Frequently Asked Questions

Security investigations are in our DNA.

Got a question? Get your answer. 

General

Federated search within the Query.AI security investigations platform allows you and your team to see and investigate alerts and potential threats across disparate technologies and cloud, third-party SaaS, and on-prem environments, from a single browser interface. This feature provides your analysts with guided data exploration. It also gives them the ability to ask questions via text, natural language, or Unified Query Language (UQL), so they don’t need to be experts in individual systems—they simply ask questions and get answers.

With the Query.AI security investigations platform, your analysts have the flexibility to investigate across siloed cybersecurity solutions with the simplicity of a single query, written in Unified Query Language (UQL) syntax, which is similar to Splunk Processing Language (SPL). This makes it easy for security analysts of all skill levels to search across all your tools without having to learn the different syntax of each individual tool.

The Query.AI security investigation platform offers an on-demand, API-driven, browser-based architecture that gives you centralized insights from decentralized data across cloud, third-party SaaS, and on-prem environments, including Microsoft Azure, AWS, and Google, among others. As a result, your team can more rapidly, accurately, and cost-effectively complete your cybersecurity investigations, without the hassle or cost of duplicating or transferring data, or ripping and replacing existing technology. Simply point your browser to your data, wherever it lives, and apply the solution’s unified query language (UQL) to simultaneously query your data across multiple platforms.

When you ask an investigation question, like a search on a suspicious IP, here’s what happens next:

  1. The browser sends the question to the Query.AI cloud platform for translation to the relevant platform query languages.
  2. The Query.AI cloud SaaS service translates the query.
  3. The Query.AI cloud SaaS service sends the translated query syntax back to the browser.
  4. The browser initiates multiple connections to the Query.AI proxy, which brokers the connections to the data sources. Then, the Query.AI proxy simultaneously connects to all the relevant platforms using the translated syntax from step 3.
  5. The Query.AI Proxy returns the data to the browser.
  6. The Query.AI solution aggregates the results and formats them in a virtual normalization layer for simple analysis, providing you with a federated view across all your disparate platforms.

The Query.AI platform is optimized to provide low latency and a good user experience. Data access across your data sources is done in parallel and will mirror the latency found in the native platforms. The Query.AI platform leverages intelligent pagination to return the first results as soon as they are available, and updates the results as they come in. For example, if three systems initially returned 100 results each of a dataset that had 3,000 results, the Query.AI platform would show the first combined 300 results and then update the results until all 3,000 were present. This allows you to begin your investigation even when working with a mix of platforms with different data volumes and performance characteristics. For follow-on queries or investigations that drill into existing data, operations are often faster than on the source platforms, because operations are performed on cached data and an additional query to the source platform is not required.
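The six-step flow and the pagination behaviour above are easier to reason about in code. The following is an added example, not Query.AI's own code: three constructed "platforms" with different field names are queried in parallel, each page of results is mapped onto one unified schema (the normalization layer), and the merged view is yielded every time a page arrives, so the first results are usable before the slowest source finishes. A follow-on drill-down is then answered from the cached, normalized results without a second round-trip. Platform names, field names, records and page sizes are all constructed for the illustration.

```python
"""Federated search sketch: parallel per-platform queries, a virtual
normalization layer, and incremental (paginated) result delivery.

Added example, not Query.AI code. Platform names, field names, records and
page sizes below are constructed for illustration.
"""
import queue
import threading
from typing import Dict, Iterator, List

# Constructed mapping from each platform's native field names to one unified
# schema; this is what a "virtual normalization layer" has to know.
FIELD_MAP: Dict[str, Dict[str, str]] = {
    "siem":  {"src_ip": "src_ip", "user_name": "user", "ts": "timestamp"},
    "edr":   {"SourceAddress": "src_ip", "AccountName": "user", "EventTime": "timestamp"},
    "cloud": {"sourceIPAddress": "src_ip", "userIdentity": "user", "eventTime": "timestamp"},
}

# Constructed sample records in each platform's native shape (TEST-NET addresses).
SAMPLE_DATA: Dict[str, List[dict]] = {
    "siem": [
        {"src_ip": "203.0.113.7", "user_name": "alice", "ts": 1},
        {"src_ip": "198.51.100.4", "user_name": "bob", "ts": 2},
    ],
    "edr": [
        {"SourceAddress": "203.0.113.7", "AccountName": "alice", "EventTime": 3},
    ],
    "cloud": [
        {"sourceIPAddress": "203.0.113.7", "userIdentity": "carol", "eventTime": 4},
        {"sourceIPAddress": "203.0.113.7", "userIdentity": "alice", "eventTime": 5},
    ],
}


def normalize(platform: str, record: dict) -> dict:
    """Map one native record onto the unified schema, tagging its origin."""
    unified = {"platform": platform}
    for native, common in FIELD_MAP[platform].items():
        if native in record:
            unified[common] = record[native]
    return unified


def query_platform(platform: str, src_ip: str, page_size: int) -> Iterator[List[dict]]:
    """Stand-in for a platform API: answer a filtered query one page at a time."""
    ip_field = next(k for k, v in FIELD_MAP[platform].items() if v == "src_ip")
    hits = [r for r in SAMPLE_DATA[platform] if r.get(ip_field) == src_ip]
    for start in range(0, len(hits), page_size):
        yield hits[start:start + page_size]


def federated_search(src_ip: str, page_size: int = 1) -> Iterator[List[dict]]:
    """Query every platform in parallel and yield the merged result set each
    time a page arrives, so the caller can start working before the slowest
    platform has finished."""
    pages: "queue.Queue[tuple]" = queue.Queue()

    def worker(platform: str) -> None:
        for page in query_platform(platform, src_ip, page_size):
            pages.put((platform, page))
        pages.put((platform, None))  # sentinel: this platform is exhausted

    threads = [threading.Thread(target=worker, args=(p,)) for p in FIELD_MAP]
    for t in threads:
        t.start()

    merged: List[dict] = []
    active = len(threads)
    while active:
        platform, page = pages.get()
        if page is None:
            active -= 1
            continue
        merged.extend(normalize(platform, r) for r in page)
        yield list(merged)  # snapshot of everything received so far
    for t in threads:
        t.join()


def final_results(src_ip: str) -> List[dict]:
    """Drain the incremental view and return the complete merged result set."""
    view: List[dict] = []
    for view in federated_search(src_ip):
        pass
    return view


def drill_down(cached: List[dict], user: str) -> List[dict]:
    """Follow-on question answered from already-fetched, normalized results,
    with no second round-trip to the source platforms."""
    return [r for r in cached if r.get("user") == user]


if __name__ == "__main__":
    results = final_results("203.0.113.7")
    print(f"{len(results)} normalized events for 203.0.113.7")
    print(drill_down(results, "alice"))
```

With a page size of one, the search for 203.0.113.7 yields four successive snapshots (one per page received) before the four normalized events are complete; the order in which platforms report is not deterministic, which is exactly why a consumer of a federated view should key on the unified fields rather than on arrival order.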

The Query.AI platform does not store or process your data, and does not require Query.AI to access it. With our lightweight architecture, your browser serves as the data hub that connects your disparate security platforms and environments. You can start an investigation by simply pointing your browser to your data, wherever it lives, without transferring or duplicating that data. Control of the data is maintained by the source data store.

The platform uses APIs for direct access to data in the systems where it lives, and helps SOC teams understand data relationships and initiate response actions. Our continually expanding library of integrations across the most widely used enterprise technologies in cloud, third-party SaaS, and on-prem environments gives your team the reach they need to access and gain insights from data anywhere, in real time, in support of their security investigations.

Visit our integrations page to see our broad set of supported products.

We have a comprehensive library of integrations across more than 150 of the most widely used enterprise technologies in cloud, third-party SaaS, and on-prem environments, and we’re adding more every day. You can find our current listing of platform integrations here.

Don’t see a product you need on our integrations list? Based on your needs, we can prioritize support for additional platforms. Please contact Support at support@query.ai.

Yes, Query.AI is a security company, and we take the security of our products and customers very seriously. All our communications are encrypted. Multi-factor authentication (MFA) is enabled by default, and the Query.AI platform supports a number of configurations to meet the needs of even our most security-conscious customers. This includes an option to use an on-prem proxy to broker communications and ensure no data ever passes through the Query.AI cloud.

In addition, the Query.AI platform was built with the concept of privacy-by-design, meaning it is a dataless solution that never accesses, processes, or stores customer data. Instead, the technology facilitates access to customer data through the user’s browser interface. The Query.AI cloud is used to host the application that is loaded into the browser on first connection. In addition, it provides translation services from the user’s question or command to the various platform syntax and API calls needed to execute the action.

The only data Query.AI will ever possess are details about the customer’s users, the platforms to which they are connecting, metadata on the systems (i.e., what type of data is contained within, such as IPs, users, or domains, but NOT the data itself), and the questions or commands customers are initiating. Even the questions / commands are obfuscated so that no sensitive information is sent to the Query.AI platform.

Our REST API integrations with target platforms leverage SSL, which encrypts the network traffic. The Query.AI platform authenticates to the target platforms using their supported authentication methods, such as using a system account password, license key, or token. You can also enable and manage a password vault to store passwords, which is only accessed by the Query.AI Proxy running in your environment.

The Query.AI platform is licensed as an annual subscription, with varying terms to meet our customers’ needs. Our tiered pricing is based on the number of platform users.

Yes, absolutely. Through our proof of concept (POC) process, you can get full access to the Query.AI security investigations platform for 30 days so you can see, firsthand, how the solution can drive efficiencies for your security operations team. We’ll prioritize your success criteria and get you on the path to achieve those outcomes. Request a POC.

The Query.AI setup is very simple, especially when compared to traditional security product deployments. Our product is a browser-based web application: by accessing app.query.ai, our technology is loaded into your browser. The first step after authentication is the configuration of your data platforms. As a prerequisite to deployment, we work with customers to identify the platforms they want to integrate and provide the information they will need to collect for initial setup, which generally consists of credentials and API keys for the various systems. From there, connectivity is validated and initial queries confirm proper data normalization across platforms. After that you’re ready to go. This process can be completed in as little as a day, but generally takes a week or two to coordinate with various teams and stakeholders.

Our customer success team will meet with all of your stakeholders to map out an engagement plan and define milestones and objectives. Your success is our success, and we will work hand in hand with your team to ensure you realize the full potential of our revolutionary platform.

If you need additional product information, or have configuration questions, feature requests, or require troubleshooting help, please contact our support team at support@query.ai.

Your Query.AI Customer Success Manager will be engaging with you regularly throughout the term of your agreement. We don’t believe in last-minute drop-in requests for a contract renewal, so you can expect that we’ll be actively engaged with you well before the contract termination date to discuss the details of your renewal and any additional needs that you have.

Platform Installation And Management

Using multi-factor authentication (MFA) is a best practice for identity verification. When setting up your account, MFA is enabled by default and will require you to set up the MFA token with your preferred MFA authentication app. If preferred, you can disable the use of MFA for your user logins.

You can enable MFA from your organization’s ‘Settings’ page. The Query.AI platform supports any authenticator app that uses Time-Based One-time Password (TOTP), such as Google Authenticator, Microsoft Authenticator, and Okta Verify.

You’ll use your desktop browser to load and manage the application. Supported browsers include Google Chrome and Mozilla Firefox.

The Query.AI platform has a lightweight, browser-based architecture. There are just three concepts to understand for the implementation:

  1. Browser-based management
    You’ll use your desktop browser to load and manage the application.
  2. Query.AI integrations
    By integrating Query.AI with your other security technologies across your ecosystem, you can access the data you need to more quickly, accurately and cost-effectively conduct security investigations. The Query.AI integration drivers authenticate access to your connected tools and then the platform aggregates and normalizes the data, as it is requested.
  3. Query.AI proxy
    The Query.AI proxy handles requests that do not have direct API availability and acts as a broker between your browser and the Query.AI platform. The proxy is delivered as software that runs in a Docker container. The proxy brokers communications between your browser and the data platform. It does not make any connections to the Query.AI infrastructure.

The Query.AI platform is a browser-based solution, meaning only your local browser connects to your data platforms. The Query.AI platform does not directly access your data.

The Query.AI security investigations platform uses Cross-Origin Resource Sharing (CORS) to connect to your data platform’s API server. It’s important to verify that your data platform’s API server has CORS enabled so that it accepts requests from the Query.AI application running in your browser, since the connection originates from the browser rather than from Query.AI.
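The CORS requirement above is easy to verify before onboarding a platform, because a browser applies a fixed set of rules to the preflight response. The following is an added example, not Query.AI's own tooling: evaluate_cors() applies those rules to a set of response headers (allowed origin, wildcard handling, allowed methods and headers, and the credentials flag), and preflight() sends the same OPTIONS request a browser would so the live headers can be fed to it. The APP_ORIGIN value, the header sets and the request header names are assumptions constructed for the example; adjust them to the API you are checking.

```python
"""CORS readiness check for a data platform API that a browser-loaded
application must call cross-origin.

Added example, not Query.AI code. APP_ORIGIN and the header sets below are
assumptions / constructed inputs; verify against your own platform's API.
"""
import urllib.request
from typing import Dict, Iterable, Mapping, Set, Tuple

APP_ORIGIN = "https://app.query.ai"  # assumed origin of the browser-loaded application
SAFELISTED_METHODS = {"get", "head", "post"}  # never need to be listed in Allow-Methods


def _csv(value: str) -> Set[str]:
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def evaluate_cors(headers: Mapping[str, str], origin: str = APP_ORIGIN, method: str = "POST",
                  request_headers: Iterable[str] = ("authorization", "content-type"),
                  with_credentials: bool = False) -> Tuple[bool, str]:
    """Decide from preflight response headers whether a page at `origin` may
    send `method` with `request_headers` to the API. Mirrors the browser's
    rules; returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}

    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "no Access-Control-Allow-Origin header: CORS is not enabled on the API"
    if allow_origin == "*":
        # Browsers reject a wildcard origin on credentialed requests; a wildcard
        # also means any site may read this API's responses.
        if with_credentials:
            return False, "wildcard Access-Control-Allow-Origin cannot be used with credentials"
    elif allow_origin.rstrip("/") != origin.rstrip("/"):
        return False, f"origin {origin} is not allowed (server allows {allow_origin})"

    allowed_methods = _csv(h.get("access-control-allow-methods", ""))
    m = method.lower()
    if m not in SAFELISTED_METHODS and m not in allowed_methods \
            and ("*" not in allowed_methods or with_credentials):
        return False, f"method {method} is not in Access-Control-Allow-Methods"

    allowed_headers = _csv(h.get("access-control-allow-headers", ""))
    wildcard_ok = "*" in allowed_headers and not with_credentials
    for name in (n.lower() for n in request_headers):
        # A wildcard never covers Authorization; it must be listed explicitly.
        if name not in allowed_headers and not (wildcard_ok and name != "authorization"):
            return False, f"request header {name} is not in Access-Control-Allow-Headers"

    if with_credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        return False, "Access-Control-Allow-Credentials must be 'true' for credentialed requests"
    return True, "CORS preflight would succeed"


def preflight(url: str, origin: str = APP_ORIGIN, method: str = "POST",
              request_headers: Iterable[str] = ("authorization", "content-type")) -> Dict[str, str]:
    """Send the OPTIONS preflight a browser would send and return the response
    headers for evaluate_cors(). Needs network reachability to the API server."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(request_headers),
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed preflight responses for offline use.
GOOD_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.query.ai",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Vary": "Origin",
}
NO_CORS_HEADERS = {"Content-Type": "application/json"}
WILDCARD_HEADERS = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*"}


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("no-cors", NO_CORS_HEADERS), ("wildcard", WILDCARD_HEADERS)):
        print(label, evaluate_cors(hdrs))
```

The wildcard case is worth noting: an API that answers `Access-Control-Allow-Headers: *` still fails a request that carries an Authorization header, because browsers require that header to be listed by name, so an integration authenticating with a token may break on a platform that looks permissively configured.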

The integration drivers are the connections to the data sources in your environment. As an administrator of the Query.AI platform, you have full access to set up as many integration drivers, as needed, for your organization.

  • To access the configuration, click the hamburger menu icon in the upper right corner of the application.
  • Select ‘Connections & Administration.’
  • Select the ‘Connection & Administration’ button.
  • Select the + icon to the right of ‘Platform Instances.’
  • Select the driver you want to configure. You can simply type in the ‘Pick Platform’ field to begin your search.
  • Each technology integration has a ‘Help’ section to guide you through the setup process. If you need assistance, please contact our support team at support@query.ai.

Users with privileges for creating and sharing workflows with others in the company can follow these options:

OPTION 1: You can select the desired workflows from your personal library. Click the ‘share’ button and choose to ‘share within your company.’ Users who are employees and have access to your data platform will automatically see the shared workflows. If you are the designated author, you can also share from one of your scheduled directories. For example, if you want your boss or other employees to have particular workflows run automatically upon login, you can select and share those from your ‘Scheduled Upon My Login’ menu.

OPTION 2: If you want to share different workflows with specific users, you can select those workflows, click the ‘export to file’ button, and then email that file to your desired set of users.

Manage Users

Every organization has one or more designated administrators who can add new users within the licensed limits. You only need the user’s name and email address to add a user to your account. To add additional users beyond the scope of your current licenses contact your Customer Success Manager.

To represent organizational roles and create a hierarchy of sub-organizations, use the button in the ‘Connections and Administration’ menu. Add the emails of the relevant users in each sub-organization. (NOTE: It is also okay to add the same user to multiple sub-organizations. The user will have the ability to see and switch between their multiple roles.)

Next, for each role-based sub-organization hierarchy, add the relevant platforms that the specific role needs to access. Additionally, if you want to leverage the RBAC for a target platform, connect the platform via a service account that is reflective of that role’s access. Alternatively, if users have a direct account in a target platform, leave the service account empty and the end user will be prompted for their individual direct account when connecting to that platform.

The Query.AI security investigations platform supports SSO using SAML 2.0 (Security Assertion Markup Language), an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, called an Identity Provider, and a SAML consumer, called a Service Provider, such as Query.AI.
Our SAML integration supports SHA256 and SHA1 certificates. We recommend using SHA256 certificates to benefit from the stronger hash algorithm.

To enable SSO, your Query.AI platform admin can click on the ‘Connections & Administration’ menu. Once inside the organization settings page, your admin can click on ‘enable_sso’ and change the value to ‘true’. The admin should fill in the SSO details from the metadata provided by your identity provider (IdP).

Attributes that the IdP should pass to identify a principal: ‘email’ (the email address of the principal) and ‘lic’ (optional and not a common scenario; use it only if you have a pre-provisioned license key assigned for the user).
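When wiring up an IdP it helps to look at what it actually sends before turning ‘enable_sso’ on. The following is an added example, not Query.AI's own code: it parses a constructed SAML response, reports the signature and digest algorithms declared in it (so an IdP still signing with SHA-1 is visible), and extracts the ‘email’ and ‘lic’ attributes from the AttributeStatement. The IdP URL, IDs and attribute values in the sample are constructed, the SignatureValue is a placeholder, and the code does not verify the signature (that remains the job of the Service Provider's SAML library); it is a configuration sanity check only. Note also that the signature algorithm of the assertion and the signature algorithm of the IdP's certificate are separate properties.

```python
"""Inspect a SAML 2.0 response: declared signature/digest algorithms and the
attributes the IdP passes for the principal.

Added example, not Query.AI code. The response below is constructed; its
SignatureValue is a placeholder and no signature verification is performed.
For untrusted XML in production, prefer defusedxml over the stdlib parser.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (IdP URL, IDs and subject are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_constructed-assertion">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_saml_response(xml_text: str) -> Dict[str, object]:
    """Return the declared algorithms, the passed attributes and a list of
    findings (SHA-1 in use, missing signature, missing 'email')."""
    root = ET.fromstring(xml_text)

    # Every SignatureMethod / DigestMethod anywhere in the document.
    algorithms: List[str] = [
        e.get("Algorithm", "")
        for tag in ("SignatureMethod", "DigestMethod")
        for e in root.iter(f"{{{NS['ds']}}}{tag}")
    ]
    findings: List[str] = []
    if not algorithms:
        findings.append("no XML signature found in the response")
    findings += [f"SHA-1 based algorithm in use: {a}" for a in algorithms if a.lower().endswith("sha1")]

    # Attributes from every AttributeStatement; single values are unwrapped.
    attributes: Dict[str, object] = {}
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values[0] if len(values) == 1 else values
    if not attributes.get("email"):
        findings.append("required attribute 'email' is missing or empty")
    if "lic" in attributes:
        findings.append("optional attribute 'lic' present: pre-provisioned license key expected")

    return {"algorithms": algorithms, "attributes": attributes, "findings": findings}


if __name__ == "__main__":
    report = inspect_saml_response(SAMPLE_RESPONSE)
    print("algorithms:", report["algorithms"])
    print("attributes:", report["attributes"])
    print("findings:", report["findings"] or "none")
```

Run against a real response captured from your IdP's test login, the findings list should be empty; a SHA-1 finding means the IdP's signing configuration should be moved to SHA256 before relying on it.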

Platform-specific integration authorization credentials, such as API access keys / tokens, can be manually set by your admin in the Query.AI RBAC group via the attribute named ‘connection’, with its value in the format {"platform_alias": {"token": "SAMPLE_TOKEN_VALUE"}}. Note that such access keys / tokens will have to be manually updated by your admin periodically upon expiration, so make sure to set long-term expirations for those keys / tokens in the integrated technology platforms.

Your organization administrator(s) can remove account access to an organization via “Connections and Administration” within the platform. As credential access to connected platforms is managed by Query.AI, users will not be able to access native platforms using the same credentials after being removed from the organization.

The Query.AI platform is licensed by the number of users an organization would like to have access to the product. Your user limit is set based on the number of users you have licensed. If you are a current customer and wish to increase your license limit, please contact your Customer Success Manager.

Troubleshooting

If you are having log-in issues, please contact our support team at support@query.ai.

You can use the playback controls to troubleshoot your workflows. This will let you pause and move forward, step-by-step, to identify where something is going wrong. Please contact our support team at support@query.ai if you need additional help.

You can raise an issue and upload the proxy logs and debug files to our log upload servers using either of these methods:

  1. Uploading logs when on the COMMAND tab
    • Click on the ‘Contact Support’ option under the IRIS > action menu at the bottom left.
    • Select ‘Bug/Feature Request’ and fill in the description box with information on the issue for which the logs are being uploaded.
    • Make sure the ‘Auto Upload Proxy logs’ checkbox is checked.
    • Attach additional files by clicking on the button, then click on ‘Submit.’
    • Your proxy logs will be uploaded to the Query.AI debug server. It is also suggested that you upload the complete console logs by following the steps in the ‘How to attach console logs’ section below.
  2. Uploading logs from the Help section under ‘Options’ in the top right corner
    • Click on Help Support > ‘Report an Issue.’
    • Provide a ‘Bug/Feature Request Description’ for the issue that you are facing.
    • Attach additional files by clicking on the button.
    • Make sure that the ‘Auto Upload Proxy logs’ checkbox is checked and click Submit.

On Firefox

  • Open your browser console by pressing ⌘+⇧+J (Ctrl+Shift+J on Windows), or right-click the page and select Inspect > Console.
  • Right-click in the console message area.
  • Select Export visible messages to > File.

On Chrome

  • Open the browser console by pressing ⌥+⌘+I (Ctrl+Alt+I on Windows), or right-click the page and select Inspect > Console.
  • Right-click in the console message area.
  • Select ‘Save as…’.
  • Save the file to your system and upload it using the ‘Upload additional files’ option.