Running Federated Search from Splunk

Query's Splunk App displays real–time and historical data in your Splunk console by directly querying from the data sources' APIs when you run your federated search.

Getting Started with Search

For example, run a federated search to fetch events, associated devices, and user information for an IP you are investigating. This will run parallel queries into the platforms connected via Query and bring back results in real-time using the platforms' APIs.

| queryai search="ip = 172.16.16.10"

Note that you have to start with a pipe '|' in front of the app's queryai command, i.e. | queryai

Command Syntax and Additional Examples

Command Syntax

| queryai search=”field = value” platforms="platformA, platformB, platformC" timeout=60

Parameter Description

  • search mandatory parameter that has the federated search condition payload. See the What can you search for understanding searchable entities, objects, and events, and the search syntax.
  • platforms optional parameter that lets you pass the platform alias names you want to query from. Without this parameter, all platforms will be queried. You can review/configure alias names from the 'Connections' page in Query's Console at https://go.query.ai/.`
  • timeout optional numeric parameter specified in seconds. It let's you pass the maximum time you are willing to wait for results. Note that setting this timeout may lead to incomplete results as only the results obtained within that timeframe will be displayed.

Additional Examples

| queryai search="ip = 172.16.16.10"
| queryai search="email = [email protected]" timeout=60
| queryai search="ip = 172.16.16.10" platforms="S3, elastic, sentinel"

What can you search

The search parameter let's you specify what types of data you want to search by, and the conditions you want to put on that search. Start with familiarizing yourself with QDM (Query Data Model) Guide which is based on OCSF. Next, see the full QDM schema at:

📘

OCSF based Query Data Model (QDM)

  • View and browse the QDM at https://schema.query.ai/
  • In your search syntax, use the type's name instead of the display name. So, for example, use 'domain_info' instead of 'Domain Information'.

Regarding the types of data to search by, there are three:

  • Search by QDM Entity
  • Search by QDM Event
  • Search by QDM Object

Search by Entity

The QDM Entities are the common data types of interest seen across QDM Objects and Events, such as an IP Address or a File Hash. You can search by these more basic types to get a result set containing the QDM Events and Objects where these entities were observed. See the guide for QDM Entities. These are the supported QDM entities you can search by:

📘

Entities to Search

  • ip
  • username
  • hostname
  • email
  • url
  • file_name
  • file_hash
  • mac_address
  • process_name
  • resource_id

You can put conditions on the searchable entities to get matched events and objects.

Examples:

| queryai search="ip = 8.8.8.8"
| queryai search="file_hash = b5045d802394f4560280a7404af69263"
| queryai search="email = [email protected]

Search by Event

The QDM Events are the cybersecurity events of interest, such as Authentication Event. See this guide to understand QDM Events.

📘

Events to search

  • security_finding
  • vulnerability_finding
  • incident_finding
  • detection_finding
  • compliance_finding
  • authentication
  • authorize_session
  • file_activity
  • http_activity
  • process_activity
  • dns_activity
  • email_delivery_activity
  • network_activity
  • ...and more... (see full list at https://schema.query.ai/events.html)

You can put conditions on the searchable attributes of any class of events to get matched results. Use dots for hierarchically accessing attributes:

| queryai search="security_finding.severity_id = CRITICAL"

You can also do a wildcard search to get a list of events of that class:

| queryai search="security_finding = *"

Search by Object

The QDM Objects are the cybersecurity objects of interest, such as User Object. See the guide for QDM Objects.

📘

Objects to search

  • actor
  • agent
  • data_security
  • device
  • domain_info
  • domain_intelligence
  • file
  • file_intelligence
  • ip_intelligence
  • threat_intelligence
  • url_intelligence
  • user

You can put conditions on the searchable attributes of any class of objects to get matched results. Use dots for hierarchically accessing attributes:

| queryai search="user.email_addr = [email protected]"

You can also do a wildcard search to get a list of objects of that type:

| queryai search="user = *"

Search Conditions and Operators

Here are some common federated search operators you can use:

📘

Operators

  • = (Equals operator)
  • != (NotEquals operator)
  • *value* (Contains operator)
  • value* (StartsWith operator)
  • *value (EndsWith operator)
  • NOT (Boolean NOT operator)
  • AND/OR (Logical AND and OR operator)
  • IN (IN operator for list of csv values)
  • * (Search all)

Equality

Examples:

| queryai search="ip = 1.1.1.1"  
| queryai search="hostname = My-MacBookPro"

Starts with

Examples:

Note the trailing '*':

| queryai search="hostname = mac*"  
| queryai search="user.name = sam*"

Ends with

Examples:

Note the '*' at the beginning of the value:

| queryai search="hostname = *mac"  
| queryai search="user.name = *anand"

Contains

Examples:

| queryai search="hostname = *mac*"  
| queryai search="user.name = *ana*"

Wildcard

Search for all events of that QDM event class by using the wildcard '*'. Or use '*' in an attribute to get the objects/events that have a value for that attribute.

Examples:

| queryai search="authentication = *"
| queryai search="authentication.logon_type_id = *"
| queryai search="user.email_addr = *"

Noteworthy Scenarios

About case sensitivity

  • Values are case in-sensitive
  • Entities, events, objects, and their attribute names are case-sensitive

Checking for presence and absence (null or empty) of values

Here is an example of how you search for an attribute to have a non-empty value, for example, searching for users who have a valid value for email_addr:

| queryai search="user.email_addr = *"

Here is how you search for an attribute that does not have a value, i.e. checking for nulls. For example, searching for users whose email_addr is not set:

| queryai search="NOT user.email_addr = *"

Handling spaces, special characters, or reserved keywords in values

Value containing any reserved keywords (like AND, OR, NOT, IN), whitespaces, or special characters (like dots) should be enclosed inside single or double quotes. For example:

| queryai search="security_finding.severity_id = 'INFORMATIONAL'"
| queryai search="user.email_addr='[email protected]'"

Using dot(.) notation to access attribute hierarchy

As we covered earlier, you can use dot(.) notation to put conditions on a desired attribute in any event or object. For example:

| queryai search="user.devices.domain=xyzdomain"

Note that a maximum of three dots are allowed.

Parsing sub-fields from another value (or from _raw)

In the search results, you will see the top-level OCSF schema objects, events, and attributes. For more details on OCSF, please see Normalization and the OCSF Data Model

In scenarios where you have a value containing further fields, you can use SPL spath command to extract them. For example, the _raw field contains the native platform data mapped from OCSF's raw_data. For any content-specific use-cases, you can extract further fields from that native data by adding the spath pipe operation as ... | spath input=_raw(or simply ... | spath since splunk uses _raw as the default for the input parameter).