XKEYSCORE Helper Notes
Feb. 22, 2017
TOP SECRET STRAP 1
XKEYSCORE HELPER NOTES
There are several new and updated features in this release of the XKEYSCORE
Palantir helper:
- Summary/Histogram import of data
- Data sourcing for XKEYSCORE queries
- Fixes for UI redraw bugs on query list refresh
- Fixes for disappearing links
Summary import
This feature is intended to mirror the functionality in XKEYSCORE for creating
histogram grids over a query. It allows for a large dataset to be reduced down in size
considerably while still maintaining useful data. As an example this is a histogram
grid view over a small query in XKEYSCORE, histogrammed by From IP, To IP and
To Port:
[Screenshot: Histogram Grid with columns From IP, To IP, To Port and Count; displaying 1 - 39 of 39]
As you can see, there are 19 entries for the top line here. In the old XKEYSCORE
helper this would create 19 new events. While you still have the option of importing
every row in an XKEYSCORE query as a new connection, the summary import lets
you cut this down a little. Once logged in to the helper, choose the "Summarise"
button:
[Screenshot: XKEYSCORE helper query list, with the options "Choose new node colour", "Summarise", "Summarize results" and "Auto-merge links"]
To mirror the histogram grid performed on the data, I’ve chosen to include to_port:
Note that when doing a summary import, summarisations will be done on source and
destination IP in addition to any included fields.
In the example I removed all the other data from the input from the graph.
There are a few things to note from the results import:
- Quantity records the number of results which matched that histogram criteria (in this case 19). This matches up with the XKEYSCORE histogram.
- Session size is a sum of all session sizes for this histogrammed piece of data. This allows you to see the total amount of data being sent from one IP to another, in this case also summarised by destination port.
- "Application" shows the [illegible] for each summary event. For example, if [illegible] contacts [illegible] and is picked up by "foo" on connection 1 and "bar" on connection [illegible], the summarised connection between [illegible] and [illegible] will list "foo" and "bar" as applications.
- Time metadata is preserved so that you can view the first time the event occurred and the last.
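The summarisation described above, as an added example (not code from the helper or from the original notes): rows are grouped by source IP, destination IP and any included fields, and each summary event carries the quantity, the summed session size, the applications seen and the first and last times. All key names other than to_port, and the sample rows themselves, are assumptions constructed for this illustration.

```python
from datetime import datetime

# Constructed sample rows using documentation-range addresses (not data from the page).
# Key names other than to_port are assumptions made for this example.
ROWS = [
    {"from_ip": "192.0.2.10", "to_ip": "198.51.100.5", "to_port": 53,
     "session_size": 120, "application": "foo", "datetime": "2011-03-21 10:00:00"},
    {"from_ip": "192.0.2.10", "to_ip": "198.51.100.5", "to_port": 53,
     "session_size": 80, "application": "bar", "datetime": "2011-03-21 10:05:00"},
    {"from_ip": "192.0.2.10", "to_ip": "198.51.100.5", "to_port": 53,
     "session_size": 100, "application": "foo", "datetime": "2011-03-21 09:55:00"},
    {"from_ip": "192.0.2.10", "to_ip": "198.51.100.5", "to_port": 32768,
     "session_size": 400, "application": "foo", "datetime": "2011-03-21 11:00:00"},
    {"from_ip": "192.0.2.77", "to_ip": "198.51.100.5", "to_port": 53,
     "session_size": 60, "application": "bar", "datetime": "2011-03-21 12:00:00"},
]


def summarise(rows, include_fields=("to_port",)):
    """Collapse rows into one summary event per (from_ip, to_ip, *include_fields)."""
    events = {}
    for row in rows:
        # Source and destination IP are always part of the key; extra fields are optional.
        key = (row["from_ip"], row["to_ip"]) + tuple(row[f] for f in include_fields)
        when = datetime.strptime(row["datetime"], "%Y-%m-%d %H:%M:%S")
        event = events.setdefault(key, {
            "quantity": 0, "session_size": 0, "applications": [],
            "first_seen": when, "last_seen": when,
        })
        event["quantity"] += 1                            # rows matching this key
        event["session_size"] += row["session_size"]      # total data for this key
        if row["application"] not in event["applications"]:
            event["applications"].append(row["application"])
        event["first_seen"] = min(event["first_seen"], when)
        event["last_seen"] = max(event["last_seen"], when)
    return events


if __name__ == "__main__":
    for key, event in summarise(ROWS).items():
        print(key, event["quantity"], event["session_size"], event["applications"],
              event["first_seen"], event["last_seen"])
```

Calling `summarise(ROWS, include_fields=())` groups on the IP pair alone, so rows to different ports between the same two addresses fold into a single event.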
Preferences for which fields to summarise by, whether you wish to summarise and
whether you wish to automatically merge links between IP addresses and
connections are saved per-user, so if you have a common histogram import then you
don't need to re-select the fields to histogram on every time.
Data sourcing
Data imported into Palantir using the updated XKEYSCORE helper now has data
sourcing.
There are a couple of places this can be seen; the most evident is the "Data sources"
application within Palantir. So, when you open up Data Sourcing:
[Screenshot: Data Sourcing browser showing "Manually Entered Data" and "Contents of XKEYSCORE QUERY"]
At the top level in this screenshot you can see there are three folders. The
XKEYSCORE folder contains a list of the IP addresses and connection events
associated with the query. Double clicking the document within this datasource
opens up some metadata about the query run.
[Screenshot: XKEYSCORE QUERY; Contents of XKEYSCORE QUERY]
This information can also be accessed via an object imported into Palantir.
After multiple imports of XKEYSCORE data have been done within the same
investigation the list of data sources also grows appropriately:
[Screenshot: Data Sources window (Administrator Account, 03/25/2011 12:01 GMT) listing "Manually Entered Data" and, under XKEYSCORE, multiple XKEYSCORE QUERY entries]