You’ll have results from any data source you integrate with Query, including data stored in your SIEMs, data lakes and managed search applications (e.g., Amazon Athena), as well as direct APIs across MDM, Identity, Endpoint Detection & Response (EDR), Cyber Threat Intelligence (CTI), and other tools.
This creates a much more agile and dynamic threat hunting environment because of your ability to quickly:
- Get access to data as needed across all supported and onboarded sources instead of having to switch between multiple systems.
- Search and normalize all of your data for threats, including overlapping data such as Defender, Carbon Black, and CrowdStrike (i.e., disparate data sources in the same capability set).
- Add and remove data sources in minutes to augment your search with additional systems, both security and non-security-related, as needed.
Your team receives a GuardDuty finding from a custom threat list, such as “UnauthorizedAccess:S3/MaliciousIPCaller.Custom”, which requires you to determine what actions were taken against the bucket (from AWS CloudTrail), who owns the bucket and what other configuration risks exist (from a CMDB or CSPM tool), and what type of data the bucket contained (from a DLP or data classification tool).
With Query, you can onboard these data sources and get a normalized, context-rich visual display from a single search that either queries the malicious IP address for other hits or pulls all data related to the Amazon S3 bucket, reducing the time spent resolving the incident. What would normally take hours of pivoting is now gathered after one search.
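The correlation described above, written out as an added example (this is not Query's code or query language): a constructed GuardDuty finding supplies the two pivot keys, the bucket name and the remote IP, and records from three differently-shaped sources (CloudTrail events, a CMDB export and a DLP report) are normalized onto one schema and joined on those keys. All records, field names for the CMDB and DLP tools, and the `investigate` function are assumptions made for illustration.

```python
"""Added example: normalize CloudTrail, CMDB and DLP records and correlate them
with a GuardDuty S3 finding. Every record below is constructed, not real data."""

# Constructed GuardDuty finding; the shape loosely follows the real finding JSON,
# the values (bucket name, IP address) are invented.
GUARDDUTY_FINDING = {
    "Type": "UnauthorizedAccess:S3/MaliciousIPCaller.Custom",
    "Resource": {"S3BucketDetails": [{"Name": "acme-customer-exports"}]},
    "Service": {"Action": {"AwsApiCallAction": {
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}},
}

# Constructed CloudTrail-style records (field names follow CloudTrail conventions).
CLOUDTRAIL_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/q1.csv"}},
    {"eventName": "ListObjects", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-customer-exports"}},
    {"eventName": "PutObject", "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/q2.csv"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-public-assets", "key": "logo.png"}},
]

# Constructed CMDB/CSPM export and DLP report; these field names are hypothetical.
CMDB_ASSETS = [
    {"resource_id": "acme-customer-exports", "owner": "data-platform@example.com",
     "public_access_block": False},
    {"resource_id": "acme-public-assets", "owner": "web@example.com",
     "public_access_block": False},
]
DLP_RESULTS = [
    {"bucket": "acme-customer-exports", "classification": "PII", "sensitive_objects": 42},
]


def indicators_from_finding(finding):
    """Pull the two pivot keys, bucket name and remote IP, out of the finding."""
    bucket = finding["Resource"]["S3BucketDetails"][0]["Name"]
    ip = finding["Service"]["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"]
    return bucket, ip


def normalize_cloudtrail(event):
    """Map a CloudTrail record onto the common schema used for correlation."""
    params = event.get("requestParameters", {})
    return {"source": "cloudtrail", "bucket": params.get("bucketName"),
            "src_ip": event.get("sourceIPAddress"), "action": event.get("eventName"),
            "object": params.get("key")}


def investigate(finding, cloudtrail, cmdb, dlp):
    """Answer the three questions from the text: what was done to the bucket,
    who owns it and how it is configured, and what kind of data it holds."""
    bucket, ip = indicators_from_finding(finding)
    events = [normalize_cloudtrail(e) for e in cloudtrail]

    # Pivot 1: everything the malicious IP did to the bucket named in the finding.
    by_ip_on_bucket = [e for e in events if e["bucket"] == bucket and e["src_ip"] == ip]
    # Pivot 2: other buckets the same IP touched (scope of the incident).
    other_buckets = sorted({e["bucket"] for e in events
                            if e["src_ip"] == ip and e["bucket"] != bucket})
    # Pivot 3 and 4: ownership/configuration and data classification for the bucket.
    asset = next((a for a in cmdb if a["resource_id"] == bucket), None)
    dlp_hit = next((d for d in dlp if d["bucket"] == bucket), None)

    return {
        "finding": finding["Type"],
        "bucket": bucket,
        "malicious_ip": ip,
        "actions_by_ip_on_bucket": [e["action"] for e in by_ip_on_bucket],
        "objects_touched": sorted({e["object"] for e in by_ip_on_bucket if e["object"]}),
        "other_buckets_hit_by_ip": other_buckets,
        "owner": asset["owner"] if asset else None,
        "public_access_block": asset["public_access_block"] if asset else None,
        "classification": dlp_hit["classification"] if dlp_hit else "unknown",
    }


if __name__ == "__main__":
    summary = investigate(GUARDDUTY_FINDING, CLOUDTRAIL_EVENTS, CMDB_ASSETS, DLP_RESULTS)
    for key, value in summary.items():
        print(f"{key:26} {value}")
```

The point of the `normalize_*` step is that each tool names the same thing differently (`bucketName`, `resource_id`, `bucket`); once every record carries the same `bucket` and `src_ip` keys, the pivots are simple filters rather than tool-specific queries, which is what makes a single search across sources possible.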
If the email is found to contain a spoofed link, you have to investigate whether any users clicked the link and whether any information was submitted. This requires the analyst to pivot to Zscaler, Cisco Umbrella, or another cloud content filtering system. Finally, the analyst has to pivot to the EDR to check whether anything malicious is present on the affected endpoints as well.
Depending on the severity of the situation, this investigation could take many hours. With Query, one search visualizes the relationship between each of these pivots, and the investigation is reduced to minutes.
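The phishing pivot chain above, as an added example that is not part of the original page: starting from the spoofed URL, the code walks constructed web-proxy logs (Zscaler- or Umbrella-style fields are assumed) to find which users reached the spoofed domain, which of them submitted a form to it, and then joins the affected hostnames against constructed EDR alerts. The log shapes, the `pivot_phishing` function and all values are assumptions for illustration.

```python
"""Added example: multi-hop pivot from a spoofed link to proxy logs to EDR alerts.
All logs and alerts below are constructed for illustration."""
from urllib.parse import urlparse

# Constructed spoofed link reported in the phishing email.
SPOOFED_URL = "https://login-acme-sso.example/auth"

# Constructed proxy log records; field names are hypothetical, not a vendor schema.
PROXY_LOGS = [
    {"user": "alice", "host": "WS-0041", "method": "GET",
     "url": "https://login-acme-sso.example/auth", "action": "Allowed"},
    {"user": "alice", "host": "WS-0041", "method": "POST",
     "url": "https://login-acme-sso.example/auth/submit", "action": "Allowed"},
    {"user": "bob", "host": "WS-0077", "method": "GET",
     "url": "https://login-acme-sso.example/auth", "action": "Blocked"},
    {"user": "carol", "host": "WS-0102", "method": "GET",
     "url": "https://intranet.example.com/", "action": "Allowed"},
    {"user": "dave", "host": "WS-0115", "method": "GET",
     "url": "http://login-acme-sso.example/", "action": "Allowed"},
]

# Constructed EDR alerts keyed by hostname.
EDR_ALERTS = [
    {"hostname": "WS-0041", "severity": "high", "title": "Suspicious script download"},
    {"hostname": "WS-0200", "severity": "low", "title": "PUP detected"},
]


def pivot_phishing(spoofed_url, proxy_logs, edr_alerts):
    """Hop 1: proxy logs matching the spoofed domain (any scheme or path).
    Hop 2: per-user outcome (blocked, clicked, submitted a form).
    Hop 3: EDR alerts on the hosts that actually reached the domain."""
    domain = urlparse(spoofed_url).hostname
    # Match on hostname rather than the full URL so variants of the link are caught.
    hits = [entry for entry in proxy_logs if urlparse(entry["url"]).hostname == domain]

    outcome = {}
    for entry in hits:
        user = outcome.setdefault(entry["user"],
                                  {"host": entry["host"], "reached": False, "submitted": False})
        if entry["action"] == "Allowed":
            user["reached"] = True
            if entry["method"] == "POST":   # a POST to the spoofed site means data left
                user["submitted"] = True

    hosts_reached = {u["host"] for u in outcome.values() if u["reached"]}
    edr_hits = [a for a in edr_alerts if a["hostname"] in hosts_reached]

    return {
        "domain": domain,
        "users_blocked": sorted(u for u, o in outcome.items() if not o["reached"]),
        "users_clicked": sorted(u for u, o in outcome.items() if o["reached"]),
        "users_submitted": sorted(u for u, o in outcome.items() if o["submitted"]),
        "hosts_reached": sorted(hosts_reached),
        "hosts_with_edr_alerts": sorted({a["hostname"] for a in edr_hits}),
    }


if __name__ == "__main__":
    result = pivot_phishing(SPOOFED_URL, PROXY_LOGS, EDR_ALERTS)
    for key, value in result.items():
        print(f"{key:22} {value}")
```

Each hop consumes the output of the previous one (domain, then users and hosts, then alerts), which is exactly the sequence of manual pivots the text describes; users whose request was blocked by the proxy are reported separately so the analyst can confirm containment rather than treating every hit as a compromise.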