USE CASE Threat Hunting Threat Hunting with Query Federated Search

Overview Query expands your visibility into hard to reach data across the enterprise, boosting the reach and efficiency of your threat hunting searches. With one search bar, analysts can search across all data integrations; bringing visibility and context to teams previously only available to the most senior team members.

Validate your hypothesis before spending hours writing new rules. Using Query, your threat hunting times will drop exponentially and you have the ability to search systems you otherwise may have neglected simply because it was too difficult to search.

Query gives you more relevant data, much faster.

Threat Hunting Challenges In order to effectively threat hunt, an analyst must have a strong understanding of their organization’s threat model that supports risk mitigation processes and the cybersecurity threat environment. A threat hunter must also understand a host of non-cybersecurity tools such as Structured Query Language (SQL) syntax, and languages like Python, Bash, and PowerShell. In addition, they need to know application specific syntax, e.g. the SIEM they might be using (SPL for Splunk, KQL for Microsoft Sentinel or M365, etc.). Imagine a world where you could remove the technical boundaries associated with diverse technology sets and simply get to the actual act of HUNTING for threats. This familiarity with threat hunting tools is critical to achieve, yet difficult to gain and maintain.

Threat Hunting with Query With Query you can search all of your data from a single search bar without having to understand search syntax and process from each data source.

You’ll have results from any data source you integrate with Query, including data stored in your SIEMs, Data Lakes and Managed Search [e.g., Amazon Athena] applications and direct APIs across MDM, Identity, Endpoint Detection & Response (EDR), Cyber Threat Intelligence (CTI), and other tools.

This creates a much more agile and dynamic threat hunting environment because of your ability to quickly:

• Get access to data as needed across all supported and onboarded sources instead of having to switch between multiple systems.
• Search and normalize all of your data for threats — even overlapping data such as Defender, Carbon Black, and Crowdstrike (e.g., disparate data sources in the same capability set)
• Add and remove data sources in minutes to augment your search with additional systems, both security and non-security-related, as needed.

Using Query, threat hunts are much faster and more thorough.

Threat Hunting If necessary, you can even remove the connection to Workday after the search to comply with your corporate controls.

Your search-and-gather list can expand to all of your systems, both security-focused (like SIEM and EDR) and non-security-focused (like S3, LDAP, or business systems like Workday), because you don’t have to worry about figuring out how to search the IP address and data sources of your non-security or otherwise unsearched technologies. You’re no longer bound to the systems that your team has access to. You connect to the system in question and have full visibility — increasing your security efficiency while reducing costs associated with data storage and transfer.

You can dentify more indicators faster than in traditional threat hunts, giving your incident response and security team more alerting capabilities and faster response, especially with emerging threats. That’s a win-win for an organization from a talent retention perspective. Identify a system that has data you need to hunt that isn’t currently in your SIEM or central data repository. Instead of onboarding the data into your SIEM, you can simply plug it into your federated search interface with an API key, hunt immediately, and then either leave it in the interface, or disconnect from it. “You get instant visibility with no additional costs and less time spent searching.”

Example:

Let’s say you receive an indicator that requires you to search data in Workday. Currently, you’re not gathering any Workday data in your SIEM. In order to include Workday in your search, you simply:

• Get an API key for Workday
• Plug that into Query, and
• Search the exact data you need within minutes

USE CASE