Hello everybody. Thank you for watching this video. I'm going to talk about the Weaviate vector search engine and then specifically from the perspective of threat analysis in cybersecurity. Mostly we're going to focus on, I'm going to tell a little bit about what Weaviate is and then we're going to focus on the demo and I'm also going to give you some pointers how you can start working with Weaviate yourself. So Weaviate is a vector search engine and it's a full CRUD-support database, but the most important thing to bear in mind is that the difference between traditional search engines and vector search engines like Weaviate is that Weaviate focuses on the vector representation of the data that is stored within it, and those vector representations are given to it based on machine learning models. And the simplest way to show you the difference between a traditional search engine and a vector search engine is the following. So let's look at this data object. So we have here a data object representing a, in this case, cybersecurity threat group. So we have here FIN6 and then you see, like, a group that has focused on attacking point-of-sale devices. Well, if we would store this data object in a traditional search engine and we want to retrieve it and then we say, for example, we are looking for something related to finance hardware attacks, then it will not find anything, because we know that FIN6 is related to this query but, well, the exact keywords are not matched in this data object. However, when you do this in a vector search engine like Weaviate, it will actually return FIN6, because it knows that there is a relation between finance, hardware and attack based on a group that focuses on attacking point-of-sale devices. And that is the most important added value of these vector search engines like Weaviate and, as you will see in the demo, a lot of new use cases come from this.
So when it comes to the cybersecurity domain, our main focus or our main question that we want to answer is like, can we go from a rule-based approach to a prediction-based approach? So a little bit about the core features. So we've got two core features. The first one is search or, as we like to say, search and discovery in your data. So the demo that I'm going to show you is completely focusing on search and how to find things using Weaviate, but on the other hand, we also have classification, and the easiest way to think of classification in context is that Weaviate can automatically make relations in your data sets. So where with search there is some form of human or machine input to get the insights, with classification you can ask Weaviate to do that automatically. Then we have some other unique features from Weaviate. So first, the modules as I just described, we have a bunch of them. If you have ideas for modules, we're more than happy to hear, you know, how you think we can improve Weaviate's module ecosystem. By the way, you can also create your own modules. Then we support any media type. So Weaviate, not only the vector representations that Weaviate can store, but also the data objects can be of any media type. So within one single Weaviate, you can store text objects and text vectors to represent these data objects, but also, for example, images or video. Weaviate itself has a graph-like data model. So what you will see when I show the demo to you, we use GraphQL. GraphQL is used to not only do the machine learning matching, but also to make traditional graph relations, and most importantly, to mix and match them. And then, of course, we focus on Weaviate being scalable and fast, and we're constantly updating and improving Weaviate. So with every release, Weaviate is a bit faster and a bit more scalable.
So when it comes to the vertical of cybersecurity, we mostly focus on intelligent threat analysis, meaning that Weaviate focuses on structured data. So that can be descriptions, text documents, or those kind of things that are related to threat analysis. So for this demo, we're using the MITRE ATT&CK framework for the simple reason that it contains a lot of graph relations, but also a lot of unstructured data. We use a Weaviate Transformers module, which is fine-tuned with cybersecurity data. In this case, we use Sentence-BERT. And that brings me to the demo. So when we are in the Weaviate console, we have an interface where we can use GraphQL to query through Weaviate. And the setup of how Weaviate works is actually very simple. So Weaviate has three core functions, meaning that's Aggregate, that is Explore, and that is Get. And Aggregate is used to, well, get as an aggregate function. So for example, how many objects are stored in Weaviate? Explore is used to search through the complete vector space, but Get is used to make a mix of vector searches and graph searches. And that's what we're going to use for the demo. Inside Weaviate, you have a graph-like data model. So that means that you can create any class and any property. So in this case, our class and property structure is based on the MITRE ATT&CK framework. So let's take a look at the first one. So let's take a look at threat groups. So threat groups have a name. And this very simple query says like, get me threat groups and show them, show me their names. So we're running this query, you see a bunch of threat groups, they're not organized in any way, they're just randomly shown based on this query. We can also go add a property. So we can say, for example, say like, show the description. And there you see, for example, I have CopyKittens. You see the description of the threat group. So let's go one step back. Now, what we now can do is that we can enable the machine learning model.
And in this Weaviate instance, we have two modules enabled, the vectorization module and the Q&A module. So let's start by looking at it from the perspective of the Q&A module. So what we can do is that we can say, well, we want to ask a question, then of course, we have the question. And the question that we want to ask is, who targeted the government in the Middle East? Make an array, that's incorrect, I should do it like this. We can set the properties that we want to search through. And that is something we want to do based on the descriptions. And then we have so-called underscore properties, additional, where we can say, well, this is where we want to see the answer to the question. And we want to see the result. So very simple question, a query where we say, based on these threat groups, search through the descriptions and show us who targeted the government in the Middle East. So let's run this query. So here we'll find the answer, OilRig. What we now can do with Weaviate is that we can say like, well, for example, also include the name of this, the description of this threat group. And then you see that the name is actually also OilRig. But if you're also going to look at the description, then we see that actually inside the description, there's more information about OilRig. So let's go one step deeper. So let's say like, what kind of attacks does OilRig use? And we find that in the document about OilRig, the answer is found, which is supply chain attacks. We've now been looking at the graph from the level of the threat group. So let's take a completely different approach and use the supply chain attacks in there. So let's start from the perspective of the attack technique. And so if you now also say, I have this simple query, where we say get the attack techniques and show me the names. And if we run this query, we just get a bunch of attack techniques coming from the MITRE ATT&CK framework.
Now, with Weaviate, we can do question answering, but we can also do a near search. So we can also search for neighboring concepts. So let's say for example, here we have a near text, and we're going to look for concepts. And then for the concepts, let's look at the supply chain attacks. And let's say for this query, limit it to the first 10 results. So if I now run these queries, then with supply chain attacks, then the most neighboring concepts are of course, well, the supply chain compromise, the supply chain compromise, or the compromise in hardware supply chain, etc. So a port was opened at the host's firewall. So same query, but we're now going to say, well, inside the attack, they somehow opened a port at the host's firewall. We want to be at least 80% certain. And we want to immediately show what the known mitigations are for these solutions. And we want to see names for these types of attacks. So thank you very much for listening. My name is Bob van Luijt. Feel free to reach out to me on bob at semi.technology if you want to learn more about how Weaviate can help in your domain or with the challenges that you have. On semi.technology you can also find our open core software. So you can play around with it. You can try it out. So I'm looking very much forward to hearing from you. And hopefully we can help you take the next step in intelligent threat analysis. Thank you so much for listening. Bye bye.
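
The queries typed during the demo are not visible in the transcript. The following is an added example, not the speaker's on-screen code, showing the Q&A query and the near-text query with mitigations in Weaviate's GraphQL syntax. The class and reference names (ThreatGroup, AttackTechnique, Mitigation, hasMitigations) are assumptions about the demo schema; run each operation separately in the console.

```graphql
# Added example. Class and reference names are assumed, not taken from
# the demo schema: ThreatGroup, AttackTechnique, Mitigation, hasMitigations.

# Q&A module: extract an answer from the description property of threat groups.
query WhoTargetedGovernment {
  Get {
    ThreatGroup(
      ask: {
        question: "Who targeted the government in the Middle East?"
        properties: ["description"]
      }
      limit: 1
    ) {
      name
      description
      _additional {
        answer {
          result      # the extracted answer text
          certainty   # how confident the Q&A model is in that answer
        }
      }
    }
  }
}

# Vector search mixed with a graph relation: techniques whose vectors are
# close to the observation, at least 80% certainty, with linked mitigations.
query TechniquesForObservation {
  Get {
    AttackTechnique(
      nearText: {
        concepts: ["a port was opened at the host's firewall"]
        certainty: 0.8
      }
      limit: 10
    ) {
      name
      hasMitigations {
        ... on Mitigation {
          name
        }
      }
    }
  }
}
```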