Sevco Security Shorts: Queries

These last few weeks as you’ve seen, we’ve been releasing a series of videos from Chief Strategy Officer, Brian Contos, highlighting how Sevco’s 4D Asset Intelligence platform works, and how organizations can use it to better understand their IT environment. We call them Sevco Security Shorts. 

Now, we’re posting this transcripts of this series for those that would prefer to read the content.

Hey, everybody. Today, we’re going to talk about queries and using queries for automated actions and reports. 

So as we can see here, we have 14,781 devices. I want to reduce this view with a very simple query to say, “Give me any source where the attribute of that source is equal to a tag.” And that tag happens to be North America West. I apply that and now we drop from 14,000 plus devices to 31 devices. 

Interestingly enough, none of those devices happen to be running Malwarebytes. Well, let’s do something a little bit more sophisticated. 

So now I’m going to create a grouped query. So I’m going to say, the source is actually “equal to CrowdStrike”. The attribute is “last activity”, “is on or before.” And for the value, I can select the specific date or time, or I’m just going to say, “14 days ago.” And I’m going to nest this with another group.

This is also going to be CrowdStrike. And, in this case, I’m going to say, “CrowdStrike’s agent version simply doesn’t exist.” It’s not there. And very important, I’m going to change this logic from “And” to “Or”. 

I’ll run this query and now we’ve dropped down to 5,376 devices. Well, maybe even further, I just want to look at Windows 10 Enterprise. So I’m going to come into my OS filter, select that, and now here’s 180 devices that I care about because maybe there’s a new vulnerability that’s related to these devices. And I see all my systems where they’re not installed, systems where it’s been 14 days ago since the last communication, 15 days ago, 20 days ago, so on and so forth. So pretty valuable information.

Now, I can further go into these queries and I can create actions. And this is what’s really cool. I can go ahead and have a query result emailed to me, and I can select when I’d like that to be emailed out. Maybe it’s every day, maybe it’s every Sunday, Monday, Tuesday, whatever I’d like to do. I can also have these query results added to a daily report to just show me what the latest status is, and I can tag these. 

So just like we saw the North America West tag, I can put a tag here that says, “Install CrowdStrike agent.” That simple. Now, why is that really cool? 

Well, there’s integration here. So this system has integrations with ServiceNow and SIEM solutions and SOAR solutions. So you can use this for location tagging, operational policy, even workflow.

So, for workflow, by tagging it with this, “Install CrowdStrike agent”, it’s only going to pop up in these devices if it meets this criteria. So if we have 180 devices and one of them has been fixed, it’s going to drop down to 179 devices because now that criteria is no longer there. 

So that’s real workflow monitoring and, again, that can be tied to your different configuration systems. It’s a great way to manage by exception and across the entirety of your devices you know exactly which ones you need to look at now and that can be integrated with your solutions that are being used for ticketing and case management.

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.


Share This Post: