Introduction
The Query Builder is designed to simplify data exploration and strengthen threat detection. It lets Security Operations Center (SOC) teams explore their event data through a form-based interface, building structured queries and aggregations for threat hunting, analysis, detection rule configuration, and more.
What is the Query Builder?
The Query Builder is designed for those who want a simplified approach to querying data without requiring expertise in structured query languages such as SQL. With an easy-to-use form, the Query Builder enables the extraction of critical insights that aid in threat detection, analysis, and customization of dashboards for a comprehensive view of security operations.
Embracing the future with the Query Builder
The Query Builder isn’t just a standalone feature; it serves as the foundation for a variety of upcoming tools and enhancements within the Sekoia SOC Platform. One of the most significant developments will be the creation of custom dashboards, giving users the ability to curate personalized views to monitor their security teams, showcase achievements, and gain a deeper understanding of their operations.
How to leverage the Query Builder?
Several key use cases that benefit SOC teams illustrate the flexibility of Query Builder:
1. Extracting key analytics
For SOC Managers seeking data-driven insights, the Query Builder makes it easy to extract the analytics that support decision-making. For instance, listing every hostname that sent events in the last 30 days gives a concrete inventory of the monitored perimeter, which is the basis for assessing detection costs and checking that coverage matches what was intended.
“I want to list all hostnames monitored in the last 30 days to assess our detection costs/perimeter.”
2. Threat hunting made effortless
SOC Analysts can use the Query Builder to sift through large volumes of logs and surface anomalous patterns. Aggregating events over a chosen timeframe (for example, authentication events per user over the last 24 hours) highlights accounts whose activity departs from the norm, so that the investigation can then drill down into the raw events of a single suspicious username.
“I want to monitor user connections in the last 24 hours and look for unusual behaviors. Then I want to list events for a suspicious username.”
3. Fine-tuning detection rules to reduce false-positives
Crafting efficient detection rules is essential for SOC Analysts. By using the Query Builder to list the applications observed on each host, an analyst can build an allowlist of known-good applications to exclude from a rule, which significantly reduces false-positive alerts and leaves more analyst time for genuine threats. One caveat applies: anything already running when the baseline is taken ends up on the list, so the list should be reviewed before it is registered in the rule.
“I want to list applications by host used in the last 7 days. Then I will register a whitelist of applications in the detection rule.”
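The three use cases above are all aggregations over a time window. To make the underlying logic concrete, here is an added example, not Sekoia code and not the Query Builder itself, that reproduces the three queries in plain Python over a constructed batch of events. The field names (host.name, user.name, event.category, process.name) follow ECS-style conventions and are assumptions; the sample events, the reference time and the outlier rule (flag a user whose logon count is at least 10 and more than 5 times the median) are constructed for illustration.

```python
"""The three Query Builder use cases expressed as aggregations over constructed
sample events (added example; field names and data are assumptions)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Fixed reference time so the window filters are deterministic.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


def _evt(ts, host, user, category, process=None):
    """Build one ECS-like event (constructed, not real telemetry)."""
    return {"@timestamp": ts.isoformat(), "host.name": host, "user.name": user,
            "event.category": category, "process.name": process}


def build_sample_events(now=NOW):
    """Constructed sample telemetry covering the three scenarios."""
    events = []
    # Normal interactive logons spread over the last 12 hours.
    normal = [("alice", "ws-01"), ("alice", "ws-01"), ("alice", "ws-02"),
              ("bob", "ws-02"), ("bob", "ws-02"),
              ("carol", "ws-03"), ("carol", "ws-03"), ("carol", "ws-03"), ("carol", "ws-03"),
              ("dave", "ws-01"), ("dave", "ws-01"), ("dave", "ws-03")]
    for i, (user, host) in enumerate(normal):
        events.append(_evt(now - timedelta(hours=1 + i), host, user, "authentication"))
    # One account authenticating 40 times in under 3 hours: the outlier a hunter wants surfaced.
    for i in range(40):
        events.append(_evt(now - timedelta(minutes=5 + 4 * i), "srv-db-01", "svc-backup", "authentication"))
    # Older logons: one inside 30 days but outside 24 h, one beyond 30 days.
    events.append(_evt(now - timedelta(days=12), "ws-04", "erin", "authentication"))
    events.append(_evt(now - timedelta(days=45), "ws-old", "frank", "authentication"))
    # Process executions over the last 7 days, plus one older than 7 days.
    procs = [(1, "ws-01", "alice", "outlook.exe"), (2, "ws-01", "alice", "excel.exe"),
             (3, "ws-01", "dave", "outlook.exe"), (1, "ws-02", "bob", "chrome.exe"),
             (5, "srv-db-01", "svc-backup", "sqlservr.exe"),
             (2, "srv-db-01", "svc-backup", "powershell.exe"),
             (9, "ws-02", "bob", "teams.exe")]
    for days, host, user, proc in procs:
        events.append(_evt(now - timedelta(days=days), host, user, "process", proc))
    return events


def within(events, window, now=NOW):
    """Keep events whose timestamp falls in [now - window, now]."""
    start = now - window
    return [e for e in events if start <= datetime.fromisoformat(e["@timestamp"]) <= now]


def hostnames_last_days(events, days=30, now=NOW):
    """Use case 1: distinct hostnames seen in the last N days (monitored perimeter)."""
    return sorted({e["host.name"] for e in within(events, timedelta(days=days), now)})


def connections_per_user(events, hours=24, now=NOW):
    """Use case 2a: authentication events per user over the last N hours."""
    recent = within(events, timedelta(hours=hours), now)
    return Counter(e["user.name"] for e in recent if e["event.category"] == "authentication")


def suspicious_users(counts, factor=5, min_events=10):
    """Use case 2b: crude outlier rule, at least min_events and > factor x median."""
    if not counts:
        return []
    med = median(counts.values())
    return sorted(u for u, c in counts.items() if c >= min_events and c > factor * med)


def events_for_user(events, username, hours=24, now=NOW):
    """Use case 2c: raw events for one username, oldest first, for the drill-down."""
    recent = within(events, timedelta(hours=hours), now)
    return sorted((e for e in recent if e["user.name"] == username), key=lambda e: e["@timestamp"])


def applications_by_host(events, days=7, now=NOW):
    """Use case 3: distinct process names per host over the last N days (allowlist seed)."""
    apps = defaultdict(set)
    for e in within(events, timedelta(days=days), now):
        if e["event.category"] == "process" and e["process.name"]:
            apps[e["host.name"]].add(e["process.name"])
    return {host: sorted(names) for host, names in sorted(apps.items())}


if __name__ == "__main__":
    evts = build_sample_events()
    print("hosts, 30 d:", hostnames_last_days(evts))
    counts = connections_per_user(evts)
    print("logons per user, 24 h:", dict(counts))
    for user in suspicious_users(counts):
        print(f"suspicious: {user}, {len(events_for_user(evts, user))} events to review")
    print("applications by host, 7 d:", applications_by_host(evts))
```

The outlier rule is deliberately simple; in practice the threshold would be tuned against the tenant's own baseline, and the allowlist returned by applications_by_host should be reviewed before it is registered in a rule, since it faithfully includes whatever was running during the baseline window.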
Getting Started
The Query Builder is available in public beta. For those who would like to explore its capabilities, our interactive demo walks through aggregating events with the Query Builder and shows how insights can be extracted through the form-based interface.
The Query Builder within the Sekoia SOC Platform is a significant step forward for threat detection, data analysis, and the overall effectiveness of SOC teams. Explore your data with the Query Builder by checking out our documentation. We welcome and value your feedback, so don’t hesitate to share your thoughts!