Aman Bhardwaj's Post

Senior Software Engineer at Query | CyberSecurity | I love building Software Stuff

๐๐š๐ซ๐ญ-๐Ÿ: ๐๐ฎ๐ž๐ซ๐ฒ๐ข๐ง๐  ๐ƒ๐ข๐ฌ๐ฉ๐š๐ซ๐š๐ญ๐ž ๐ƒ๐š๐ญ๐š ๐ข๐ง ๐’๐ฉ๐ฅ๐ฎ๐ง๐ค For the last couple of months, we have been working on the newest release of the Query Federated Search App for Splunk. I wanted to write this educational series as a way to demonstrate the power of what we have been building and why I find importance in the work. SOC teams should pay particular attention. The Query Splunk App enables rapid searching of cybersecurity data stored in various cloud storages, data lakes and SaaS environments other than Splunk itself, such as Amazon S3, Microsoft Defender for Endpoint, and Google BigQuery etc. To know more about the supported data sources, check out our official documentation. This post is focussed on the basic syntax needed to conduct searches across different sources via the Query platform on the Splunk dashboard. To utilize the Query App in Splunk, prepend your syntax with `| queryai`, followed by the `search` command parameter that specifies the search criteria. For example: `| ๐ช๐ฎ๐ž๐ซ๐ฒ๐š๐ข ๐ฌ๐ž๐š๐ซ๐œ๐ก="<๐Ÿ๐ข๐ž๐ฅ๐> = <๐ฏ๐š๐ฅ๐ฎ๐ž>"`. There are more operators available besides equality.ย  1๏ธโƒฃ EndsWith: <field> = *<value> 2๏ธโƒฃ StartsWith: <field> = <value>* 3๏ธโƒฃ Contains: <field> = *<value>* Searching for a value that contains spaces, requires us include the value in quotes Example: | ๐ช๐ฎ๐ž๐ซ๐ฒ๐š๐ข ๐ฌ๐ž๐š๐ซ๐œ๐ก=โ€œ<๐Ÿ๐ข๐ž๐ฅ๐> = โ€˜<๐š ๐ฌ๐ž๐ง๐ญ๐ž๐ง๐œ๐ž ๐จ๐ซ ๐š ๐๐ž๐ฌ๐œ๐ซ๐ข๐ฉ๐ญ๐ข๐จ๐ง>โ€™โ€ Additionally, `| queryai` command takes another optional parameter called `platforms` which accepts a CSV string. This allows you to condense your search to specific platforms of your choice. 
A complete example of that would be: | ๐ช๐ฎ๐ž๐ซ๐ฒ๐š๐ข ๐ฌ๐ž๐š๐ซ๐œ๐ก=โ€œ<๐Ÿ๐ข๐ž๐ฅ๐> = <๐ฏ๐š๐ฅ๐ฎ๐ž>โ€ ๐ฉ๐ฅ๐š๐ญ๐Ÿ๐จ๐ซ๐ฆ๐ฌ=โ€œ๐€๐ฆ๐š๐ณ๐จ๐ง๐’๐Ÿ‘, ๐Œ๐’๐ƒ๐ž๐Ÿ๐ž๐ง๐๐ž๐ซ, ๐‰๐€๐Œ๐…โ€ Hope you got the basic idea about the syntax and there is more to be added in the next release. ๐Ÿ”ฅ Fore more details you can always read our official documentation: https://lnkd.in/g6ynu8Zn Was the post helpful?ย  What would you like to see in the future posts? Comment down below. #federatedsearch #splunk #goquery
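To make the syntax rules above concrete, here is a small Python helper, added as an illustration and not part of the Query app or this post. It composes `| queryai` command strings from a field, a value, one of the four operators (equality, EndsWith, StartsWith, Contains) and an optional platform list, applying the quoting rule for values with spaces; it then runs the same wildcard semantics over a few constructed records so the three `*` forms can be compared side by side. The function and record names are hypothetical, the records are constructed, and the choice to place wildcards inside the single quotes for a multi-word value is this helper's assumption (the post only shows the quoted form with equality); the local matcher models what the operators mean and is not Query's own engine.

```python
"""Compose `| queryai` searches for the Query Federated Search App for Splunk.

Hypothetical helper written for this post, not part of the Query app. It encodes
only the syntax the post states: `<field> = <value>`, a leading/trailing `*` for
EndsWith/StartsWith/Contains, single quotes around a value containing spaces, and
a comma-separated `platforms` string. The matcher at the bottom models what each
wildcard form means on local data; it is not Query's own engine.
"""
import re

# Field names are assumed to be identifier-like (assumption; the post does not say).
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

# Wildcard placement per operator, exactly as listed in the post.
MATCH_KINDS = {
    "equals": "{v}",
    "endswith": "*{v}",
    "startswith": "{v}*",
    "contains": "*{v}*",
}


def render_value(value, kind="equals"):
    """Return the right-hand side of `<field> = ...` for one operator."""
    if kind not in MATCH_KINDS:
        raise ValueError(f"unknown match kind: {kind!r}")
    if '"' in value or "'" in value:
        # The post gives no escaping rule for quotes, so refuse rather than guess.
        raise ValueError("quotes inside values are not supported by this helper")
    pattern = MATCH_KINDS[kind].format(v=value)
    # A value with spaces must be single-quoted. Putting the wildcards inside the
    # quotes is this helper's assumption; the post only shows the equality form.
    return f"'{pattern}'" if " " in value else pattern


def build_search(field, value, kind="equals", platforms=None):
    """Build a full `| queryai ...` command string."""
    if not FIELD_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    cmd = f'| queryai search="{field} = {render_value(value, kind)}"'
    if platforms:
        # `platforms` is a CSV string; the post's example separates with ", ".
        cmd += f' platforms="{", ".join(platforms)}"'
    return cmd


def matches(pattern, text):
    """Evaluate one wildcard pattern the way the post's operator list describes."""
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if leading and trailing:      # *value*  -> Contains
        return core in text
    if leading:                   # *value   -> EndsWith
        return text.endswith(core)
    if trailing:                  # value*   -> StartsWith
        return text.startswith(core)
    return text == core           # value    -> equality


# Constructed sample records standing in for results from three platforms.
SAMPLE_RECORDS = [
    {"platform": "MSDefender", "process_name": "C:\\Windows\\System32\\powershell.exe"},
    {"platform": "AmazonS3", "process_name": "bash"},
    {"platform": "JAMF", "process_name": "powershell_ise.exe"},
]


def filter_records(records, field, pattern, platforms=None):
    """Apply a pattern (and optional platform list) to local records."""
    return [
        r for r in records
        if (platforms is None or r["platform"] in platforms)
        and matches(pattern, r.get(field, ""))
    ]


if __name__ == "__main__":
    print(build_search("process_name", "powershell.exe", "endswith",
                       platforms=["AmazonS3", "MSDefender", "JAMF"]))
    for kind in MATCH_KINDS:
        pat = MATCH_KINDS[kind].format(v="powershell")
        hits = [r["platform"] for r in filter_records(SAMPLE_RECORDS, "process_name", pat)]
        print(f"{kind:10s} {pat:14s} -> {hits}")
```

Running the script prints the composed command and then, for the value `powershell`, which of the three constructed records each operator selects: equality matches none of them, `*powershell` none, `powershell*` only the JAMF record, and `*powershell*` both the MSDefender and JAMF records. That contrast is the practical reason to pick the narrowest operator that still catches the case you are hunting for.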
