Documents
XKS Workflows 2011
Jul. 1 2015 — 9:52 a.m.

19 September 2011
DERIVED FROM: [illegible]
DATED: 20070100
DECLASSIFY ON: 20320108

SECRET//COMINT//REL TO USA, AUS, CAN, GER, NZL
What is a workflow?
- Workflows automate queries.
  - One-time
  - Standing
- Every search type can be a workflow.
  - Same functionality and capability
- Follow on actions
  - Email alert
  - Download actions
  - Metadata summary

Who can submit a workflow?
- Anyone!
- One owner per workflow, but using follow-on actions:
  - Multiple users can be notified of results and/or sent summary information
  - Result table can be automatically shared
- If ownership needs to be changed, a ticket can be submitted to the team.

- Workflows can be configured to run once
- Workflows can be configured to run daily
- Every hours
- You can set an offset to start running at a certain hour
- Download results
- Email results and email alerts
- MAILORDER results
- report

Why do I want a workflow?
- XKEYSCORE has a rolling buffer of data
- Repetitive queries
- Sigdev purpose
  - Fingerprint and appid testing
- Queries take a long time during high times
- Follow on actions
  - Google Earth data
  - Statistics
  - Customizable: write a script!

How do I setup a workflow?
Two main ways:
- Based on the results of a recent query
  - Simplifies the process; more likely to produce the desired result!
  - This is done by right-clicking on the result set from the desired query and selecting Create Workflow from this Search. This populates the Workflow Wizard with the same criteria that were used by the selected query.
- From scratch using the Workflow Wizard
  - Not recommended but we'll show you anyway

How do I setup a workflow?
- The next ten slides demonstrate how to step through the workflow wizard from scratch
- But if you create the workflow from an existing query result many of the steps will already be correctly populated!
[Screenshot: My Recent Results grid with the right-click Result Grid Actions menu open. Callout: "Right click to get the Result Grid [...] Actions menu [...]"]

How do I setup a workflow?
[Screenshot: XKEYSCORE home page with the Navigation Menu (My Workflows, Search, Results, Statistics, Testing, Tagging)]
Welcome to the New XKEYSCORE Home Page!
If you have questions or bug reports please go to XKEYSCORE New GUI Forum
To use the old GUI, click here
HUMAN RIGHTS ACT, USSID 18 AND USSID 9
[...] queries require a justification to ensure Human Rights Act (HRA), USSID 18 and USSID 9 compliance. Please enter information as prompted by the query interface. An audit trail has been established and will be searched as part of Menwith Hill Station's response to any complaint brought under HRA and as part of the USSID 18 and USSID 9 process.
Please note that SENSITIVE TARGETING APPROVAL (STA) is required for HRA before submitting any query which includes terms specific to a person or company (eg name, address, identity details such as communications address, passport/bank account number) who EITHER is defined as a UK, British Dependent Territory or Second Party "person" or is located [...] Second Party country. [...] is also required for wildcard pulls that are inevitably going to retrieve a substantial proportion of such entities [...] wildcarding on a UK city [...]. Full legal guidance is available from the HRA Compliance Officer at Menwith Hill Station.

How do I setup a workflow?
[Screenshot: Workflow Central Request Wizard, search type step]
Please select a Search Type.
Full Log: Every session collected, indexed by "standard" DNI meta-data (to/from IP, port, casenotation, application id, sigad, etc).

How do I setup a workflow?
[Screenshot: Workflow Central Request Wizard, Basic Information step. Fields: workflow name, Query Justification ("Testing appid Signature"), Additional Justification, Miranda Number, Datetime, and a choice between Recurring Search and One Time Search]
Callouts:
- [...] must be unique per user
- [...] must have a justification
- Runs once over a set datetime range

How do I setup a workflow?
[Screenshot: Workflow Central Request Wizard, Add Search Fields step, with Single Field Search and Multiple Field Search tabs. The Search Field list offers Attribute Info, From IP Address, To IP Address and To Port; the example row searches "From IP Address or To IP Address" for the value 1.2.3.4]
Wizard help text:
Search values are [...] by default.
To OR Search Fields:
- Use the Multiple Field Search tab (below the input fields).
- Select all the fields you wish to search.
To OR Search Values:
- Type [...] between each value (no quotes).
See Search Value Help below for more details or for a description of boolean logic go to here.

Group by option
[Screenshot: Workflow Central Request Wizard, Group Search Fields step]
Would you like to group your fields? No / Yes
Group By Type: Table Unique Values / Global Unique Values
Columns to Group By: Datetime, Client ID, Username, Attribute Info, From IP Address, To IP Address, From Port, To Port, From Country (IP), To Country (IP), From City (IP), To City (IP), From Latitude [...]
Callouts:
- Group [...] results.
- This option groups each [...] and concatenated.
- Select the fields you want to group by.

Select databases
- Choose the search databases you would like to use
- Can use [...] for multiple databases
- Prepopu[...] existing search
- Content must exist: If this is selected, results are only returned if the content still exists at [...].
[Screenshot: Workflow Central Edit Request Wizard, list of selectable databases with a "Content must exist" checkbox]

Follow on Actions
[Screenshot: Workflow Central Edit Request Wizard, Follow-on Actions step. "Would you like to add any follow on actions?" No / Yes; Script, Script Arguments, Add. The Email Alert script shown has the arguments Email To, ROWR (Return Only With Results) and Share Results (Share Results with users above)]
Callouts:
- An email is sent out once your workflow is completed.
- Setup a statement to alter your results
- Download your results to another location.
- Used to forward VoIP to NUCLEON
- Allows [...] content) to another location.
- Allows [...]

Email alert
[Screenshot: Workflow Central Edit Request Wizard, Follow-on Actions step with the Email Alert script selected; the Script list also offers Download Sessions and Find and Forward VoIP]
Arguments and callouts:
- Email To: Comma delimited email addresses.
- ROWR (Return Only With Results): This option only sends an email if your workflow has results.
- Share Results (Share Results with users above): This will make the results appear for all of the listed users

SQL report
[Screenshot: Workflow Central Request Wizard, Follow-on Actions step with the SQL Report script. Arguments: Report Type, Email To, Email Subject, Email Content, Email Attachment, ROWR (Return Only With Results), Filename, Mail Order Trigraph, SQL (SELECT, FROM, WHERE), GZIP (Compress Contents)]
Callouts:
- Report Type: CSV or HTML
- [...] metadata a user can set.
- SQL must be a VALID SQL statement.
Example:
SELECT casenotation, sigad
FROM UTP
WHERE sigad!=?
GROUP BY casenotation

Download Results
[Screenshot: Workflow Central Request Wizard, Follow-on Actions step with the Download Sessions script. Arguments: User ID, Email To, Subject, Email Content, ROWR (Return Only With Results), Filename, Mail Order Trigraph, GZIP (Compress Contents), Send To Agility]

You're almost done!
[Screenshot: Workflow Central Request Wizard, Workflow Review step, with Workflow Values and Workflow XML tabs]
This query (Find_my_appid) will search the Full Log table in database(s): [illegible]
The query will run executing every 6 hours beginning at 5:00 EST
The query will execute the following search criteria, each in its own "and" block:
- field: From IP Address, value: 1.2.3.4
- field: To Port, value: >30
- field: AppID, value: search/google

Workflow Pending
[Screenshot: Workflow Central workflow list beside the navigation menu; the entries are illegible in the extraction]

Workflow Approved
[Screenshot: Workflow Central showing the workflow's XML, including the query justification "Testing appid signature" and field/value terms such as the value 1.2.3.4 and a fingerprint field]

Common mistakes
- From IP and To IP with the same value.
- In this view, terms are [...] together.
- Use Multiple Field Search Tab.
[Screenshot: Workflow Central Request Wizard, Add Search Fields step on the Single Field Search tab, with the search value 1.2.3.4]

Common mistakes
- Using the multiple [...] field [...] break [...] up into search <-> value [...] separately in the single field search
[Screenshot: Workflow Central Request Wizard, Add Search Fields step with the rows From IP Address 1.2.3.4, To IP Address [illegible] and From Port [illegible]]

Common mistakes
- This will return ALL casenotations.
- [...] a does [...] equal b [...]
- All the [...] values must be [...] together.
[Screenshot: Workflow Central Request Wizard, Add Search Fields step with Casenotation search rows]

Common mistakes
- If you are selecting specific SIGADs, only [...] have data from [...] queries will return [...]
- Less work for the system.
[Screenshot: Workflow Central Request Wizard, Add Search Fields step with Casenotation and SIGAD rows, and the "Select the Database(s) to query" list with Content must exist and Uncheck All options]

Common mistakes
- If you select the [...] make sure you put a valid SQL statement!
[Screenshot: Workflow Central Request Wizard, Follow-on Actions step with the SQL Report script, Email Subject "My Workflow Results", and the SQL statement filled in]
SQL statement shown:
SELECT casenotation
FROM [...]
WHERE casenotation!=?
GROUP BY casenotation

xks_workflow r1 .r.nsa