Query Engine 4.1.1
- 22 May 2022
- 4 Minutes to read
- DarkLight
- PDF
Query Engine 4.1.1
- Updated on 22 May 2022
- 4 Minutes to read
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
tags: python | Query Automation | SIEM Query Engines
Description
Query Engine and Investigation Framework Automation is created on top of sensors connecting the CDC to various SIEM and EDRs such as Sentinel, Splunk, QRadar, Cybereason, ADX, etc. It supports CDC users by automating their ability to run queries on different SIEMs. These SIEMs are configured for the customer within the CDC itself.
As part of alert triage and investigation, analysts typically run predictable queries using SIEM and EDR, in response to specific alerts. Instead of automating these individual queries for them, CyberProof has developed a mechanism that allows CDC analysts to configure CDC to automatically run specific SIEM and EDR queries in response to specific alerts.
The query engine runs the query in response to an alert. To make this process simpler, we have created an alias for each query, and analysts can run the query by passing alias details in the CLI. We have enabled the upload of use cases and query files using CDC commands. These commands allow analysts to add/modify the queries/automations, with no additional effort required from the Integrations team.
The queries accept parameter values from the alert/observables. We use features of the CSV preview to showcase the output returned in CSV. This preview is shown on the CDC screen itself.
| Integration Type: | Automation |
| Information read: | Alert/observable provided as parameter and corresponding SIEM/EDR queries to fetch the required results. |
| API Supported: | All existing sensors to communicate to SIEM and EDR. |
| Input: | Alert/observables and query alias details. |
| Output: | Detailed output from SIEM/EDR as per the specific queries run by the analyst. Or appropriate error message if no matching results/any error in execution. |
CDC Command Lines
- automate_query_execution_cli
The CLI of the CDC, for manually triggering the automated query execution workflow in the CDC message thread. Important point to note: Input 'debug_message' must be a boolean value(true/false).
| Option | Type | Description | Required |
|---|---|---|---|
| alert_id | string | The alert_id to work upon. | False |
| debug_message | boolean | The debug flag to display messages in chat; e.g., true/false. | False |
- execute_query_using_alias_cli
The CLI of the CDC, for manually executing queries using query_alias in the CDC message thread. Important point to note: Input 'debug_message' must be a boolean value(true/false).
| Option | Type | Description | Required |
|---|---|---|---|
| query_alias | string | The query_alias of the query to be executed. | True |
| query_parameters | object | The object to be replaced in the query to be executed. | False |
| alert_id | string | The alert_id to work upon. | False |
| debug_message | boolean | The debug flag to display messages in chat; e.g., true/false. | False |
- get_query_details_and_download_file_cli
This CLI of the CDC is used to fetch use-case query details, as well as to enable the downloading of a file if selected. Important point to note: Input 'download_file' must be a boolean value (true/false).
| Option | Type | Description | Required |
|---|---|---|---|
| download_file | boolean | Attach the file in the original format. | False |
- upload_config_cli
This CLI of the CDC is used to upload files from CDC to Azure Blob. Note that at least one of use case config or rule config file name needs to be mentioned. Input files for this CLI should be mandatorily in ".yaml" format only. Input 'overwrite' must be a boolean value (true/false). While running the CLI, enter Incident ID or Channel ID or Alert ID (in CDC version < 2.2).
| Option | Type | Description | Required |
|---|---|---|---|
| alert_id | string | Alert ID | False |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| rules_config_file_name | string | Rules config file name | False |
| use_case_config_file_name | string | Use case config file name | False |
| overwrite | boolean | Overwrite flag status | False |
Workflows
automate_query_execution
This workflow will be triggered when a new alert is created in the CDC.check_pack_installed
This is a sub-workflow for identifying packs' installed status.execute_query
This workflow preprocesses the query and maps parameters from config to the query definition.execute_query_for_adx
This workflow will execute the query definition and return the Redis key.execute_query_for_ms_defender
This workflow will execute the query definition and return the Redis key.execute_query_for_qradar
This workflow will execute the query definition and return the Redis key.execute_query_for_sentinel
This workflow will execute the query definition and return the Redis key.execute_query_for_splunk
This workflow will execute the query definition and return the Redis key.execute_use_case_query
This is a sub-workflow for an alert-created workflow.fetch_query_details
This workflow will read the rule configuration from Azure Blob storage and fetch query details and perform additional checks.get_file_content_subworkflow
This workflow is used to get the content of the yaml file attached to a CDC incident, alert, or channel.get_query_details
This workflow is used for getting details about a query.identify_pack_per_query
This is a sub-workflow for identifying packs' installed status.post_message_cdc
Post the message on CDC in the channel/alert/incident/thread.upload_to_cdc
Upload query data to the CDC.validate_alert_trigger_condition
This workflow will find matching queries with specified trigger conditions.
Rules
- new_alert_listener
Triggering an automate_query_execution workflow when an alert is created in the CDC.
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues
Was this article helpful?