Product innovation happens at a fast pace at Query. In October, we announced Query Splunk App 2.4. Today, I am excited to announce the next version, Query Splunk App 2.5, which is now available on Splunkbase. This release introduces a major new capability, Federated Detections, along with new views for event and entity investigation and several other improvements.

What is the Query Splunk App?

The Query Splunk App enables you to add any connected data source into Splunk – without increasing ingestion or compute expenses. Query expands Splunk’s data reach with all the data you need, including from data lakes, warehouses, object storage, or any other connected source with security-relevant and observability data to support your Security Data Operations use cases, and more. The Splunk app deploys Query capabilities into Splunk, so you can search data sources not connected to Splunk, see the results as part of your Splunk console search results, and trigger detections without centralizing data. To learn more about the Query Splunk App, go here.

What’s New in Query Splunk App version 2.5?

Here are the new capabilities in this release:

  • Federated Detections: Trigger alerts in Splunk from remote data sources without moving/centralizing the data.

Figure 1: Federated Detections

  • Events Overview and Entity Summary views that make analysts more productive with an interactive interface and the ability to drill down to the underlying data.

Figure 2: Events Overview

Figure 3: Entity Summary

  • The app now shows searchable entities, events, objects, and configured connectors (with the option to add new ones).
  • We made it easy to filter out irrelevant results by connector via a new parameter called exclude_connectors. For example: | queryai search="ip=192.168.1.1" exclude_connectors="vpc_flow_s3, cloudtrail_s3"
  • M2M tokens with client_id and secret have been replaced by API keys.
  • Many additional capabilities were added in the 2.4 release; you can reference them here.

The new Query Splunk App 2.5 release is now available on Splunkbase for Splunk Enterprise, Splunk Cloud Victoria and Splunk Cloud Classic environments. Just click here to get it, and you can view our product documentation here.

Contact us for more details or for help setting it up.