Query Comms: Dec 16 - Dec 20
Query + AWS Dev Day 2025
Join us on February 4th at 8:30AM at the AWS New York City Office for a hands-on workshop using Query Federated Search with Amazon Security Lake.
Attendees will:
Sign up to attend from the link below!
IP-API Integrated Into Query Federated Search
SOC Analyst #2: Hey! Check this out, Query is integrated with the IP-API Geolocation API!
SOC Analyst #1: Okay…what does that do?
SOC Analyst #2: Yo genius, it’s in the name, it interacts with the IP-API Geolocation API…
SOC Analyst #1: Okay duh, I know what Query Connectors do, but what do we get from it? We just integrated MISP the other week.
SOC Analyst #2: The Geolocation API gets us a bunch of free geolocation metadata with lookups. IP-API has a bunch of telemetry access that gives us very precise geolocation correlation with IPs: we get Autonomous System data, we get reverse DNS, ISP details, and we can easily identify if the IPs are coming from cloud hosting, VPNs, mobile networks, or other known proxies.
SOC Analyst #1: Oh, okay, that’s interesting, so a bit more detailed than some of our other OSINT and Threat Intelligence Connectors we integrated?
SOC Analyst #2: Well, at least for IP addresses. It works for both IPv4 and IPv6. Remember when we were investigating those suspicious IPs from Big Rocket Co. after the acquisition in their IdP? This would’ve made it just a bit faster to determine they were just partying in the Seychelles. MISP and the others have indicators; this is more generic data for nearly every IP.
SOC Analyst #1: Oh yeah, that would’ve made it easier. Too many of these tools give us “bad” stuff when we don’t even know sometimes.
SOC Analyst #2: Exactly! No more issues there with IP address lookups, and we are not stuck in the days of our SIEM having to run playbooks or enriching every record all the time!
SOC Analyst #3: The Magic Conch says death to the legacy SIEM and SOAR!
Everyone: All Hail the Magic Conch!
ClickHouse Cloud Connector Integrated Into Query Federated Search
SOC Manager: So how’s the merger looking, do you think we are almost done?
CISO: From my perspective, we are good to go; the longer part is integrations with the shared services and product teams. Big Rocket Co. does make hardware after all, they did not have a huge IT or cybersecurity footprint.
SOC Manager: So what are we doing with their Google Chronicle deployment? Are we going to keep that?
CISO: While it is tempting to do so, I had you folks get off of our last SIEM; it doesn’t make sense to go back. I have been talking with the Data & Analytics team, they have rolled out ClickHouse Cloud, ever heard of it?
SOC Manager: In passing maybe, it’s an OLAP database, right?
CISO: Exactly. It’s well suited for near real-time analytics workloads. Since we have different data volume needs it would be great if the slower stuff made it to the data lake and the faster stuff into ClickHouse Cloud. We should do a POV, what do you think?
SOC Manager: Yeah, we freed up resources from the M&A side, and we have everything in Query Federated Search. How hard is it to get data in it? Our Detection Engineering team won’t be thrilled.
CISO: Very easy from what I understand. Writing is quick, they support DataFrames, so it should be easy to port Parquet over and repurpose the enrichment pipelines your team worked on before Query integrated with MISP.
SOC Manager: Wow, I wonder how many other CISOs know what a DataFrame or OLAP is…
CISO: Chuckles. I better not say! Anyway, reach out to Query, I bet it’s on their roadmap knowing them.
[SOME TIME LATER…]
SOC Manager: You were right, Query is actually working on it now. We can probably get on a demo with them to show us how it works and talk through the right fit for the right data.
CISO: Yeah, that would be great. I am working with them on doing a Security Data Operations Workshop. It would be great to talk more strategically about different data volumes and fitting them to the right repos for federation. Hey, what the heck is that?!
SOC Analyst #3: The Magic Conch says legacy SIEM flees at the sight of high-speed OLAP workloads!
CISO: Uhh…oh right, ahem, ALL HAIL THE MAGIC CONCH!
All SOC: HAIL! HAIL!
United States Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Integrated Into Query Federated Search
Query did it again! We now integrate with the CISA KEV catalog, and can enrich data along the way with CVE metadata from one of MITRE’s APIs!
Webinar Replay + Podcast
#SecDataOpsCast — Why Do Security Products Suck?
On this episode of #SecDataOpsCast, Query CISO Neal Bridges joins Cybereason’s Jeffrey Golz and Query CPO Mike Bousquet for some straight talk on the biggest challenges in security operations. Hear their approach as they dig into the root causes and solutions.