CrowdStrike Falcon MalQuery FAQ

What is the Falcon Search Engine?

The CrowdStrike Falcon Search Engine is the fastest and largest search engine for cybersecurity. CrowdStrike has built the largest searchable threat database in the cybersecurity industry, ingesting more than 100 billion security events a day and indexing 400 million malicious files that can be searched in real time. Through the use of a unique indexing approach, the Falcon Search Engine enables customers to take advantage of the data to significantly speed up and improve their malware research capabilities in the Security Operations Center (SOC) and for security professionals in general.

Why has CrowdStrike launched the Falcon Search Engine?

Moving faster than the adversaries and understanding threats in context are key to gaining the tactical advantage needed to defend organizations from today’s sophisticated attacks. The reality for security professionals today is that their research tools are simply too slow. It can take hours or days to understand an attack and take protective action. They have to contend with slow queries, disjointed and incomplete data sets, and too many false positives, making it difficult to understand and thwart threats strategically. Search engines have revolutionized the speed at which we do research in all other aspects of our lives, and the Falcon Search Engine does the same for cybersecurity.

How does Falcon MalQuery relate to the Falcon Search Engine?

CrowdStrike Falcon MalQuery is the malware search and intelligence component of the Falcon Search Engine.

What is Falcon MalQuery?

Falcon MalQuery is an advanced, cloud-based malware research tool designed to enable security professionals and threat researchers to search a massive collection of malware samples with speed and efficiency. At the core of Falcon MalQuery is a massive, multi-year collection of malware samples that is uniquely indexed for rapid search.

How do I use Falcon MalQuery?
Falcon MalQuery is a cloud-based application that is accessed via the Falcon management console. It is offered as a service, and as such a user needs a valid subscription. A demo of how Falcon MalQuery works in operation is available in the CrowdStrike Tech Center.

Who would use Falcon MalQuery?

The Falcon MalQuery service is focused on speeding up and improving the malware research capabilities in the modern, next-gen SOC. It has been designed to enable and assist a variety of security functions, such as malware research, security forensics, incident response, and cyber threat intelligence.

What information does MalQuery output to a user?

Falcon MalQuery is a highly efficient search engine that saves security professionals and researchers time by providing instant access to vital information, including:

- Byte sequences or byte pattern combinations, including ASCII and Unicode
- YARA-based file/sample lookups across the entire history of samples contained within the sample set, including the ability to download selected matched samples
- Results such as related hashes, malware disposition, file attributes, malware family and adversary attribution, with links to appropriate Falcon Intelligence™ reports

How is Falcon MalQuery different from other tools and solutions for researching malware?

There are a number of key differentiators:

Speed: Falcon MalQuery is the fastest malware search engine in the security industry — over 250 times faster than other search tools. This is made possible by the patent-pending “n-gram” indexing technology.

Clarity: Search results come from the largest and most complete collection of malware available in the industry. Falcon MalQuery indexes both a file’s metadata and the actual content within the file to ensure all data is discoverable by the user. Those results are then augmented with threat intelligence so the severity and context of the threat is clear.
Importantly, Falcon MalQuery provides a threat repository stretching back years and instantly accessible via the Falcon Search Engine.

Protection: Faster and more accurate search results enable security professionals to build better protection rules. These rules empower security professionals to quickly pivot and hunt for new threats, while also enabling the deployment of protection rules to other security solutions that you may have at your disposal, ensuring proactive defense against tomorrow’s threats.

Why is Falcon Search the fastest search engine for cybersecurity?

The Falcon Search Engine is built on patent-pending indexing technology. This superior indexing ensures access to more raw data, without compromising content, while still delivering real-time search results. Our cloud platform ensures that we have a better index, and that index delivers the fastest possible search results. The Falcon MalQuery index is stored in a highly scalable, multi-node index cluster with a time-frame-based sharding strategy, providing extremely rapid search results based on file content — not just metadata or tags. The unique indexing reduces research times from hours, days or weeks to minutes and milliseconds.

What kind of searches does Falcon MalQuery support?

The Falcon MalQuery app supports the following search types:

- Fuzzy searching for sequences of bytes or combinations of byte patterns, including ASCII and Unicode strings
- Exact searches, which work similarly to “fuzzy” searches but validate all results before returning them to the user
- YARA hunting, which allows users to perform file/sample lookups based on fully featured YARA rules. This feature is orders of magnitude faster than other search engines because it leverages the unique CrowdStrike Falcon Search Engine index, so queries take a few seconds or minutes with Falcon MalQuery rather than hours with other search engines.

What file types are supported within Falcon MalQuery?
Falcon MalQuery is file-type agnostic, and new file types can be added as needed. The file types that are currently indexed include: Composite Document Files (CDF), Compiled Java, Dalvik Dex, Microsoft Word (DOC, DOCX), ELF 32-/64-bit, executables (EXE), EMAIL, HTML documents, Hangul Word Processor File (HWP), Java Archive Data, Windows shortcut (LNK), Mach-O, PDF, PE32, PE64, Perl script, PowerPoint (PPT, PPTX), Python script, Python byte compiled, Rich Text (RTF), ASCII Text, Microsoft Excel (XLS, XLSX), Shockwave Flash (SWF).

Is Falcon MalQuery offered as a standalone service?

Yes, even organizations that do not use CrowdStrike’s Falcon Endpoint Protection solution can purchase and use Falcon MalQuery. There is a yearly subscription fee, and customers can access the service using the Falcon MalQuery app located within the Falcon management console. (For information on how to subscribe, call 1.888.512.8906 or contact firstname.lastname@example.org.)

Why is Falcon Search the largest search engine for cybersecurity?

The Falcon Search Engine gives customers access to the largest repository of searchable data in the security industry. While bigger repositories may exist elsewhere, much of the data in those repositories is not accessible. The CrowdStrike Falcon Search Engine is unique because it allows users to search over 560TB of malware collected over the last five years in real time, without limiting the scope of the search.

What’s next after Falcon MalQuery?
The Falcon platform collects and analyzes all kinds of security information from around the globe — over 51 billion events per day. This means that virtually any kind of threat information can be indexed and made searchable through the Falcon Search Engine. This enables us to expand our search capabilities to any kind of threat indicator as well as into the relationships between security events by searching our CrowdStrike Threat Graph™.
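The FAQ distinguishes fuzzy searches (answered from the n-gram index alone) from exact searches (candidates validated before being returned) and mentions a time-frame-based sharding strategy. The following Python is an added illustration of those two ideas and is not CrowdStrike's code or a description of its patent-pending index: a 3-byte n-gram length, (year, month) shards, the `MalIndex`/`Shard` classes and the sample corpus are all constructed here for illustration, and YARA hunting is not modelled. The constructed sample `sample-B` contains every 3-gram of the query without containing the query itself, which is exactly the kind of false positive an exact search exists to filter out.

```python
from collections import defaultdict

# n-gram length used by this toy index. This value, like the whole index
# design below, is an assumption for illustration, not CrowdStrike's design.
N = 3


def ngrams(data: bytes, n: int = N):
    """Yield every overlapping window of n bytes in `data`."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


class Shard:
    """Inverted n-gram index over the samples first seen in one time window."""

    def __init__(self):
        self.postings = defaultdict(set)  # n-gram -> ids of samples containing it
        self.content = {}                 # sample id -> raw bytes, kept for verification

    def add(self, sample_id: str, data: bytes) -> None:
        self.content[sample_id] = data
        for gram in ngrams(data):
            self.postings[gram].add(sample_id)

    def candidates(self, pattern: bytes) -> set:
        """Ids of samples whose postings contain every n-gram of `pattern`.

        This is the 'fuzzy' answer: all n-grams are present somewhere in the
        sample, but nothing has checked that they occur contiguously and in order.
        """
        grams = list(ngrams(pattern))
        if not grams:
            raise ValueError(f"pattern must be at least {N} bytes long")
        hits = None
        for gram in grams:
            ids = self.postings.get(gram, set())
            hits = set(ids) if hits is None else hits & ids
            if not hits:
                break
        return hits


class MalIndex:
    """Shards keyed by (year, month) of first sighting; a search can be limited
    to shards at or after a given month so old shards are never touched."""

    def __init__(self):
        self.shards = {}  # (year, month) -> Shard

    def add(self, sample_id: str, first_seen: tuple, data: bytes) -> None:
        self.shards.setdefault(first_seen, Shard()).add(sample_id, data)

    def _shards_since(self, since):
        for key in sorted(self.shards, reverse=True):
            if since is None or key >= since:
                yield self.shards[key]

    def fuzzy_search(self, pattern: bytes, since: tuple = None) -> set:
        """Union of per-shard candidate sets: fast, but may include false positives."""
        hits = set()
        for shard in self._shards_since(since):
            hits |= shard.candidates(pattern)
        return hits

    def exact_search(self, pattern: bytes, since: tuple = None) -> set:
        """Fuzzy candidates, then a byte-for-byte check of each candidate's content."""
        verified = set()
        for shard in self._shards_since(since):
            for sample_id in shard.candidates(pattern):
                if pattern in shard.content[sample_id]:
                    verified.add(sample_id)
        return verified


def build_demo_index() -> MalIndex:
    """Constructed corpus (synthetic bytes, not real malware) with first-seen months."""
    idx = MalIndex()
    idx.add("sample-A", (2019, 3), b"MZ\x90\x00 stub abcdef payload")
    idx.add("sample-B", (2021, 7), b"abcd!!cdef")  # every 3-gram of b"abcdef", never contiguous
    idx.add("sample-C", (2021, 9), b"benign text with no hit")
    idx.add("sample-D", (2022, 1), b"xx abcdef yy")
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    print("fuzzy:", sorted(idx.fuzzy_search(b"abcdef")))                           # sample-A, sample-B, sample-D
    print("exact:", sorted(idx.exact_search(b"abcdef")))                           # sample-A, sample-D
    print("exact since 2021-01:", sorted(idx.exact_search(b"abcdef", (2021, 1))))  # sample-D
```

The index only answers "which samples might contain this pattern"; it never has to scan raw file content, which is why the fuzzy stage is cheap. The exact stage reads only the candidates' bytes, so its cost scales with the number of hits rather than the size of the repository. Restricting the search to recent shards, as in the last query, leaves older shards untouched entirely.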