The CrowdStrike Falcon® search engine is a fast and massive search engine for cybersecurity. CrowdStrike® has built the largest searchable threat database in the cybersecurity industry, ingesting more than 100 billion security events a day and indexing 400 million malicious files that can be searched in real time. Through the use of a unique indexing approach, the Falcon search engine enables customers to take advantage of the data to significantly accelerate and improve their malware research capabilities in the security operations center (SOC) and for security professionals in general.
Moving faster than the adversaries and understanding threats in context are key to gaining the tactical advantage needed to defend organizations from today’s sophisticated attacks. The reality for security professionals today is that their research tools are simply too slow. It can take hours or days to understand an attack and take protective action. They have to contend with slow queries, disjointed, incomplete data sets and too many false positives, making it difficult to understand and thwart threats strategically. Search engines have revolutionized the speed at which research is conducted in all other aspects of modern life and the Falcon search engine does the same for cybersecurity.
The Falcon search engine is built on patent-pending, indexing technology. This superior indexing ensures access to more raw data, without compromising content, while still delivering real-time search results. The index is stored in a highly scalable, multi-node, index cluster with a time-frame-based sharding strategy, providing extremely rapid search results based on file content — not just metadata or tags. The unique indexing reduces research times from hours, days or weeks to minutes and milliseconds.
CrowdStrike Falcon MalQuery is the malware search and intelligence component of the Falcon search engine. It has been designed to enable malware researchers, security forensics, incident response, and cyber threat intelligence teams to find historical and related malware samples for further investigation.
Falcon MalQuery is an advanced, cloud-based malware research tool designed to enable security professionals and threat researchers to search a massive collection of malware samples with speed and efficiency. At the core of Falcon MalQuery is a massive, multi-year collection of malware samples that is uniquely indexed for rapid search.
Falcon MalQuery is a cloud-based application that is accessed via the Falcon management console. It is offered as a service and as such, a user needs a valid subscription. A demo of how Falcon MalQuery works in operation is available in the CrowdStrike Tech Center.
The Falcon MalQuery service is focused on speeding up and improving the malware research capabilities in the modern, next-gen SOC. It has been designed to enable and assist a variety of security functions, such as malware research, security forensics, incident response, and cyber threat intelligence.
Falcon MalQuery is a highly efficient search engine that saves security professionals and researchers time by providing instant access to vital information, including:
- Byte sequences or byte pattern combinations including ASCII and Unicode
- YARA-based file/sample lookups across the entire history of samples contained within the sample set — including the ability to download selected matched samples
- Results such as related hashes, malware disposition, file attributes, malware family and adversary attribution with links to appropriate Falcon X Premium™ intelligence reports.
There are a number of key differentiators:
- Speed: Falcon MalQuery is the fastest malware search engine in the security industry — over 250 times faster than other search tools. This is made possible by the patent-pending “n-gram” indexing technology.
- Clarity: Search results come from the largest and most complete collection of malware available in the industry. Falcon MalQuery indexes both a file’s metadata and the actual content within the file to ensure all data is discoverable by the user. Those results are then augmented with threat intelligence so the severity and context of the threat is clear.
- Protection: Faster and more accurate search results enable security professionals to build better protection rules. These rules empower security professionals to quickly pivot and hunt for new threats, while also enabling the deployment of protection rules to other security solutions that you may have at your disposal, ensuring proactive defense against tomorrow’s threats.
Falcon MalQuery supports the following search types:
- Fuzzy searching: This is supported for sequences of bytes or combinations of byte patterns, including ASCII and Unicode strings.
- Exact searches: These are similar to “fuzzy” searches, but validate all results before returning them to the user.
- YARA hunting: This allows users to perform file/sample lookups based on fully featured YARA rules. This feature is orders of magnitude faster than other search engines because it leverages the unique CrowdStrike Falcon search engine index so queries take a few seconds or minutes with Falcon MalQuery, rather than hours with other search engines.
Falcon MalQuery is file-type agnostic and new file types can be added as needed. The file types that are currently indexed include: Composite Document Files (CDF), Compiled Java, Dalvik Dex , Microsoft Word (DOC, DOCX), ELF 32-/64-bit, executables (EXE), EMAIL, HTML documents, Hangul Word Processor File (HWP), Java Archive Data, Windows shortcut (LNK), Mach-0 , PDF, PE32, PE64, Perl script, PowerPoint (PPT, PPTX), Python script, Python byte compiled, Rich Text (RTF), ASCII Text, Microsoft Excel (XLS, XLSX), Shockwave Flash (SWF).
Yes, you do not need to use the CrowdStrike Falcon endpoint protection solution to use Falcon MalQuery. There is a yearly subscription fee and customers can access the service using the Falcon MalQuery app located within the Falcon management console. For information on how to subscribe, call 1.888.512.8906 or contact email@example.com
Falcon MalQuery is licensed on a subscription basis, based upon the number of malware searches performed per month. For more information, please contact us.