Query

Security and Investigations

Atlanta, Georgia 4,588 followers

Federated Search For Security Teams

About us

Query is a federated search platform delivering a single search bar to access all your security-relevant data, wherever it is stored. The Query Federated Search Platform unlocks access to and value from cybersecurity data wherever it is stored (in the cloud, third-party SaaS, or on-prem), regardless of vendor or technology, and without requiring centralization. This leads to massive cost savings, more efficient security operations across real-time and historical data sources, and reduced security analyst ramp-up time.

Website: https://www.query.ai
Industry: Security and Investigations
Company size: 11-50 employees
Headquarters: Atlanta, Georgia
Type: Privately Held
Founded: 2018

Updates

  • Query reposted this

    Aman Bhardwaj

    Senior Software Engineer at Query | CyberSecurity | I love building Software Stuff

    Part-1: Querying Disparate Data in Splunk

    For the last couple of months, we have been working on the newest release of the Query Federated Search App for Splunk. I wanted to write this educational series as a way to demonstrate the power of what we have been building and why I find importance in the work. SOC teams should pay particular attention.

    The Query Splunk App enables rapid searching of cybersecurity data stored in various cloud storages, data lakes and SaaS environments other than Splunk itself, such as Amazon S3, Microsoft Defender for Endpoint, and Google BigQuery, etc. To know more about the supported data sources, check out our official documentation.

    This post is focussed on the basic syntax needed to conduct searches across different sources via the Query platform on the Splunk dashboard. To utilize the Query App in Splunk, prepend your syntax with `| queryai`, followed by the `search` command parameter that specifies the search criteria. For example: `| queryai search="<field> = <value>"`. There are more operators available besides equality:

    1. EndsWith: `<field> = *<value>`
    2. StartsWith: `<field> = <value>*`
    3. Contains: `<field> = *<value>*`

    Searching for a value that contains spaces requires us to include the value in quotes. Example: `| queryai search="<field> = '<a sentence or a description>'"`

    Additionally, the `| queryai` command takes another optional parameter called `platforms`, which accepts a CSV string. This allows you to condense your search to specific platforms of your choice. A complete example of that would be: `| queryai search="<field> = <value>" platforms="AmazonS3, MSDefender, JAMF"`

    Hope you got the basic idea about the syntax; there is more to be added in the next release. 🔥 For more details you can always read our official documentation: https://lnkd.in/g6ynu8Zn

    Was the post helpful? What would you like to see in future posts? Comment down below. #federatedsearch #splunk #goquery

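The `| queryai` syntax described in the post above, as an added Python helper that is not Query's own code: it assembles the SPL search string with the three wildcard operators, single-quotes a value that contains spaces, and appends the optional `platforms` CSV. The field names, values and platform lists in the demo are constructed, and combining a wildcard with a single-quoted value is an assumption the post does not state.

```python
# Added example (not Query's own code): build Splunk `| queryai` search strings
# following the wildcard and quoting rules described in the post above.
# Field names, values and platform lists used here are constructed.
from typing import Iterable, Optional

# Wildcard placement per operator: exact, EndsWith, StartsWith, Contains.
MATCH_MODES = {
    "exact":       "{v}",     # <field> = <value>
    "ends_with":   "*{v}",    # <field> = *<value>
    "starts_with": "{v}*",    # <field> = <value>*
    "contains":    "*{v}*",   # <field> = *<value>*
}


def format_value(value: str, match: str = "exact") -> str:
    """Apply the wildcard pattern; a value containing spaces is wrapped in
    single quotes because the whole criterion already sits in double quotes.
    Placing the wildcard inside those single quotes is an assumption."""
    if match not in MATCH_MODES:
        raise ValueError(f"unknown match mode: {match!r}")
    if '"' in value or "'" in value:
        # The post documents no escaping for quote characters, so refuse the
        # value instead of emitting a search the app might parse differently.
        raise ValueError("quote characters in values are not supported here")
    pattern = MATCH_MODES[match].format(v=value)
    return f"'{pattern}'" if " " in value else pattern


def build_queryai_search(field: str, value: str, match: str = "exact",
                         platforms: Optional[Iterable[str]] = None) -> str:
    """Return: | queryai search="<field> = <value>" [platforms="A, B"]"""
    if not field or " " in field:
        raise ValueError("field must be a single non-empty token")
    spl = f'| queryai search="{field} = {format_value(value, match)}"'
    if platforms:
        # `platforms` is a CSV string in the app; join the list the same way.
        spl += f' platforms="{", ".join(platforms)}"'
    return spl


if __name__ == "__main__":
    # Constructed demo searches (field names and values are made up).
    print(build_queryai_search("hostname", "build-01", "ends_with"))
    print(build_queryai_search("description", "failed login", "contains",
                               platforms=["AmazonS3", "MSDefender", "JAMF"]))
```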
  • Query reposted this

    Neal Bridges

    Hacker || CISO || Content Creator & Event Speaker (bookings available) || TV & Media SME (see portfolio) || "All warfare is based on deception" || Need cyber advice? Let's chat!! topmate.io/neal_bridges

    SecDataOps - What is OCSF? OCSF has been really upcoming and innovative as teams move towards it for their security solutions. But how many are actually familiar with it? Let's dive in!!!

  • Query reposted this

    Neal Bridges

    Hacker || CISO || Content Creator & Event Speaker (bookings available) || TV & Media SME (see portfolio) || "All warfare is based on deception" || Need cyber advice? Let's chat!! topmate.io/neal_bridges

    🗺️ Do you know how to find your Security Data??? 🗺️ Having done multiple #SIEM deployments and working with data lakes like S3 and Snowflake, being able to get to the data is super important. Before that we have to model the data. No - not like modeling it on the catwalk... we have to map it to make it searchable. There are lots of ways to do that, but about a year ago, Amazon, Splunk and others came together to try and create a standard for security data mapping. 🚶➡️ - ((#OCSF enters the room)) Let's get together and talk about what data modeling for #cybersecurity looks like, what OCSF is, and how it's revolutionizing how we search for security data in modern day Security Operations Teams, with my good friend Jeremy Fisher. Links in comments. #secdataops #secdataopscast #hacking #ciso #blueteam
