Blogs
February 6, 2025 by Jonathan Rau
Introduction As of January 31st 2025, the latest version of the Open Cybersecurity Schema Framework (OCSF)–version 1.4.0–has been released! The 1.4.0 release represents a very large increment to the schema, and was nearly six months in the making. The schema expanded greatly in this release to include a brand new category and profile, several new […]
January 28, 2025 / February 6, 2025 by Jonathan Rau
Introduction Query SecDataOps operators are standing by with another entry in our Open Cybersecurity Schema Framework (OCSF) mapping series. In this blog, we’ll focus on mapping Amazon Application Load Balancer (ALB) access logs to the OCSF format. OCSF is a standardized schema designed to help organizations normalize and correlate data from different sources, making it […]
November 6, 2024 / October 1, 2025 by Jonathan Rau
Map stuff real good, by the Query SecDataOps Goons Introduction The Open Cybersecurity Schema Framework (OCSF) is an open-source and collaborative effort across the industry to define a vendor- and platform-agnostic schema for security and IT observability data. It has been contributed to by Query, Amazon Web Services (AWS), Splunk, Cisco, CrowdStrike, and several dozen […]
September 25, 2024 / September 26, 2024 by Jonathan Rau
Introduction Amazon Web Services (AWS) Transit Gateway (TGW) is an AWS service that acts as a highly scalable cloud network router. Released in November 2018, TGW allows you to connect many different Amazon Virtual Private Clouds (VPCs), AWS Direct Connect (DX) Gateways, and AWS Site-to-Site VPNs together in a centralized hub. This greatly simplifies hybrid and […]
September 18, 2024 / January 23, 2025 by Jonathan Rau
Introduction The most effective Security Operations (SecOps) teams are those who harness and operationalize their data. This Security Data Operations (SecDataOps) process is long and fraught with pitfalls and dogmatic debates over data repositories, making it far too easy to become stuck and unsure where to progress. The easiest way to start is with Exploratory […]
June 11, 2024 / June 11, 2024 by Jonathan Rau
Today, Query is announcing and making available as an open source tool, Query Open Pipeline (QOP). Query Open Pipeline will initially have support for CrowdStrike Falcon Data Replicator. QOP is an AWS native data mobility solution. It allows CrowdStrike Falcon Data Replicator ETL into the Amazon Security Lake, which provides automatic partitioning, format conversion, and […]
March 11, 2024 / March 12, 2024 by Jonathan Rau
Partitioning your data is one of the most important things you can do to improve the query performance of your data lake in Amazon S3. When building tables in AWS Glue Data Catalog and querying with Amazon Athena, as your data volumes grow, so do your query wait times. In this blog you will learn how […]
February 19, 2024 / May 2, 2024 by Jonathan Rau
Data exhaust is increasing exponentially, and the variety and volume of this data have shown no indication of slowing down. Even the lowly Ubuntu OS or a simple containerized workload running in Kubernetes can produce all sorts of user, system, infrastructure, authentication, and networking logs. This data increase necessitates that security teams become SecDataOps teams. By using […]
November 14, 2023 / November 6, 2024 by Jonathan Rau
Public cloud and networking make for odd bedfellows. Cloud networking is not just the virtualization of networking. In traditional setups, appliances and network taps are used to monitor traffic, but in cloud environments, this is virtualized, making direct monitoring more complex. At the OSI Layers 1 through 4 you’d be able to directly tap appliances […]