Validate your hypothesis before spending hours writing new rules. Using Query, your threat hunting time drops sharply, and you gain the ability to search systems you may otherwise have neglected simply because they were too difficult to search.
Query gives you more relevant data, much faster.
You’ll have results from any data source you integrate with Query, including data stored in your SIEMs, Data Lakes and Managed Search [e.g., Amazon Athena] applications and direct APIs across MDM, Identity, Endpoint Detection & Response (EDR), Cyber Threat Intelligence (CTI), and other tools.
This creates a much more agile and dynamic threat hunting environment because of your ability to quickly:
- Get access to data as needed across all supported and onboarded sources instead of having to switch between multiple systems.
- Search and normalize all of your data for threats — even overlapping data such as Defender, Carbon Black, and CrowdStrike (i.e., disparate data sources covering the same capability).
- Add and remove data sources in minutes to augment your search with additional systems, both security and non-security-related, as needed.
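To make the "search and normalize overlapping data" point concrete, here is an added illustration of what normalization across disparate EDR-style sources looks like in practice. This is example code written for this page, not Query's own code or any vendor's API: the three record shapes, field names, hosts, and hash values are constructed samples, and the common schema is an assumption. The hunt function returns, for one indicator, every host where it was seen and which sources saw it, so a host reported by two overlapping tools shows up once with both sources attached rather than as two unrelated hits.

```python
"""Normalize constructed EDR-style records from several sources into one
schema, then hunt one indicator across all of them.

Added illustration for this page; not Query's code. All field names,
hosts and hashes below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto (assumed, not a vendor schema)."""
    source: str
    ts: datetime      # always timezone-aware UTC after normalization
    host: str         # short hostname, lower-case
    process: str      # file name only, lower-case
    sha256: str       # lower-case hex


# Constructed sample records, each in a different vendor-style shape.
DEFENDER_LIKE = [
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceName": "ws-01.corp.example",
     "FileName": "svchost.exe", "SHA256": "aa" * 32},
    {"Timestamp": "2024-05-01T10:05:00Z", "DeviceName": "ws-02.corp.example",
     "FileName": "notepad.exe", "SHA256": "bb" * 32},
]
CB_LIKE = [
    {"device_timestamp": "2024-05-01 10:00:02", "device_name": "WS-01",
     "process_name": "c:\\windows\\system32\\svchost.exe",
     "process_sha256": "AA" * 32},
]
CS_LIKE = [
    {"timestamp": 1714560300, "ComputerName": "ws-03",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Users\\x\\tool.exe",
     "SHA256HashData": "aa" * 32},
]


def _host(name: str) -> str:
    """FQDN or mixed-case name -> short lower-case hostname."""
    return name.split(".")[0].lower()


def _proc(path: str) -> str:
    """Full Windows/NT path or bare name -> lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def from_defender(r: dict) -> Event:
    ts = datetime.fromisoformat(r["Timestamp"].replace("Z", "+00:00"))
    return Event("defender", ts, _host(r["DeviceName"]),
                 _proc(r["FileName"]), r["SHA256"].lower())


def from_carbon_black(r: dict) -> Event:
    ts = datetime.strptime(r["device_timestamp"], "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)       # assume the source logs in UTC
    return Event("carbon_black", ts, _host(r["device_name"]),
                 _proc(r["process_name"]), r["process_sha256"].lower())


def from_crowdstrike(r: dict) -> Event:
    ts = datetime.fromtimestamp(r["timestamp"], tz=timezone.utc)
    return Event("crowdstrike", ts, _host(r["ComputerName"]),
                 _proc(r["ImageFileName"]), r["SHA256HashData"].lower())


# Source name -> (records, normalizer). Adding a source is one more entry.
SOURCES = {
    "defender": (DEFENDER_LIKE, from_defender),
    "carbon_black": (CB_LIKE, from_carbon_black),
    "crowdstrike": (CS_LIKE, from_crowdstrike),
}


def normalize_all(sources: dict = SOURCES) -> list[Event]:
    """Run every source's normalizer and return one flat list of Events."""
    return [fn(rec) for records, fn in sources.values() for rec in records]


def hunt(events: list[Event], sha256: str) -> dict[str, set[str]]:
    """Map each host where the indicator was seen to the set of sources
    that saw it. Overlapping EDRs collapse onto the same host key."""
    want = sha256.lower()
    hits: dict[str, set[str]] = {}
    for e in events:
        if e.sha256 == want:
            hits.setdefault(e.host, set()).add(e.source)
    return hits


if __name__ == "__main__":
    for host, seen_by in sorted(hunt(normalize_all(), "AA" * 32).items()):
        print(f"{host}: {sorted(seen_by)}")
```

The payoff is in the shape of the result: `ws-01` is reported by both the Defender-like and Carbon Black-like feeds, and after normalization that is one host with two corroborating sources, not two separate leads to chase. Case, path and timestamp format differences are handled once in the normalizers, so the hunt logic itself stays a single equality check.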
Your search-and-gather list can expand to all of your systems, both security-focused (like SIEM and EDR) and non-security-focused (like S3, LDAP, or business systems like Workday), because you no longer have to work out how to reach and query each non-security or otherwise unsearched technology yourself. You’re no longer bound to the systems that your team already has access to. You connect to the system in question and have full visibility — increasing your security efficiency while reducing costs associated with data storage and transfer.
You can identify more indicators faster than in traditional threat hunts, giving your incident response and security team more alerting capabilities and faster response, especially with emerging threats. That’s a win-win for an organization from a talent retention perspective.
Example:
Let’s say you receive an indicator that requires you to search data in Workday. Currently, you’re not gathering any Workday data in your SIEM. In order to include Workday in your search, you simply:
- Get an API key for Workday,
- Plug that into Query, and
- Search the exact data you need within minutes.