Running Federated Search from Splunk

Suggest Edits

Query's Splunk App displays real–time and historical data in your Splunk console by directly querying from the data sources' APIs when you run your federated search.

Getting Started with Search

For example, run a federated search to fetch events, associated devices, and user information for an IP you are investigating. This will run parallel queries into the platforms connected via Query and bring back results in real-time using the platforms' APIs.

| queryai search="ip = 172.16.16.10"

Note that you have to start with a pipe '|' in front of the app's queryai command, i.e. | queryai

Command Syntax and Additional Examples

Command Syntax

| queryai search=”field = value” platforms="platformA, platformB, platformC" timeout=60

Parameter Description

  • search mandatory parameter that has the federated search condition payload. See the What can you search for understanding searchable entities, objects, and events, and the search syntax.
  • platforms optional parameter that lets you pass the platform alias names you want to query from. Without this parameter, all platforms will be queried. You can review/configure alias names from the 'Connections' page in Query's Console at https://go.query.ai/.`
  • timeout optional numeric parameter specified in seconds. It let's you pass the maximum time you are willing to wait for results. Note that setting this timeout may lead to incomplete results as only the results obtained within that timeframe will be displayed.

Additional Examples

| queryai search="ip = 172.16.16.10"
| queryai search="email = [email protected]" timeout=60
| queryai search="ip = 172.16.16.10" platforms="S3, elastic, sentinel"

What can you search

The search parameter let's you specify what types of data you want to search by, and the conditions you want to put on that search. Start with familiarizing yourself with QDM (Query Data Model) Guide which is based on OCSF. Next, see the full QDM schema at:

📘

QDM Schema

  • View and browse the QDM at https://schema.query.ai/
  • In your search syntax, use the type's name instead of the display name. So, for example, use 'domain_info' instead of 'Domain Information'.

Regarding the types of data to search by, there are three:

  • Search by QDM Event
  • Search by QDM Object
  • Search by QDM Entity

Search by QDM Event

The QDM Events are the cybersecurity events of interest, such as Authentication Event. See the guide for QDM Events.

You can put conditions on the searchable attributes of any class of events to get matched results. You can also do a wildcard search to get a list of events by that class.

Examples:

| queryai search="security_finding = *"
| queryai search="security_finding.severity_id = Critical"

Search by QDM Object

The QDM Objects are the cybersecurity objects of interest, such as User Object. See the guide for QDM Objects.

You can put conditions on the searchable attributes of any class of objects to get matched results.

Examples:

| queryai search="user = *"
| queryai search="user.email_addr = [email protected]"

Search by QDM Entity

The QDM Entities are the common data types of interest seen across QDM Objects and Events, such as an IP Address or a File Hash. You can search by these more basic types to get a result set containing the QDM Events and Objects where these entities were observed. See the guide for QDM Entities. These are the supported QDM entities you can search by:

📘

Entities supported in Entity Search

ip, username, hostname, email, url, file_name, file_hash

You can put conditions on the searchable entities to get matched events and objects.

Examples:

| queryai search="ip = 8.8.8.8"
| queryai search="file_hash = b5045d802394f4560280a7404af69263"
| queryai search="email = [email protected]"

Search Conditions

Here are some common federated search operators you can use:

Equality

Examples:

| queryai search="ip = 1.1.1.1"  
| queryai search="hostname = My-MacBookPro"

Starts with

Examples:

Note the trailing '*':

| queryai search="hostname = mac*"  
| queryai search="user.name = sam*"

Ends with

Examples:

Note the '*' at the beginning of the value:

| queryai search="hostname = *mac"  
| queryai search="user.name = *anand"

Contains

Examples:

| queryai search="hostname = *mac*"  
| queryai search="user.name = *ana*"

Wildcard

Search for all events of that QDM event class by using the wildcard '*'. Or use '*' in an attribute to get the objects/events that have a value for that attribute.

Examples:

| queryai search="authentication = *"
| queryai search="authentication.logon_type_id = *"
| queryai search="user.email_addr = *"

Field Extraction

In the search results, you will see the top-level OCSF schema objects, events, and attributes. For more details on OCSF, please see Normalization and the OCSF Data Model

The _raw field contains the native platform data mapped from OCSF's raw_data. For any content-specific use-cases, you can extract further fields from that native data by adding the spath pipe operation as ... | spath input=_raw

Updated 3 months ago