Query Overview
July 29, 2024
Query is a federated search solution for security operators, offering access, search, and insights from distributed security data without the need for centralization or dealing with complex data pipelines. It enables threat hunters, incident responders, and investigators to understand issues faster and more accurately.
Key features include Summary Insights for comprehensive analytics, a detailed Results View, flexible investigation capabilities with time and technology filters, and an Advanced Query Builder for deep data searches.
Query quickly connects to distributed data sources, and can be used directly in the Query platform, or via a Splunk App found in Splunkbase.
Query - It’s your data. Use it.
00;00;00;04 - 00;00;38;01
Query is federated search for security data. Query’s SaaS solution empowers security practitioners to access, search, and draw insights from distributed security data. No need to centralize your data in high cost storage, create complicated data pipelines, or struggle with multi-tool pivoting. Just use your data for threat hunting, incident response, or other security investigations wherever that data lives. Let me show you some of the key features.
00;00;38;03 - 00;01;11;12
Summary insights is the landing spot for the practitioner, and provides a comprehensive view to key analytical metrics across your security stack. For example, in our findings category, we will see all of the security findings, detections, alerts, and incidents from across all our integrated technologies. Identifying indicators that you wish to search on is easy and allows the practitioner to quickly investigate points of interest.
00;01;11;14 - 00;01;33;19
Our results view provides you both a detailed and summary view of the data you are searching. You can quickly see how many search results have been returned and which tools had search results. You can quickly filter by clicking on anything in the summary pane.
00;01;33;21 - 00;02;12;22
Query allows the analysts maximum flexibility in conducting an investigation, starting broad with the ability to filter down the search. With a full awareness of time constraints and already normalized to UTC time, you can select any window of time needed for an investigation. Further filtering can be done by selecting specific technologies to conduct the search; if you need to. Threat hunters and advanced users will benefit from our Advanced Query Builder, which allows you to quickly search deep in the data model without having to be a programmer or data engineer.
00;02;12;25 - 00;02;28;29
Event based searching allows you to further narrow your search if you're looking for specific security events such as email delivery activity, incident findings, or vulnerability findings.
00;02;29;01 - 00;03;07;23
Query has a robust technology integration library that grows by the day. Data in tools like CrowdStrike, Entra ID, and Okta are considered static schema data and can be added within minutes by providing the documented API keys. Complex data integrations such as AWS Security Lake, Splunk, Snowflake, and AWS S3 are considered dynamic schema platforms. Query has created a wizard-like interface to simplify the integration of these sources, without requiring complex and expensive data engineering on-staff to do so.
00;03;07;26 - 00;03;26;00
Whichever method you choose, you'll be conducting searches within minutes of doing so, whether you're responding to an urgent incident, onboarding a new data source for a threat hunt, or providing enhanced capability for your security operators.
00;03;26;02 - 00;03;52;29
Finally, Query Labs is always providing enhancements and quality of life widgets to meet the analysts where they are for their investigation. For example, we have a Chrome browser extension that enables you to highlight any indicator of compromise and immediately search it in Query. We also have our Query Splunk App in Splunkbase to expand alerts, detections, and investigations inside of Splunk without negatively impacting your license model.
00;03;53;02 - 00;04;11;26
Query is the first and only company tackling the daily data challenges facing security teams with a fully federated approach. Whether leveraging the capabilities of Query through our UI, our API, or our Splunk app, the power of choice and control over your security data is now truly yours.