Query

Security and Investigations

Atlanta, Georgia 5,435 followers

Federated Search For Security Teams

About us

Query is a federated search platform delivering a single search bar to access all your security-relevant data, wherever it is stored. The Query Federated Search Platform unlocks access to and value from cybersecurity data wherever it is stored (in the cloud, third-party SaaS, or on-prem), regardless of vendor or technology, and without requiring centralization. This leads to massive cost savings, more efficient security operations across real-time and historical data sources, and reduced security analyst ramp-up time.

Website
https://www.query.ai
Industry
Security and Investigations
Company size
11-50 employees
Headquarters
Atlanta, Georgia
Type
Privately Held
Founded
2018

Updates

In case you missed it...

😖 SOC Analyst #1: Tell me again, why don’t we store all of the observability and network logging data in the data lake?
😇 SOC Analyst #2: Well, that would be a lot of data to keep indefinitely!
🤦 SOC Analyst #1: Uh, yeah, duh. The IT Ops team has it though, it’s inside of Amazon OpenSearch Service.
😨 SOC Analyst #2: Don’t you need to know Lucene to get at the data?
🤓 SOC Analyst #3: Actually, I am pretty sure it is a domain specific language…
😆 SOC Manager: You’re both right, it can use either, or a graphical interface.
😠 SOC Analyst #1: Okay, that’s well and good, but we got off the SIEM and moved to the data lake and I feel we’re still missing stuff. I thought cheap storage was the reason to get off of the old SIEM?!
🤓 SOC Manager: Well, those things tend to equal out, we also have to be careful with our compute charges.
🤑 SOC Analyst #3: They always get you!
😮💨 SOC Analyst #1: Alright, fine, I’m here to do SecOps not to do FinOps…even if IT does give us access, I don’t miss having to search across a bunch of different indices and learn another query language. Ain’t no one got time for that! Any chance https://hubs.li/Q02-pp7P0 can help us dodge that bullet again?
😤 SOC Analyst #2: Hold on. [TYPES FURIOUSLY] Yes! They are working on an Amazon OpenSearch Service integration right now! No Lucene, no DSL, no one-index-at-a-time – just like they do it for our lake and our other tools!
😀 SOC Manager: Yes…says they will handle all of the query translation, and normalize the data in OCSF like everything else, so we can reuse a lot of our playbooks and automation content.
😍 SOC Analyst #1: LFG! I love OpenSearch Service and Query together. Nothing is beyond our reach!
😎 SOC Analyst #2: Based.

Read more: https://hubs.li/Q02-pdDW0
#opensearch #opensearchservice #loganalytics #elk #siem #federatedsearch #observability #aws

• Query Amazon OpenSearch Service Integration

Great announcements coming from AWSReInvent this week. Query is working with security teams to use AWS to achieve a #SECDATAOPS advantage. We enable security teams to get value from (links in comments):

• Amazon S3/Glue/Athena: Support for any data lake built on S3 with any table format - map any data into OCSF and query via Athena - we support Hive/Glue tables as well as Hudi, Iceberg, and Delta Lake
• Amazon Security Lake: Automatic support for any Security Lake version and table format (Glue/Iceberg) via Athena. Support for custom sources and AWS sources up to OCSF 1.3.0
• Amazon OpenSearch Service: Support for mapping and querying any data in any Index in OpenSearch Service using IAM Role based authentication
• Splunk App - Plug us into your Splunk instance and immediately expand the data reach of your Splunk into AWS and beyond (30+ integrations)

Coming soon:

• Amazon Redshift: Support Redshift Classic and Redshift Serverless by querying any table, view, or materialized view—including External Catalogs—same experience as our other dynamic connectors: map your data into OCSF with Configure Schema and we support normalization/translation of queries and results

Why our customers (and Amazonians) are using Query:

• Support ANY Data Architecture choice: Warehouse, Lakehouse, SIEM, or any combo!
• Automatic Query language translation: Master query languages without GenAI hallucinations
• Automatic search result normalization into OCSF: search, pivot, filter, and visualize across ANY disparate data sources
• Two-way Splunk support: Federation to AND from any type of Splunk or Splunk Cloud deployment
• Data sovereignty and data security: data is never duplicated nor moved outside of the AWS Cloud

More about our partnership with AWS (links in comments):

🤝 The Query & Amazon Security Lake solution
😗🤔 Webcast: AWS' Ross Warren and Query's Jon Rau
🇬🇧 Partnering with HOOP Cyber to deploy Amazon Security Lake and Query solutions in EMEA
🌎 Query in the Amazon Marketplace

Thanks to Ross Warren, David Lewis, Ella Gille, Mark Terenzoni, and Ashok Mahajan for fantastic support!
#awsreinvent #amazonsecuritylake #aws #hoopcyber

👋 SOC Analyst #1: So how is the enrichment project going on the security data lake?
🤔 Detection Engineer: Ehh, it’s going alright. Still getting a handle on the data schema and the costs of the solution.
💡 SOC Analyst #2: Why don’t we just buy one of those SOAR tools?
🛑 SOC Analyst #3: Woah! Stop! You cannot call it SOAR anymore. The Magic Conch demands it.
🐚 Everyone: All hail the Magic Conch!
😏 SOC Analyst #1: *coughs* I mean we only need to do look ups against IP addresses, domains, hostnames, and hashes in our TIP, how hard can that be?!
😤 Detection Engineer: Do you not know how many tables and views are in this dang lake? Not to mention sources in the SIEM from the M&A, and other places. Also our TIP - MISP - has at least 100 types. It’s a lot to do!
🤨 SOC Analyst #2: Explains why the definitely-not-a-SOAR tool would be so expensive.
🤓 SOC Analyst #3: Doesn’t our federated search tool, Query, integrate with MISP now?
🤯 Detection Engineer: WHAT?!?! Why don’t you guys ever tell me about these things?
🤬 SOC Analyst #1: Why did you take our SIEM away?!
🙄 SOC Manager: Alright, alright. Everyone, calm down. Again, the data lake project was not solely decided by us. But yes, Query supports an integration with MISP. Any Entity we search for in Query will pull the results from MISP and collate it with the rest of the results. We can also search for any other indicator as required using the OSINT Inventory Info event class.
😎 Detection Engineer: I did not get as far as I wanted anyway, this is honestly great, I can build more complex automation against the Query API instead since this works. Let’s see how this works [TYPES IN A FEW IP ADDRESSES] Okay…and…WOW. All of the logs from the WAF, the VPCs, the load balancers, from the M&A SIEM, and from MISP are there!
😂 SOC Analyst #1: See, with Query, even the work we do outside of the tool benefits from it! Nothing is beyond our reach!

Read more: https://hubs.li/Q02-rqC_0
#osint #cti #attack #misp #opencti #indicators #threatintel

    • Query + MISP
In case you missed it...

🖖 SOC Manager: Hey folks, you have probably heard that our deal with Big Rocket Co. has closed! Guess who the lucky SecOps team is that will ensure security during the M&A!?
😏 SOC Analyst #1: Let me guess…another MSSP?!
😂 SOC Manager: Lol. No. Us, it’s us!
❓ SOC Analyst #2: I’ve never done M&A before, what security technology does Big Rocket Co. use?
🤓 SOC Manager: Well, they *were* using a MSSP, but not anymore. They used Google Security Operations as their SIEM. It used to be called Chronicle back in the day. They kept the SIEM, though.
😖 SOC Analyst #1: I swear, we just migrated away from our SIEM, and now we have another SIEM?!
😣 SOC Analyst #2: Not only that, what other query languages do you have to learn now? [SMASHES KEYBOARD WITH ANNOYANCE] Oh…Unified Data Model…UDM?
😤 SOC Manager: Folks, folks…please. We are all good! Query has a Connector for Google SecOps. It will handle the query translation into UDM, it will normalize the results to OCSF, it will smartly search the data they have just like it does for all of our Connectors that we have in Query Federated Search.
🎉 SOC Analyst #2: Wow, Query makes it almost *too easy* for us! It’s like they know what we’re thinking?!?
😍 SOC Manager: Our first priority is to check if there are any critical alerts from their onboarded datasets, let’s normalize some OCSF Detection Findings based on what they have in there. I have all of their Feed Names in a document from the M&A due diligence.
🗣️ SOC Analyst #2: Aye-aye cap’n, this will be far too easy!

Read more: https://hubs.li/Q02-bZvp0
#googlesecops #googlesecurityoperations #nextgensiem #gcp #siem #federatedsearch #observability #chronicle

Query reposted this

Tim Colby Sr.

    CEO @ Ginkgo | Enabling Modern Technologies | VC Partner | GTM Acceleration

    Excited to be co-hosting with the phenomenal Query team and Adam Page next Thursday! The topic of central ingestion spiralling out of control is a widespread problem across the enterprise. Not too many are happy with their bloated SIEM bills and complexities. Come join us in discussing the significant benefits of Federated Search to help improve your security data strategy. We have a couple of seats still open. Please RSVP here: https://lnkd.in/eFqXsKDj Austin Rappeport Neal Bridges Matt Eberhart David Wheeler Billy Smith Matt Anthony Ronald Hoering Matt Surabian Get It Taylored Steve Kazan Dan Burns Sriram Ramachandran Dhiraj Sharan Robert Rodriguez Liz Vagenas
