Use Case
Hunting Current & Historical EDR Data Across Security Operations
The Problem
Endpoint Detection and Response (EDR) is a key control for strong security operations, but…
EDR systems create approximately 25GB of data per 1000 employees per day.
Putting all of this data in a SIEM can cost $40-100k per 1000 employees a year.
Attempting to filter or transform the data is time consuming and can result in missing data.
Current and historical EDR data is valuable for many security operations activities, such as event & incident investigation, threat hunting, and incident response. When security data is hard to reach, analysts and security operators are less likely to make use of it when they need it most.
The Solution
With one search bar to simultaneously search current and archived EDR data, Query can deliver answers from EDR data wherever it is already stored. Our federated search for security solution:
Gives you control over where and how EDR data is stored. Save money by archiving data to low-cost cloud storage — reducing cost.
Enriches answers with context from other distributed security relevant data without needing to move or transform data ahead of time — increasing visibility.
Visualizes data linkage and context to quickly orient and act — reducing operator fatigue.
Quickly pivots from one question to the next — reducing time to investigate and respond to minutes instead of hours.
Industry Feedback
“Before Query, our security team only had 14 days of live EDR data. Accessing and searching historical data required provisioning access to AWS S3 buckets and writing complex queries manually. Now the entire team can search all security data from one search box in seconds, without thinking about where the data is stored or how to write queries.”
– Director of Security Operations — Software Company
