How to Search All Your Security Tools with One API Call
While working with SOC teams over the past 5 years to help them set up their SIEMs, I’ve watched a company’s desire to do as much as possible via APIs grow quickly. During the first few calls with a new customer, one of the questions I would undoubtedly get is, “Can we do all of this via the API as well?”
As organizations gain more security engineers to help support the analyst team, APIs are becoming more critical than ever. And you can double down on that notion as more security tools than ever before are SaaS based.
Naturally, on my second day on the job at Query.AI, I decided to dig into our APIs. Query.AI is a simple use case with a lot of horsepower behind the scenes. It essentially allows you to search on data from any/all of your security tools, at once, to aggregate and perform enrichments. So, the Query.AI API integrations act as a proxy to ALL of your security APIs.
The most common use case would be doing a federated search to simultaneously investigate across your security tools. This allows you to specify a query, set of security tools to hit, and a time window to search on. Here is an example script that an engineer could use: https://github.com/tdiderich/queryai/blob/main/search/search.py
When you initiate your search, the script above is essentially doing three things…
- Starting the search based on the query, APIs, and time window
- Checking every 5 seconds to see if the search is complete
- Returning the aggregated and normalized results of the search, once available
Behind the scenes, Query.AI is doing this…
- Taking the search and converting it to the proper format for each platform specified ex. Splunk, Elastic, and CrowdStrike
- Reaching out to their APIs to get the results
- Aggregating them and providing those results as the API response
So, with one question, you’re able to search across all of your integrated tools at once, get aggregated results, and rinse and repeat with all of my various use cases. Simple.