Query Engine 6.1.0
- Updated on 14 Jun 2022
tags: python | Query Automation | SIEM Query engines
Description
Query Engine and Investigation Framework Automation is built on top of the sensors that connect the CDC to SIEMs and EDRs such as Sentinel, Splunk, QRadar, Cybereason and ADX. It supports CDC users by automating the running of queries on the different SIEMs, which are configured for the customer within the CDC itself.
As part of alert triage and investigation, analysts typically run predictable SIEM and EDR queries in response to specific alerts. Instead of automating each of these queries individually, CyberProof has developed a mechanism that lets CDC analysts configure the CDC to run specific SIEM and EDR queries automatically in response to specific alerts.
The query engine runs a query in response to an alert. To keep this simple, each query has an alias, and analysts can run a query by passing the alias details in the CLI. Use case and query files can be uploaded using CDC commands, so analysts can add or modify queries and automations without any additional effort from the Integrations team.
The queries accept parameter values from the alert/observables. The output returned in the CSV is displayed using the CSV preview, which is shown on the CDC screen itself.
| Field | Value | 
|---|---|
| Integration Type | Automation | 
| Information read | Alert/observable provided as parameter and corresponding SIEM/EDR queries to fetch the required results. | 
| API Supported | All existing sensors to communicate to SIEM and EDR. | 
| Input | Alert/observables and query alias details. | 
| Output | Detailed output from SIEM/EDR as per the specific queries run by the analyst, or an appropriate error message if there are no matching results or an error occurs during execution. | 
Customer Configuration
No specific configuration required on the customer's end.
CDC Command Lines
* **automate_query_execution_cli**
 The CLI of the CDC for manually triggering the automated query execution workflow in the CDC message thread. Note that the input 'debug_message' must be a boolean value (true/false).
| Option | Type | Description | Required | 
|---|---|---|---|
| alert_id | string | The alert_id to work upon. | False | 
| debug_message | boolean | The debug flag to display messages in chat; e.g., true/false. | False | 
* **execute_query_using_alias_cli**
 The CLI of the CDC for manually executing queries using query_alias in the CDC message thread. Note that the input 'debug_message' must be a boolean value (true/false).
| Option | Type | Description | Required | 
|---|---|---|---|
| query_alias | string | The query_alias of the query to be executed. | True | 
| query_parameters | object | The object to be replaced in the query to be executed. | False | 
| alert_id | string | The alert_id to work upon. | False | 
| debug_message | boolean | The debug flag to display messages in the chat; e.g., true/false. | False | 
* **get_query_details_and_download_file_cli**
 This CLI of the CDC is used to fetch use-case query details and, if selected, to download the query file. Note that the input 'download_file' must be a boolean value (true/false).
| Option | Type | Description | Required | 
|---|---|---|---|
| download_file | boolean | Attach the file in the original format. | False | 
* **upload_config_cli**
 This CLI of the CDC is used to upload files from the CDC to Azure Blob. At least one of the use case configuration or rule configuration file names must be specified. Input files for this CLI must be in ".yaml" format. The input 'overwrite' must be a boolean value (true/false). When running the CLI, enter the Incident ID, Channel ID or Alert ID (in CDC versions earlier than 2.2).
| Option | Type | Description | Required | 
|---|---|---|---|
| alert_id | string | Alert ID | False | 
| incident_id | string | Incident ID | False | 
| channel_id | string | Channel ID | False | 
| rules_config_file_name | string | Rules configuration file name. | False | 
| use_case_config_file_name | string | Use case configuration file name. | False | 
| overwrite | boolean | Overwrite flag status. | False | 
Workflows
* **automate_query_execution**
 This workflow will be triggered when a new alert is created in the CDC.
* **automate_schedule_query_execution**
 This workflow will be triggered from Logic App for running static scheduled queries.
* **check_pack_installed**
 This is a sub-workflow for identifying packs' installed status.
* **execute_query**
 This workflow preprocesses the query and maps parameters from the configuration to the query definition.
* **execute_query_for_adx**
 This workflow will execute the query definition and return the Redis key.
* **execute_query_for_ms_defender**
 This workflow will execute the query definition and return the Redis key.
* **execute_query_for_qradar**
 This workflow will execute the query definition and return the Redis key.
* **execute_query_for_sentinel**
 This workflow will execute the query definition and return the Redis key.
* **execute_query_for_splunk**
 This workflow will execute the query definition and return the Redis key.
* **execute_use_case_query**
 This is a sub-workflow for an alert-created workflow.
* **fetch_blob_configs**
 This workflow fetches the rule, use_case and chart configurations from Azure storage in parallel.
* **fetch_query_details**
 This workflow will read the rule configuration from Azure Blob storage and fetch query details and perform additional checks.
* **get_cdc_version**
 Get the CDC version.
* **get_file_content_subworkflow**
 This workflow is used to get the content of the yaml file attached to a CDC incident, alert, or channel.
* **get_query_details**
 This workflow is used for getting details about a query.
* **identify_pack_per_query**
 This is a sub-workflow for identifying packs' installed status.
* **post_message_cdc**
 Post the message on the CDC in the channel/alert/incident/thread.
* **prerequisites_fetch**
 Fetches the prerequisites for validation and execution of queries.
* **schedule_query**
 Runs the scheduled query from Logic App.
* **upload_to_cdc**
 Upload the query data to the CDC.
* **upload_to_cdc_2**
 Upload the query data to the CDC and display a Vega chart under the graph section of the CDC (for CDC versions 2.7 and above).
* **validate_alert_trigger_condition**
 This workflow will find matching queries with specified trigger conditions.
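The two steps the page describes, matching an alert against configured trigger conditions (validate_alert_trigger_condition) and filling a query template by alias from alert observables and explicit query_parameters (execute_query_using_alias_cli), are illustrated below in an added example that is not CyberProof's code. The use-case config shape (query_alias, siem, query, defaults, trigger fields) and the `{placeholder}` syntax are assumptions for this illustration, not the product's schema.

```python
import string

# Constructed sample use-case configuration; field names are assumed here,
# not taken from the product's YAML schema.
USE_CASES = [
    {"query_alias": "host_logons", "siem": "sentinel",
     "query": "SecurityEvent | where Computer == '{hostname}' "
              "| where TimeGenerated > ago({lookback})",
     "defaults": {"lookback": "24h"},
     "trigger": {"alert_type": "suspicious_logon"}},
    {"query_alias": "ip_traffic", "siem": "splunk",
     "query": 'index=firewall src_ip="{src_ip}" | stats count by dest_ip',
     "defaults": {},
     "trigger": {"alert_type": "c2_beacon"}},
]

def placeholders(template: str) -> set:
    """Names of the {...} fields a query template expects."""
    return {name for _, name, _, _ in string.Formatter().parse(template) if name}

def resolve_query(use_cases, query_alias, alert=None, query_parameters=None,
                  debug_message=False) -> dict:
    """Mirror the execute_query_using_alias inputs: look the alias up and fill
    the template from defaults < alert observables < explicit query_parameters."""
    if not isinstance(debug_message, bool):
        raise TypeError("debug_message must be a boolean (true/false)")
    use_case = next((u for u in use_cases if u["query_alias"] == query_alias), None)
    if use_case is None:
        raise LookupError(f"no query configured for alias {query_alias!r}")
    params = dict(use_case.get("defaults", {}))
    params.update((alert or {}).get("observables", {}))
    params.update(query_parameters or {})
    needed = placeholders(use_case["query"])
    missing = needed - params.keys()
    if missing:
        raise ValueError(f"missing query parameters: {sorted(missing)}")
    # Observable values come from the alert, i.e. attacker-influenced data;
    # refuse anything that could break out of the quoted literal in the template.
    for name in needed:
        if any(ch in str(params[name]) for ch in "'\"\r\n"):
            raise ValueError(f"parameter {name!r} has characters not allowed in a query literal")
    query = use_case["query"].format(**{n: params[n] for n in needed})
    return {"siem": use_case["siem"], "query": query,
            "debug": f"alias={query_alias} params={sorted(needed)}" if debug_message else ""}

def matching_queries(use_cases, alert) -> list:
    """validate_alert_trigger_condition-style check: an alias matches when every
    key/value in its trigger condition equals the corresponding alert field."""
    return [u["query_alias"] for u in use_cases
            if all(alert.get(k) == v for k, v in u["trigger"].items())]
```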
Rules
* **new_alert_listener**
 Triggering an automate_query_execution workflow when an alert is created in the CDC.
Sensors
No sensors.
Triggers
No triggers.
Policies
| Name | Type | Description | Resource | Policy Action | Threshold | 
|---|---|---|---|---|---|
| automate_query_execution_policy | action.concurrency | Limits the concurrent executions for automate_query_execution | query_engine.automate_query_execution | cancel | 20 | 
Known Issues
No known issues.
