Query announces the Amazon OpenSearch Service Connector in Preview!

Query’s Connector for Amazon OpenSearch Service will allow customers to submit federated searches across all of their data stored in any index. Query uses OpenSearch’s QDSL (Query Domain-Specific Language) to perform all searches allowing for incredibly specific and complex conditional searches of data.

Amazon OpenSearch Service – formerly known as Amazon Elasticsearch Service – is a managed AWS analytics service based on the OpenSearch project, offering an ELK-style stack (Elasticsearch, Logstash, Kibana). OpenSearch Service allows customers to perform real-time searching, monitoring, and analysis of business, observability, and security data using a rich set of query languages, built-in machine learning (ML) and artificial intelligence (AI) capabilities, and integrations with the wider Amazon Web Services (AWS) ecosystem.

Security teams typically use OpenSearch Service for fast, real-time log analytics over important security-relevant data sources such as flow logs, authentication logs, EDR, vulnerability management, CSPM, and several other relevant use cases. OpenSearch Service boasts a wide range of ingestion capabilities, including “Zero ETL” connectors into popular services such as Amazon DocumentDB (a managed document NoSQL database) and data lakes and data lakehouses built atop Amazon S3.

Additionally, OpenSearch Service has a wide range of built-in security capabilities, including Role-based Access Control (RBAC), Fine-grained Access Control (FGAC), encryption in transit and at rest, a variety of authentication protocols, and integration with AWS IAM and Amazon Cognito. Finally, OpenSearch Service can be used as a vector store for Retrieval Augmented Generation (RAG) workloads as part of a wider AI strategy.

Query’s Connector for Amazon OpenSearch Service will use minimum-necessary AWS IAM Roles with External IDs and the official Python SDK for OpenSearch to allow federated searches across all of a customer’s data stored in any index. Query uses OpenSearch’s QDSL (Query Domain-Specific Language) to perform all searches.

The Query Connector automatically discovers the schema of any given index. Using our no-code Configure Schema workflow, you map an index to the appropriate Query Data Model (QDM, based on the Open Cybersecurity Schema Framework, OCSF) Event Class, so customers can submit specific queries expressed in QDM/OCSF terminology without writing any QDSL. Query handles the pagination, query translation, query optimization, parallelization, and normalization of all federated searches, so customers can fulfill complex query plans against data stored in Amazon OpenSearch Service alongside dozens of other Connectors!

The Query Connector will respect index-wide and domain-wide configurations, avoid expensive query types such as fuzzy matching and prefix searches, and choose the best option between full-text and term-level queries. Query never uses expensive JOIN searches; instead it parallelizes searches and collates the results on the data points the customer has mapped.
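To make the translation and pagination strategy concrete, here is an added illustration in Python; it is not Query’s own connector code. It assumes a hypothetical Configure Schema mapping (`SCHEMA_MAP`) from OCSF attributes to index fields and a stand-in `FakeClient` whose `search` signature mirrors `opensearchpy.OpenSearch.search`, so it runs offline without a domain.

```python
from typing import Any

# Hypothetical Configure Schema output: OCSF attribute -> (index field, mapping type)
SCHEMA_MAP = {"src_endpoint.ip": ("source.ip", "ip"),
              "actor.user.name": ("user.name", "keyword"),
              "http_request.url.path": ("url.path", "text")}
TERM_LEVEL_TYPES = {"ip", "keyword", "long", "integer", "date"}
EXPENSIVE_CLAUSES = {"fuzzy", "prefix", "wildcard", "regexp", "query_string"}

def build_query(filters: dict, size: int = 500) -> dict:
    """Translate {ocsf_attr: value} into a QDSL body that runs in filter context."""
    clauses = []
    for attr, value in filters.items():
        field, ftype = SCHEMA_MAP[attr]  # KeyError on an unmapped attribute: fail closed
        if ftype in TERM_LEVEL_TYPES:
            clauses.append({"term": {field: value}})  # exact, unanalysed, cacheable
        else:  # analysed text field: plain match, never fuzzy/prefix
            clauses.append({"match": {field: {"query": value, "operator": "and"}}})
    # _id tie-breaker keeps the search_after cursor stable across pages
    return {"size": size, "query": {"bool": {"filter": clauses}},
            "sort": [{"@timestamp": "asc"}, {"_id": "asc"}]}

def has_expensive_clause(node: Any) -> bool:
    """Walk a QDSL body and report clause types the connector refuses to send."""
    if isinstance(node, dict):
        return any(k in EXPENSIVE_CLAUSES or has_expensive_clause(v) for k, v in node.items())
    return isinstance(node, list) and any(has_expensive_clause(n) for n in node)

def search_all(client: Any, index: str, body: dict) -> list:
    """Drain every page with search_after instead of deep from/size paging."""
    if has_expensive_clause(body):
        raise ValueError("refusing fuzzy/prefix/wildcard/regexp/query_string clause")
    body, hits = dict(body), []
    while True:
        page = client.search(index=index, body=body)["hits"]["hits"]
        if not page:
            return hits
        hits.extend(page)
        body["search_after"] = page[-1]["sort"]  # cursor = sort values of the last hit

class FakeClient:
    """Offline stand-in for opensearchpy.OpenSearch.search over constructed docs.
    It only simulates sort + search_after paging; it does not evaluate the query."""
    def __init__(self, docs: list):
        self.docs = sorted(docs, key=lambda d: (d["@timestamp"], d["_id"]))
    def search(self, index: str, body: dict) -> dict:
        after = body.get("search_after")
        rows = [d for d in self.docs if after is None or (d["@timestamp"], d["_id"]) > tuple(after)]
        return {"hits": {"hits": [{"_source": d, "sort": [d["@timestamp"], d["_id"]]}
                                  for d in rows[: body["size"]]]}}
```

Against a real domain, swap `FakeClient` for an `opensearchpy.OpenSearch` client built with SigV4 credentials from the assumed IAM role; the query body and paging loop stay the same.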

For instance, customers can store their security logging data and vulnerability management data as documents within specific OpenSearch Service indices. Customers use Configure Schema to map these to appropriate QDM/OCSF Event Classes such as HTTP Activity, SSH Activity, Web Resources Activity, and Vulnerability Findings. Customers then map search entities to easy-to-understand data points such as IP addresses, account names, group IDs, resource IDs, CVEs, and CWEs. Using Query Federated Search, you never have to log back into OpenSearch Service again except to use its custom dashboards and alerting.

For incident responders, investigators, threat hunters, security architects, IT audit, IT governance, and other personas – Query Federated Search provides a quick and easy way to glean important information from OpenSearch Service without needing to become a QDSL expert.

For more information, keep an eye on our Product Documentation, or reach out to our sales team if you would like to preview the Connector ahead of time!