • Select location
    • Select table icon to see all locations ordered by frequency
    • Select a location to see all the associated events
  4. Data anomalies
    • Enter any search, or leave it blank, for the desired timeframe
    • Select most common
    • Select most unusual
    • The common and unusual data clusters are displayed
    • Click through any of the clusters to see a sample of event details. Click on the event detail to pivot search to isolate the cluster. Select events, location, or entities for other views into the data.
  5. New/changed
    • Leave the search field blank, select the last 24 hours and run a search
    • Select trending
    • Select compare to previous period to compare results from past 24 hours to the previous 24 hours.
    • Toggle through trending up, new, missing, etc.
  6. Focused then Retrospective
    • Leave the search field blank, select the last 24 hours and run a search
    • Select timeline
    • Select a bar in the timeline to drill in
    • Pivot search on desired entity
    • Select past 7 days
  7. NOT US Locations
    • Enter NOT US in the search field, select the last 24 hours and run a search
    • Select Entities
    • Select any location, addresses, names to pivot search
    • Select + (for AND) and – (for NOT) to create more complex searches
  8. NOT denied AND CN
    • Enter NOT denied AND CN, select the last 24 hours and run a search
    • Pivot search on any internal addresses to see the associated events
    • Pivot, trending, unusual
  9. Firehose
    • Leave the search field blank, select the last 24 hours and run a search
    • Select the follow arrow and select an entity
    • The Firehose view shows a live view of all events for the selected entity as they happen
  10. Saving searches (bookmarks) and Pinning bookmarks to the board
    • Enter a search query and timeframe and run the search
    • Select add bookmark from the menu on the upper right side of the interface
    • Add guide and category to pin search
    • Pinned searches are displayed on the second page of the main search screen
  11. Using tagging as an investigative tool
    • Enter a search query
    • Hover over an event of interest and select add note and enter a tag
    • Perform the same on other events of interest and enter the same tag
    • Search for the tag to display all tagged events
    • View entities, locations, trending, and unusual to spot non-obvious common denominators
  12. PCAP analysis
    • Drag and drop PCAP file or exported CSV of PCAP, select use original time for each line to import data in the timeframe of the original event.
    • Enter a tag in the drag and drop tag field to group the data.
    • Enter search query and view most unusual to highlight the less common traces
    • Select entities to see addresses and locations for the packet captures
  13. Using reputation to map data to business importance
    • Select the Reputation menu
    • Enter the address of a critical system (e.g. an Oracle server)
    • Add a key/value pair to identify the server address as part of the Oracle critical infrastructure (for example, field = critical infrastructure; value = Oracle)
    • Run a search for Oracle AND error to show all errors reported by the Oracle server.