USE CASE
Incident Response
Exponentially Increase Incident Response Efficiency with Query Federated Search
Overview
Query Federated Search enables your incident responders (SOC analysts, IR analysts, threat hunters, blue teamers, etc.) to search across all of your sources of truth in near real time. That tightens the OODA loop (Observe, Orient, Decide, Act): responders find and understand the right data quickly, make better decisions, and stay agile.
Incident Response Challenges
Key challenges that organizations face when it comes to incident response.
Time Sensitivity
Time sensitivity is the number one challenge in incident response. Incidents require smooth execution across IR workflows to both detect and respond effectively, which is often expressed as lowering Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR), respectively. Every additional data source adds pivots and searches to each investigation, which inevitably lengthens time to resolution.
Data Overload
Data overload makes swift searches difficult. Gathering and analyzing the vast amount of data generated during an incident can be overwhelming, often leading to delayed responses or missed critical information. Sorting through a high volume of alerts, raw logs, and other data sources, especially when they overlap, to separate true positives from false positives is resource-intensive, and whatever gets missed in that volume becomes a false negative.
Cloud & Hybrid Environments
With the shift to cloud and hybrid infrastructures, incidents can occur across a diverse (and potentially overlapping) range of environments, making it challenging to monitor and respond effectively. Data is everywhere, and you need to be able to search it all.
Overlapping Entities
Overlapping identities and overlapping networks, where any number of VPCs across any number of accounts can use the same private IP space, place a high cognitive load on analysts: they have to sort through records that look alike but differ in small details (hostnames, IPs, domains, or even hashes and digital signatures) while still dealing with the same underlying subject.
Incident Response with Query
With Query you can search all of your data from a single search bar, without having to learn the search syntax and query workflow of each data source.
You get results from every data source you integrate with Query, including data stored in SIEMs, data lakes, and managed search applications (e.g., Amazon Athena), as well as direct APIs across MDM, identity, Endpoint Detection & Response (EDR), Cyber Threat Intelligence (CTI), and other tools.
This creates a much more agile and dynamic threat hunting environment because of your ability to quickly:
- Get access to data as needed across all supported and onboarded sources instead of having to switch between multiple systems.
- Search and normalize all of your data for threats, even overlapping data from tools in the same capability set (e.g., Defender, Carbon Black, and CrowdStrike).
- Add and remove data sources in minutes to augment your search with additional systems, both security and non-security-related, as needed.
Using Query, threat hunts are much faster and more thorough.
USE CASE
Cloud Incident Response
Your security team collects indicators of compromise (IOCs) from a Threat Intelligence Platform (TIP), such as IPs used for command and control (C2) or cryptojacking infrastructure, and loads them into threat detection tools such as Amazon GuardDuty as custom threat lists.
Your team then receives a GuardDuty finding generated from that threat list, such as UnauthorizedAccess:S3/MaliciousIPCaller.Custom. To resolve it you need to determine what actions were taken against the bucket (from AWS CloudTrail), who owns the bucket and what other configuration risks it carries (from a CMDB or CSPM tool), and what type of data it contained (from a DLP or data classification tool).
With Query, you onboard these data sources and get a normalized, context-rich visual display from a single search: query the malicious IP address to find other hits, or pull all data related to the Amazon S3 bucket. What would normally take hours of pivoting is gathered after one search, reducing the time spent resolving the incident.
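As an added worked example (not Query's code and not from the original page), here is the first pivot in this use case written out in Python: take the remote IP and bucket name from a GuardDuty finding and run them against CloudTrail S3 events to list what the caller did, which objects it read, any ACL or policy changes it made, and which other sources touched the same bucket. The finding, the events, the account IDs, the bucket names and the threat list name are all constructed samples; they are shaped like the real formats and use the field names GuardDuty and CloudTrail actually emit, but nothing here comes from a real account.

```python
"""Pivot from a GuardDuty S3 finding to the CloudTrail events behind it."""
from collections import Counter

# Constructed sample shaped like an UnauthorizedAccess:S3/MaliciousIPCaller.Custom
# finding. IP, account, bucket and threat list names are made up for this example.
FINDING = {
    "accountId": "111122223333",
    "region": "us-east-1",
    "type": "UnauthorizedAccess:S3/MaliciousIPCaller.Custom",
    "resource": {
        "resourceType": "S3Bucket",
        "s3BucketDetails": [{"name": "acme-customer-exports", "type": "Destination"}],
    },
    "service": {
        "action": {
            "actionType": "AWS_API_CALL",
            "awsApiCallAction": {
                "api": "GetObject",
                "serviceName": "s3.amazonaws.com",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            },
        },
        "additionalInfo": {"threatListName": "tip-c2-ips"},
    },
}

# Constructed CloudTrail S3 events, abridged to the fields used below.
EVENTS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "ListObjects",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "userName": "svc-export"},
     "requestParameters": {"bucketName": "acme-customer-exports"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "userName": "svc-export"},
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/q1/customers.csv"}},
    {"eventTime": "2024-05-01T10:05:03Z", "eventName": "PutBucketAcl",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "userName": "svc-export"},
     "requestParameters": {"bucketName": "acme-customer-exports"}},
    {"eventTime": "2024-05-01T10:07:19Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "444455556666",
     "userIdentity": {"type": "IAMUser", "userName": "svc-export"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/nightly.sql.gz"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.20.3.7", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "userName": "etl-role/etl"},
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/q1/summary.csv"}},
]

# S3 API calls that change who can read the bucket or what is in it.
MUTATING = {"PutBucketAcl", "PutBucketPolicy", "PutObjectAcl", "PutObject",
            "DeleteObject", "DeleteBucketPolicy", "PutBucketPublicAccessBlock"}


def pivots_from_finding(finding):
    """Pull the search keys out of the finding: remote IP, bucket names, threat list."""
    call = finding["service"]["action"]["awsApiCallAction"]
    ip = call["remoteIpDetails"]["ipAddressV4"]
    buckets = [b["name"] for b in finding["resource"].get("s3BucketDetails", [])]
    threat_list = finding["service"].get("additionalInfo", {}).get("threatListName")
    return ip, buckets, threat_list


def events_from_ip(events, ip):
    return [e for e in events if e.get("sourceIPAddress") == ip]


def events_on_bucket(events, bucket):
    return [e for e in events if e.get("requestParameters", {}).get("bucketName") == bucket]


def triage(finding, events):
    """Everything the malicious caller did, plus who else touched the finding's bucket."""
    ip, buckets, threat_list = pivots_from_finding(finding)
    by_ip = events_from_ip(events, ip)
    # Bucket names are globally unique, but recipientAccountId says which account owns it.
    touched = sorted({(e["recipientAccountId"], e["requestParameters"]["bucketName"]) for e in by_ip})
    objects_read = sorted(e["requestParameters"]["key"] for e in by_ip
                          if e["eventName"] == "GetObject" and "key" in e["requestParameters"])
    mutations = [(e["eventTime"], e["eventName"], e["requestParameters"]["bucketName"])
                 for e in by_ip if e["eventName"] in MUTATING]
    principals = sorted({e["userIdentity"].get("userName", e["userIdentity"]["type"]) for e in by_ip})
    other_callers = sorted({e["sourceIPAddress"] for b in buckets
                            for e in events_on_bucket(events, b)} - {ip})
    return {
        "remote_ip": ip,
        "threat_list": threat_list,
        "api_calls": dict(Counter(e["eventName"] for e in by_ip)),
        "buckets_touched": touched,
        "objects_read": objects_read,
        "mutations": mutations,
        "principals_used": principals,
        "other_callers_on_finding_buckets": other_callers,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(FINDING, EVENTS), indent=2))
```

Two things a practitioner would check on the real data: the same IP showing up against a bucket in a second account (the `buckets_touched` list) is the "other hits" pivot the use case describes, and it is where the credential used (`principals_used`) matters more than the bucket; and object-level calls such as GetObject only appear in CloudTrail when S3 data events are enabled for that bucket or trail, so an empty `objects_read` for a bucket you know was read means a logging gap, not an absence of activity.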
USE CASE
Phishing Incident Response
Your security team receives an alert from an email security system that says "suspicious email detected after delivery." This phishing email and its aftermath need to be investigated. The analyst first looks inside the alerting system (Proofpoint, Mimecast, Exchange Online Protection, etc.) to verify that the email is indeed malicious.
If the email contains a spoofed or malicious link, you have to find out whether any users clicked it and whether any information was submitted. That requires the analyst to pivot to Zscaler, Cisco Umbrella, or another cloud content filtering system. Finally, the analyst has to pivot to the EDR to check whether anything malicious landed on the endpoint as well.
Depending on the severity of the situation, this investigation could take many hours. With Query, one search visualizes the relationships between each of these pivots, and the investigation is reduced to minutes.
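The phishing chain above as an added example in Python (not Query's code, and not from the original page): start from a post-delivery alert, find proxy hits to the phishing site from anyone at or after the delivery time, separate clicks from credential submissions (POST), and then look in EDR for a browser spawning a script host on the clicking machine shortly after the click. Unlike the cloud example, the join here is ordered in time: each stage only counts if it happens after the previous one. All records, domains, hostnames and users are constructed samples; the log shapes are simplified versions of what a cloud content filter and an EDR export, not any vendor's exact schema.

```python
"""Time-ordered pivot: mail alert -> proxy clicks -> EDR follow-up on the clicking host."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed post-delivery alert from a mail gateway; domain and users are made up.
MAIL_ALERT = {
    "alert": "suspicious email detected after delivery",
    "delivered_at": "2024-05-02T08:14:05Z",
    "url": "https://login-micros0ft-verify.example/auth?u=abc",
    "recipients": ["alice@example.com", "bob@example.com", "carol@example.com"],
}

# Constructed web proxy records (cloud content filter style, abridged).
PROXY_LOG = [
    {"time": "2024-05-02T08:20:31Z", "user": "alice@example.com", "host": "LT-ALICE",
     "method": "GET", "url": "https://login-micros0ft-verify.example/auth?u=abc"},
    {"time": "2024-05-02T08:21:10Z", "user": "alice@example.com", "host": "LT-ALICE",
     "method": "POST", "url": "https://login-micros0ft-verify.example/auth"},
    {"time": "2024-05-02T08:30:00Z", "user": "bob@example.com", "host": "LT-BOB",
     "method": "GET", "url": "https://intranet.example.com/"},
    # dave is not on the gateway's recipient list (a forwarded copy, in this sample).
    {"time": "2024-05-02T09:55:12Z", "user": "dave@example.com", "host": "LT-DAVE",
     "method": "GET", "url": "https://login-micros0ft-verify.example/auth?u=xyz"},
]

# Constructed EDR process-start events.
EDR_EVENTS = [
    {"time": "2024-05-02T08:22:03Z", "host": "LT-ALICE", "process": "powershell.exe",
     "parent": "chrome.exe"},
    {"time": "2024-05-02T08:25:00Z", "host": "LT-BOB", "process": "teams.exe",
     "parent": "explorer.exe"},
    {"time": "2024-05-02T11:00:00Z", "host": "LT-ALICE", "process": "cmd.exe",
     "parent": "explorer.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}


def site_of(url):
    """Match on scheme + host only: phishing kits vary the path and query per victim."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower())


def find_clicks(alert, proxy):
    """Proxy hits to the phishing site at or after delivery, by any user."""
    site = site_of(alert["url"])
    delivered = parse_ts(alert["delivered_at"])
    return [r for r in proxy
            if site_of(r["url"]) == site and parse_ts(r["time"]) >= delivered]


def endpoint_followups(clicks, edr, window=timedelta(minutes=15)):
    """Browser-spawned script hosts on a clicking host within `window` after the click."""
    hits = set()
    for c in clicks:
        t0 = parse_ts(c["time"])
        for e in edr:
            if (e["host"] == c["host"] and e["parent"] in BROWSERS
                    and e["process"] in SCRIPT_HOSTS
                    and t0 <= parse_ts(e["time"]) <= t0 + window):
                hits.add((e["host"], e["time"], e["parent"], e["process"]))
    return sorted(hits)


def investigate(alert, proxy, edr):
    clicks = find_clicks(alert, proxy)
    recipients = set(alert["recipients"])
    return {
        "clicked": sorted({c["user"] for c in clicks}),
        "submitted": sorted({c["user"] for c in clicks if c["method"] == "POST"}),
        "non_recipient_visitors": sorted({c["user"] for c in clicks} - recipients),
        "endpoint_followups": endpoint_followups(clicks, edr),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(MAIL_ALERT, PROXY_LOG, EDR_EVENTS), indent=2))
```

The search deliberately runs over every user in the proxy log rather than the gateway's recipient list, because a forwarded or replied copy of the mail does not appear in that list; the `non_recipient_visitors` result is how you notice that. The 15-minute EDR window and the browser-to-script-host parent/child pairing are assumptions for this sample; tune both to what your EDR actually records.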