Query Engine 6.4.2
- 06 Apr 2025
- 4 Minutes to read
- DarkLight
- PDF
Query Engine 6.4.2
- Updated on 06 Apr 2025
- 4 Minutes to read
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Query Engine - 6.4.2
tags: python | Query Automation | SIEM Query engines
Table of Contents
Description
Query Engine and Investigation Framework Automation is created on top of sensors connecting the CDC to various SIEM and EDRs such as Sentinel, Splunk, QRadar, Cybereason, ADX, etc. It supports CDC users by automating their ability to run queries on different SIEMs. These SIEMs are configured for the customer within the CDC itself.
As part of alert triage and investigation, analysts typically run predictable queries using SIEM and EDR, in response to specific alerts. Instead of automating these individual queries for them, CyberProof has developed a mechanism that allows CDC analysts to configure CDC to automatically run specific SIEM and EDR queries in response to specific alerts.
The query engine runs the query in response to an alert. To make this process simpler, we have created an alias for each query, and analysts can run the query by passing alias details in the CLI. We have enabled the upload of use cases and query files using CDC commands. These commands allow analysts to add/modify the queries/automations, with no additional effort required from the Integrations team.
The queries accept parameter values from the alert/observables. We use features of the CSV preview to showcase the output returned in CSV. This preview is shown on the CDC screen itself.
| Integration Type: | Automation |
| Information read: | Alert/observable provided as parameter and corresponding SIEM/EDR queries to fetch the required results. |
| API Supported: | All existing Sensors to communicate to SIEM and EDR. |
| Input: | Alert/Observables and query alias details. |
| Output: | Detailed output from SIEM/EDR as per the specific queries run by the analyst. Or appropriate error message if no matching results/any error in execution. |
Customer Configuration
No specific configuration required at customer end.
CDC Command Lines
* **automate_query_execution_cli**
The CLI of the CDC, for manually triggering the automated query execution workflow in the CDC message thread. Important point to note : Input 'debug_message' must be a boolean value(true/false).
| Option | Type | Description | Required |
|---|---|---|---|
| alert_id | string | The alert_id to work upon. | False |
| debug_message | boolean | The debug flag to display messages in chat; e.g., true/false. | False |
* **execute_query_using_alias_cli**
The CLI of the CDC, for manually executing queries using query_alias in the CDC message thread. Important point to note : Input 'debug_message' must be a boolean value(true/false)
| Option | Type | Description | Required |
|---|---|---|---|
| query_alias | string | The query_alias of the query to be executed. | True |
| query_parameters | object | The object to be replaced in the query to be executed. | False |
| alert_id | string | The alert_id to work upon. | False |
| debug_message | boolean | The debug flag to display messages in chat; e.g., true/false. | False |
* **get_query_details_and_download_file_cli**
This CLI of the CDC is used to fetch use-case query details, as well as to enable the downloading of a file if selected. Important point to note : Input 'download_file' must be a boolean value(true/false).
| Option | Type | Description | Required |
|---|---|---|---|
| download_file | boolean | Attach the file in the original format. | False |
* **upload_config_cli**
This CLI of the CDC is used to upload files from CDC to Azure Blob. Note that at least one of use case config or rule config file name needs to be mentioned. Input files for this CLI should be mandatorily in ".yaml" format only. Input 'overwrite' must be a boolean value (true/false).While running the CLI, enter Incident ID or Channel ID or Alert ID (in CDC version < 2.2).
| Option | Type | Description | Required |
|---|---|---|---|
| alert_id | string | Alert ID | False |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| rules_config_file_name | string | Rules config file name | False |
| use_case_config_file_name | string | Use case config file name | False |
| chart_config_file_name | string | Chart config file name | False |
| overwrite | boolean | Overwrite flag status | False |
Workflows
* **automate_query_execution**
This workflow will be triggered when a new alert is created in the CDC.
* **automate_schedule_query_execution**
This workflow will be triggered from logic app for running static scheduled queries.
* **check_pack_installed**
This is a sub-workflow for identifying packs' installed status.
* **execute_query**
This workflow preprocesses the query and maps parameters from config to the query definition.
* **execute_query_for_adx**
This workflow will execute the query definition and return the redis key.
* **execute_query_for_ms_defender**
This workflow will execute the query definition and return the redis key.
* **execute_query_for_qradar**
This workflow will execute the query definition and return the redis key.
* **execute_query_for_sentinel**
This workflow will execute the query definition and return the redis key.
* **execute_query_for_splunk**
This workflow will execute the query definition and return the redis key.
* **execute_query_logic_apps**
Logic App action for executing queries using query_alias on CDC
* **execute_use_case_query**
This is a sub-workflow for an alert-created workflow.
* **fetch_blob_configs**
This workflow will rule, use_case abd chart config from azure storage parallely.
* **fetch_query_details**
This workflow will read the rule configuration from Azure Blob storage and fetch query details and perform additional checks.
* **get_cdc_version**
Get CDC version
* **get_file_content_subworkflow**
This workflow is used to get the content of the yaml file attached to a CDC incident, alert, or channel.
* **get_query_details**
This workflow is used for getting details about a query.
* **identify_pack_per_query**
This is a sub-workflow for identifying packs' installed status.
* **post_message_cdc**
Post the message on CDC in the channel/alert/incident/thread.
* **prerequisites_fetch**
Fetched the prerequisites for validation and execution of queries
* **schedule_query**
Runs scheduled query from logic app.
* **upload_to_cdc**
Upload query data to the CDC.
* **upload_to_cdc_2**
Upload query data to cdc and display vega chart under graph section of CDC(for 2.7 above version)
* **validate_alert_trigger_condition**
This workflow will find matching queries with specified trigger conditions.
Rules
* **new_alert_listener**
Triggering an automate_query_execution workflow when an alert is created in the CDC.
Sensors
No sensors
Triggers
No triggers
Policies
| Name | Type | Description | Resource | Policy Action | Threshold |
|---|---|---|---|---|---|
| automate_query_execution_policy | action.concurrency | Limits the concurrent executions for automate_query_execution | query_engine.automate_query_execution | cancel | 20 |
Known Issues
No Issues
Was this article helpful?