Running Federated Search from Splunk
Query's Splunk App displays real–time and historical data in your Splunk console by directly querying from the data sources' APIs when you run your federated search.
Getting Started with Search
For example, run a federated search to fetch events, associated devices, and user information for an IP you are investigating. This will run parallel queries into the platforms connected via Query and bring back results in real-time using the platforms' APIs.
| queryai search="ip = 172.16.16.10"
Note that you have to start with a pipe '|' in front of the app's queryai command, i.e. | queryai
Command Syntax and Additional Examples
Command Syntax
| queryai search=”field = value” platforms="platformA, platformB, platformC" timeout=60
Parameter Description
search
mandatory parameter that has the federated search condition payload. See the What can you search for understanding searchable entities, objects, and events, and the search syntax.platforms
optional parameter that lets you pass the platform alias names you want to query from. Without this parameter, all platforms will be queried. You can review/configure alias names from the 'Connections' page in Query's Console at https://go.query.ai/.`timeout
optional numeric parameter specified in seconds. It let's you pass the maximum time you are willing to wait for results. Note that setting this timeout may lead to incomplete results as only the results obtained within that timeframe will be displayed.
Additional Examples
| queryai search="ip = 172.16.16.10"
| queryai search="email = [email protected]" timeout=60
| queryai search="ip = 172.16.16.10" platforms="S3, elastic, sentinel"
What can you search
The search
parameter let's you specify what types of data you want to search by, and the conditions you want to put on that search. Start with familiarizing yourself with QDM (Query Data Model) Guide which is based on OCSF. Next, see the full QDM schema at:
QDM Schema
- View and browse the QDM at https://schema.query.ai/
- In your search syntax, use the type's name instead of the display name. So, for example, use 'domain_info' instead of 'Domain Information'.
Regarding the types of data to search by, there are three:
- Search by QDM Event
- Search by QDM Object
- Search by QDM Entity
Search by QDM Event
The QDM Events are the cybersecurity events of interest, such as Authentication Event. See the guide for QDM Events.
You can put conditions on the searchable attributes of any class of events to get matched results. You can also do a wildcard search to get a list of events by that class.
Examples:
| queryai search="security_finding = *"
| queryai search="security_finding.severity_id = Critical"
Search by QDM Object
The QDM Objects are the cybersecurity objects of interest, such as User Object. See the guide for QDM Objects.
You can put conditions on the searchable attributes of any class of objects to get matched results.
Examples:
| queryai search="user = *"
| queryai search="user.email_addr = [email protected]"
Search by QDM Entity
The QDM Entities are the common data types of interest seen across QDM Objects and Events, such as an IP Address or a File Hash. You can search by these more basic types to get a result set containing the QDM Events and Objects where these entities were observed. See the guide for QDM Entities. These are the supported QDM entities you can search by:
Entities supported in Entity Search
ip, username, hostname, email, url, file_name, file_hash
You can put conditions on the searchable entities to get matched events and objects.
Examples:
| queryai search="ip = 8.8.8.8"
| queryai search="file_hash = b5045d802394f4560280a7404af69263"
| queryai search="email = [email protected]"
Search Conditions
Here are some common federated search operators you can use:
Equality
Examples:
| queryai search="ip = 1.1.1.1"
| queryai search="hostname = My-MacBookPro"
Starts with
Examples:
Note the trailing '*':
| queryai search="hostname = mac*"
| queryai search="user.name = sam*"
Ends with
Examples:
Note the '*' at the beginning of the value:
| queryai search="hostname = *mac"
| queryai search="user.name = *anand"
Contains
Examples:
| queryai search="hostname = *mac*"
| queryai search="user.name = *ana*"
Wildcard
Search for all events of that QDM event class by using the wildcard '*'. Or use '*' in an attribute to get the objects/events that have a value for that attribute.
Examples:
| queryai search="authentication = *"
| queryai search="authentication.logon_type_id = *"
| queryai search="user.email_addr = *"
Field Extraction
In the search results, you will see the top-level OCSF schema objects, events, and attributes. For more details on OCSF, please see Normalization and the OCSF Data Model
The _raw
field contains the native platform data mapped from OCSF's raw_data. For any content-specific use-cases, you can extract further fields from that native data by adding the spath
pipe operation as ... | spath input=_raw
Updated 3 months ago