Introduction

Query Federated Security provides Security Operations (SecOps) teams and other observability, operations, and security teams with visibility and utility by bringing analytics, detections, search, and query translation to their data. Query Federated Security has over 45 Connectors as of this writing and we are continuously adding more to best serve our customers and stay ahead of the curve.

Security tools change quite often: they deprecate APIs and add new ones. They add better ways to get at the data remotely – sometimes via asynchronous APIs, pagination, or better filtering – and sometimes they quietly deprecate or add fields in existing APIs. Nearly every security and observability SaaS company deals with these issues, but to bring Federated Security to the people, we are laser-focused on ensuring we don’t fall behind changing capabilities and deprecations.

In our world, we are constantly tuning our connectors to deliver maximum customer value. We’ve just pushed updates to the CrowdStrike Falcon API Connector and have completely rewritten and refactored our Broadcom Carbon Black Cloud and JAMF Pro Connectors as well. We have many more on the docket for improvement and are always looking to add new high-value features. 

If you want to take control of your data and execute your duties without moving data, translating data, or surfing across 10 different tabs to triage, manage incidents, create security analytics, author detections, or move bulk normalized data: book a demo and see for yourself. Do you dare look upon the truth?


CrowdStrike Falcon API

Check out our docs here: https://docs.query.ai/docs/crowdstrike-falcon-connector#/

CrowdStrike Falcon API is the Query Federated Security Connector that allows you to query numerous datapoints from the Falcon APIs without having to move the data out of CrowdStrike. Query Federated Security never duplicates or persists your data; it is a completely different paradigm, unlike XDRs or Detection-as-Code tools that require you to take the legacy SIEM-centric approach of centralization.

CrowdStrike is one of the most popular Connectors we have, and is very much a “flagship” Connector. Nearly 80% of our customers and prospects are using CrowdStrike as their EDR and an increasing number of them are also expanding their usage of Query to branch out to other SKUs in the CrowdStrike ecosystem, such as Identity Protection and Spotlight (for host-based vulnerability management).

To that end, we have uplifted this Connector to support streaming of results. We implemented pagination on the Falcon API endpoints and have refactored our CrowdStrike Query Language (CQL, sometimes called Falcon Query Language [FQL]) translation to be even more performant and precise. Now, instead of getting only a maximum of 2500 results (or whatever the single-page maximum was per API), you can retrieve several tens of thousands depending on your use case. We have other work on our backend that will further increase the speed of this operation, yielding batches from the stream in real time instead of waiting for it to finish.

As mentioned, we added support for the Identity Protection and Spotlight SKUs in CrowdStrike. You can now perform analytics, write detections, and execute federated search against the following APIs:

For APIs that are “two-piece,” meaning you need to submit queries with filters to retrieve canonical IDs and then retrieve details by IDs, we have that functionality fully implemented. Additional changes introduced a lot of performance tuning, such as streaming, query translation, and other changes to make it faster and more efficient for your users.

We have also completely overhauled our mappings to OCSF 1.4.0, with some selected OCSF 1.5.0 upgrades, such as using the new Assessments OCSF Object for normalization of Zero Trust Assessments. This is a totally transparent change that provides more usable information for investigations, triage, escalations, hunting, and detections. This includes Hosts, Alerts, Detects, and Incidents.

We have also expanded our Entity support to add new ones, such as Resource Name and Serial Number, which appear in certain APIs. This allows for more straightforward searching based on data points users may be more familiar with.

Furthermore, we have added Behaviors into Incidents and normalized a lot more data thanks to customer feedback, as certain Incidents created by Falcon attach deep metadata about impacted devices (stored in the Hosts array). To wrap all of the changes together, we’ve implemented a novel way to apply filters that the Falcon APIs do not support by fetching some extra data where it makes sense to.

Typically in the CrowdStrike Falcon API, retrieving Incidents and their linked Behaviors (e.g., process snapshots, file names, etc.) presents a challenge because they are implemented across 4 API endpoints and the filters are not fully featured. To enable customers to get the most out of this data, we allow you to emulate filters at the expense of some delay to batch all of this data together, meaning you can push down filters from the Incident Finding event class that would normally only be available in Behaviors. Natively, you cannot submit FQL queries on the data in Behaviors, such as pulling a specific PID or SHA-256 hash; our filter emulation allows for this and more from the normalized parent Incident.
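The two-piece fetch (query for IDs, then hydrate details by ID) and the post-hoc filter emulation described in the two passages above, as an added illustration that is not Query’s or CrowdStrike’s code. The API calls are replaced by constructed in-memory stand-ins so it runs offline; the page sizes, field names and sample records are assumptions, not real Falcon API shapes.

```python
"""Two-piece fetch with pagination plus post-hoc filter emulation over a
constructed, in-memory stand-in for an Incidents/Behaviors API."""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample data: 7 incidents, each linked to one behavior.
INCIDENTS: Dict[str, dict] = {
    f"inc:{i}": {"incident_id": f"inc:{i}",
                 "status": "open" if i % 2 else "closed",
                 "behaviors": [f"beh:{i}"]} for i in range(7)
}
BEHAVIORS: Dict[str, dict] = {
    f"beh:{i}": {"behavior_id": f"beh:{i}", "pid": 1000 + i,
                 "sha256": ("aa" if i % 3 == 0 else "bb") * 32} for i in range(7)
}

def query_incident_ids(status: Optional[str], offset: int, limit: int) -> Tuple[List[str], int]:
    """Stand-in for the 'queries' half: native filter on status only,
    returns one page of IDs plus the total matching count."""
    ids = [k for k, v in INCIDENTS.items() if status is None or v["status"] == status]
    return ids[offset:offset + limit], len(ids)

def get_entities(store: Dict[str, dict], ids: List[str]) -> List[dict]:
    """Stand-in for the 'entities' half: details for a batch of IDs."""
    return [store[i] for i in ids if i in store]

def stream_incidents(status: Optional[str] = None, page_size: int = 3,
                     emulated: Callable[[dict], bool] = lambda _: True) -> Iterator[dict]:
    """Page through IDs, hydrate each page, attach Behaviors, then apply the
    emulated predicate (one the native filter cannot express) post-hoc."""
    offset = 0
    while True:
        ids, total = query_incident_ids(status, offset, page_size)
        if not ids:
            return
        for inc in get_entities(INCIDENTS, ids):
            inc = dict(inc, behaviors=get_entities(BEHAVIORS, inc["behaviors"]))
            if emulated(inc):
                yield inc
        offset += len(ids)
        if offset >= total:
            return

def incidents_with_hash(sha256: str, status: Optional[str] = None) -> List[str]:
    """Emulated filter: incidents whose Behaviors include the given SHA-256,
    a field the native (status-only) filter cannot reach."""
    pred = lambda inc: any(b["sha256"] == sha256 for b in inc["behaviors"])
    return [i["incident_id"] for i in stream_incidents(status, emulated=pred)]
```

The native filter narrows the ID query, and only the hydrated batch is filtered locally, which is the delay the text refers to.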

All these changes together greatly improve security outcomes around utilizing your CrowdStrike Falcon data. This is some of the richest EDR data out there, but it can be burdensome to learn all of the intricacies and the required query language. We take care of all of that for you! Our work is not done, so if you are using other SKUs such as CSPM or Container Vulnerabilities, or otherwise, reach out to us at product@query.ai so we can get to work.

Likewise, you should also consider checking out our CrowdStrike Falcon LogScale Connector which allows you to model any data in any Repository into OCSF and search it alongside our 40+ other Connectors.


Carbon Black Cloud

Check out our docs here: https://docs.query.ai/docs/carbon-black-cloud#/

Broadcom acquired Carbon Black via the VMware acquisition several years ago. At one point largely considered one of the best EDRs in the industry, Carbon Black has undergone a lot of changes of ownership and changes of capabilities, but it still remains a workhorse. We have several customers and prospects who still make great use of Carbon Black and, as such, we decided to completely rewrite the Connector to bring it up to snuff.

We support the following APIs; check out the docs for how we normalized them:

  • Search Devices
  • Search Alerts
  • Observations (Network and Process)
  • Process Query
  • Host Vulnerabilities (by Device)

Along with the above, we have implemented a Lucene query translation utility in our product that takes your OCSF-based queries and translates them into Lucene, which Carbon Black uses for a lot of their APIs. For APIs without Lucene support, we have implemented every native filtering capability and carried forward the ability to emulate filters by oversampling data and applying filters post-hoc. Again, emulation comes at a minimal performance cost but allows you to query on data that Carbon Black’s API specifications do not otherwise allow for.

Likewise, we support pagination and streaming for all supported endpoints, allowing you to collate a greater amount of data relevant to your use cases. We have also implemented the ability to query against the Observations and Process API endpoints to retrieve low-level process and event info from hosts implicated in alerts or vulnerability data. Using our Entity-based search with a Resource ID (machine ID) or hostname, you can reliably get at, filter, and pivot across all of the data available in Carbon Black EDR depending on your license.


JAMF Pro

Check out our docs here: https://docs.query.ai/docs/jamf-pro#/

JAMF Pro is a comprehensive mobile device management (MDM) solution designed to automate Apple device management across an organization. It enables IT administrators to deploy, manage, and secure Mac computers, iPads, iPhones, and Apple TVs from a centralized console. JAMF Pro provides detailed inventory information on both computers and mobile devices, including hardware specifications, installed software, security status, and compliance with organizational policies.

Recently, the Classic APIs have been completely deprecated in favor of the Pro APIs. This led us to also completely refactor the Connector to make use of Pro APIs and leverage all of the aforementioned improvements, such as adding better query translation, pagination, streaming, as well as filter emulation and brand new OCSF normalizations.

We support the Computer Inventory Records and Mobile Device Inventory Records APIs. We normalize different data points to the OCSF event classes that best match, since not every OCSF event class supports every data point (Attributes or Objects). Refer to the linked documentation above for more details on how this is normalized.

JAMF Pro is very much an enrichment-focused source; however, you can reliably use the Connector for audit and GRC engineering use cases, e.g. checking the FileVault status of specific assets or generating an inventory of OS versions in your environment. When used in conjunction with an EDR like Carbon Black Cloud or CrowdStrike Falcon, and our SIEM or Log Management Connectors such as Splunk or Datadog, you can correlate and collate all of this data together. This should vastly improve triage outcomes, especially when using the JAMF Pro data to suss out criticality and decide whether an incident should be created or an escalation executed.


Conclusion

Staying ahead in modern security operations means continuously evolving alongside the tools and APIs that power them. With our updates to the CrowdStrike Falcon, Carbon Black Cloud, and JAMF Pro Connectors, Query Federated Security brings faster performance, deeper normalization, and smarter search capabilities, letting you work directly on your data without the drag of centralization.

Whether you’re enhancing triage, writing detections, or driving GRC use cases, these Connector improvements help security teams do more, faster. If you’re ready to see the impact for yourself, book a demo and experience the power of modern federated search. Your security data deserves nothing less.

All for now…

Stay Dangerous