Watch demo of Polarity, federated search and analysis tool, led by Joe Rivela, SVP, Customer Success and Co-Founder of Polarity.io:
Joe Rivela:
My name’s Joe. I’m SVP here responsible for customer success, but also heavily involved on the Polarity initiatives that we help to support and fulfill for our customers. Um, if this is the first time seeing a Polarity demo, uh, welcome. If you’ve seen Polarity before, some of this may be refresher, but we’re also going to include a fair bit of some things that are new, a recap of the accomplishments that we’ve had with the platform in 2024, showcase a new capability as it relates to our QR code recognition which was a very heavily requested customer feature, uh, looking back on the past year. And then also, a new server side capability. So even if you’ve seen Polarity before, uh, we hope today is both not just a refresher, but also you get to see some new things. For those of you who haven’t seen the platform, uh, you might be asking yourself, what is it? Right? And, essentially, we created this platform because as practitioners, be it incident response, working for the intelligence community for The United States, working with our partners and customers across the board in past lives, we found this constant problem that knowledge and data are spread across all of these distributed systems within an organization. Distributed systems like SIEMs, SOAR platforms, ticketing solutions, asset management systems, vulnerability tools, and sometimes two, three iterations of those same products within an enterprise or within an organization. And we wanted to develop something that’s gonna fuse them all together into a single unified view. So that’s the platform that you’re gonna see today. To double click on that problem where we’ve got everything kind of distributed throughout an organization, there are some byproducts of that. One is that it’s very slow to get to the data that we need in order to make high quality decisions. Right?
There’s a lot of focus in our industry on speed, time to decision, but we really wanna make sure that that time to decision is the right decision and a good decision. When we have information distributed all over the place, not only is it very painful to get to, but it also contributes to what we call intelligence failures. Or in other words, failing to act on the information that we have available to us so that we can make that good decision. We also have scenarios where we have knowledge silos. Not people purposefully not sharing with one another, but maybe they don’t know that they’re working on similar problems. And, also, when we work across many tools, we lose a lot of insights that can be gleaned, uh, whereas if you had a constant overlay. And that’s what we set out to solve. So, uh, kind of, again, double clicking on solving the pain points now, we wanted this capability to give you both immediate knowledge and data delivery. What’s the difference to us between knowledge and data? Knowledge is the content that’s finished. It’s been processed, if you will. It’s a concluded ticket. It’s a written report. Uh, it’s a piece of analysis. Whereas data might be consolidated. It may have a story to tell, but you need to know how to ask it the right questions in order to get the answers that you’re looking for. We fuse that all in together into one unified view. And I’ll say that a couple times, uh, because it is core on how we go about doing things versus how other technologies have sought to solve similar problems. With Polarity, we anticipate that you’re going to be working in other tools. We’re not the gimme gimme gimme working me platform. We know that in order to do information security work, you’ll go to the platforms that you need to go to in order to do the best job possible. So with that assumption in mind, we built an overlay that goes with you wherever you go, works wherever you work.
And what we’re after is a general up leveling of the team, allowing folks who are already, in many cases, uh, overwhelmed with information, too much technology in their stack, uh, and certainly, you know, resource constrained in some cases. We wanna help bring those people up. We are an analyst first platform, helping analysts make better decisions. And we also have our own view on telemetry, which I’ll show a little bit here. Now if you’re coming to this session, you know, you may already have some preconceived notions about what Polarity does. Um, so just to set the tone, what the platform’s gonna do and what it looks like, I’m gonna be showing you an overlay window. And in that overlay window, we’re sourcing information from all of these databases and knowledge sets into a single unified view. All I have to do is draw a box around something. You’ll see me do that a lot. And then you’ll see we federate our searches out to our data platforms, like our SIEMs, endpoint platforms, vulnerability scanners, and then our knowledge bases as well, finished products, stuff that we know. Right? Our knowledge management tools like SharePoint, Confluence. Right? Maybe it’s an asset management system, things that we keep in ServiceNow, etcetera. So that’s what you’re gonna see. We can show the platform in several different ways. One is with the client, which I’ll showcase mostly today. The client is our most, uh, utilitarian. It’s our most useful capability. Uh, it extends to anything that you’re working on. Web browser tools are great. Um, you’ve probably got a lot of them. We can work in a web browser. Uh, the Polarity web browser is gonna be ideal for folks with more static, assumable workflows, uh, versus folks who are gonna be doing a lot of tool switching and hat changing as they go throughout their day. And then anything you see today can be accessed via the Polarity API.
So all the information that we retrieve and bring forward in our federated search style to end users can also be automated and leveraged, uh, with our API so that we can potentially enrich other systems that you may wanna do your investigations in as well. Uh, we’ll focus in on some CTI use cases. We’re gonna be focusing in on the top of this diagram. If you see here, the production aspect of threat intel. Uh, and to do this, we’ll show our integrations that we have with ThreatConnect, uh, both the ThreatConnect platform and IOC submission. And to do this, I’ll bring up Polarity first. This is the Polarity overlay window. Remember I said we’re gonna use the client. This window works wherever I work. Right now, I’m working on top of PowerPoint that’s in slideshow mode that I’m delivering to you all via, uh, streaming video. We can work on top of PowerPoint in this capacity as well as on top of any browser you might bring up, any homegrown utility that you have running within the platform, command prompt. Right? Anything on your screen, Polarity instantly integrates with when you’re using the client. And we are going to connect to all your must search tools, uh, and we’ll leverage ThreatConnect as an example to start. Now it’s okay if you don’t have ThreatConnect. Uh, we certainly hope that you do. Uh, but if you use another threat intel platform, uh, maybe an open source one, maybe another commercial one, that’s all well and good. We connect to those platforms too. I’m gonna turn on ThreatConnect IOC or, uh, ThreatConnect Base. And I’m gonna also turn on, uh, an integration that we call ThreatConnect IOC submission. You can see here I have my threat intel platforms mapped to kind of an orange hue. Now that I’ve got these two integrations turned on, all you need to know if you’re gonna leverage the Polarity platform is how to click this button and how to draw a box. The training, uh, gap with the Polarity platform is super, super low. Right?
The barrier to entry is simple. And all I have to do is draw a box. If you’ve used Snagit before, snippet utilities, print screen on Windows, some other function on a Mac, all you have to do is know how to draw this box. Once I draw this box, Polarity extracts the meaningful entities that are on my screen, and I automatically search those against my interconnected platforms. Right now I only have two things turned on, but Polarity has over 200, uh, I believe 210, uh, different published integrations that our customers can turn on. So in this case, I just frictionlessly accessed several datasets, uh, being my ThreatConnect library. All I have to do is click on one of these, uh, cards, and I can see what information we have within our ThreatConnect platform. So think about the analysts who are, uh, contributing towards ThreatConnect. We wanna know if the data is already being managed by the threat intel platform. We can get a very good sense of that right out of the gate. We can actually also, uh, influence the scoring. So if I’ve learned that maybe something is more or less suspicious, malicious, I can go ahead and I can dive in and I can update the, uh, confidence levels. I can update the risk levels within the platform, uh, so that I’ve got the latest and greatest that I’m managing and making available for the rest of my team within the enterprise. Now that’s all well and good if I have the data already within ThreatConnect, but what if I don’t? What if I wanna see if I have other entities that I’m not managing? And that’s what this IOC submission integration is great for. So two separate integrations. One checks each entity and lets me manage it. The other one checks in bulk and would allow me to submit in bulk. Here, you can see I’m actually already managing all of these indicators within ThreatConnect. But what if I wasn’t? What if I had something that I was researching that didn’t match something in ThreatConnect?
What would that experience look like? So you can see here I modified one string. I can see now all of the entities that are being actively managed within ThreatConnect, and I can also see the one that isn’t. If I wanna add this to the platform, I simply click on this plus button or the add all if it’s multiple entities. And it can be tens, it can be hundreds of entities warehoused within this view. Then I can go ahead and add the metadata associated with it, and I can push this data right into ThreatConnect. So, again, not just ThreatConnect. If you have a MISP instance or OpenCTI or if you have a different, uh, commercial leader out there, uh, within the threat intelligence area, the threat, uh, intel platform area, we’re gonna be able to connect to that too. Some of our customers have multiple instances of multiple tools. And if you have multiple instances or a scenario like this, you can absolutely connect multiple threat products to the Polarity platform. I’m gonna turn on a few more integrations. In this case, we’re looking at a vulnerability release. And oftentimes, if you’re looking at a vulnerability release, you wanna know a few things. You wanna know how bad is it, uh, does it affect me, what do I need to do to fix it? Uh, who can I communicate with, uh, in order to have this issue resolved? Right? And how can I help them resolve it? So here, we’re gonna turn on a few more integrations. Remember, it’s as simple as clicking on this subscriptions icon, and we can go here and filter down on a few more integrations. One that’s free, uh, is the CISA KEV. So this is the known exploited vulnerabilities inventory that’s produced by DHS. I’m gonna turn that one on. If I get a hit from this integration, it means DHS has observed it actively being exploited in the wild. I’m also gonna turn on CVE search. This is more or less a MITRE database.
It’s gonna give me descriptions on any vulnerability that I search regardless of whether or not it’s being exploited out there in the Internet. Uh, I’m also gonna turn on security blogs, which is gonna be a quick reference for me against a lot of the more popular blogs that are out there for information security. And I’m also gonna turn on Polarity’s AI assistant. Um, this is a bring your own LLM integration. So you’re not sending the data to Polarity. We’re not training on it. We’re not learning on it. Uh, you would point this at an LLM of your choosing. And now that I’ve turned on these integrations, I have the ability, same thing. Just click on that focus button, and I can draw a box around these vulnerabilities. And what you’ll see now is I’m going to reference all of these new data sources that we just turned on. That easy. Right? Turn on the integrations. All those are free, by the way. I like to point out that all those are free. Uh, and you’ll now be checking them all on the fly. So here, I can see this CVE-2024-38193, uh, is actively being exploited in the wild. It’s got a ton of blog posts. I can see the results from CVE search. And if I wanted to drill in here, all I have to do is click on it, and I can then see the results. So here’s how DHS has observed it. Here are some specifics. Here’s the more MITRE related information, and here are the different security blogs that might reference this particular vuln. Uh, this one, uh, 08/13/2024, and I could pivot out to get the complete article.
Now if I decided that this was something that we wanted to share more on within the organization, maybe I wanna write it up so that we can, uh, communicate it out to stakeholders for remediation, maybe I want an exception, I can use the Polarity assistant capability, which is, again, our, uh, AI, uh, capability that leverages, uh, prompting, uh, in the production of content that’s gonna be used for those types of scenarios that I just outlined. All I have to do is hit the summarization button, and the summary will start to build directly within the UI. It’s pretty quick. Uh, I can use this as a guide. I wouldn’t suggest ever just copying and pasting anything that was produced in this format and leveraging it in your day to day work. Uh, but you can leverage it as a guide to get past some writer’s block or get off to a good start to start to communicate the specifics of this particular vulnerability out to stakeholders within the organization. This works for other entities as well, not just CVEs. So if you wanted to summarize an IP or if you wanted to summarize a domain, a hash, etcetera, you can use the same summarization capability that you’re seeing here for other indicators, um, that you might search within the Polarity platform. It’s a very, very easy way, uh, to produce some content that could be used for internal distribution, uh, or updating reports, etcetera. I do wanna take a moment and focus on the lower part of the threat intel cycle here. Um, that’s gonna be the consumption. So we can help producers in terms of tapping into existing threat intel, uh, helping to manage and curate the data that’s within the platform, and also, uh, you know, summarization for report writing capabilities out to our different customers within the organizations where we work. But a lot of folks are gonna leverage Polarity on the consumption side of things, and let’s talk about where they might use it.
Um, you know, in the day to day, uh, in the life of an information security analyst, maybe it’s security operations, maybe it’s incident response, we’re gonna be working in a lot of different tools. Right? That could be our SIEM platforms. It could be our workflow platforms. It could be our SOAR platforms, uh, ticketing. It could be, uh, our malware sandboxes, uh, you name it, email. It could be text files, Excel. We’ll use whatever we need to, uh, to focus in on the problem, the crux of the problem, get the answers we need in order to defend the institutions that we work for. Um, so lots of tools. And that’s one of the places where Polarity is gonna shine. As you go and you work on top of these different tools, we bring all the data with you. So let’s take a look at this example. If we were actually working within a SIEM platform, um, this is network traffic, but it could just as easily be, uh, a full fledged event or a full fledged incident depending on how you classify the different, uh, items within your organization. And we’ve already got several integrations turned on. Right? We already have our threat intel platform turned on. Uh, we already turned on several free sources related to vulnerability. Now I can, uh, leverage the Polarity capability and searches right out of the gate, but I do wanna turn on a few more integrations for everybody. So here, back to subscriptions, and you can see how this builds. Right? We’ve turned on about five or six integrations already, and we’re gonna turn on a few more. Uh, AbuseIPDB, which is accessible with a free key. There’s a free option with that one. Uh, I’m gonna turn on MaxMind, which is great for geolocation information. I’m gonna turn on Shodan InternetDB. Uh, this is great for discovering ports and services, and VirusTotal. Now I say discovering, but I wanna make sure that we’re being very, very clear here.
Uh, these Polarity integrations as they’re configured, don’t engage actively with anything that you’re investigating. They simply leverage these datasets in a passive manner so that you’re not creating an operational security issue tipping your hat or tipping your hand, uh, to the bad guy, letting them know that you’re investigating them. This is all entirely passive. No artifacts that they’re just gonna have immediate access to to learn or to expect that you’re investigating them. Again, same as before, gonna hit that Polarity focus button. Now I can get pretty granular, and I can hone in on just maybe two pieces of network traffic here, uh, maybe the initial request and response. And I can see now as it builds, uh, yeah, I got my Polarity AI assistant. I could use that for summarization. But I also with Shodan, I get the ports and services that are associated with the host. I get VirusTotal information back telling me I have zero detections across 94 different engines. It’s telling me that this is hosted in The United States, likely CloudFlare, and it’s got a low abuse score, 0%. So, uh, peers in our community have not contributed to this dataset indicating that this, uh, IP is abusive in any way, shape, or form, which is what that dataset is aimed towards. I could just as easily hone in on all the content in here. Just click that button, draw that box, and you’ll see now the Polarity platform’s gonna federate that search out to all the other tools, right, and bring all the information right back into the UI. And several start to stand out. I can actually see with this one particular IP, uh, there’s several blog posts on it. I have information in the ThreatConnect platform letting me know about the availability of additional details. And I also have information from VirusTotal, and I can see the flags that are carried associated with it, malicious, phishing, malware. Um, this is one that I may wanna drill into. So I can go right into that card.
I can pivot right into the datasets that are meaningful for me. In this case, I can see what ThreatConnect has on it. I can see what VirusTotal is reporting on it. I can even check the detection engines that are actually flagging this particular, uh, IP as malicious. So I can really drive in quickly, and then I can just pivot back and get back to what I was working on without having to go cross reference against all these other tools. I don’t have to open tabs for a bunch of security blogs, VirusTotal, Shodan. Right? I can consume all this information on the fly no matter what tool I’m working in. Let’s take another example. So in this case, we’ll be looking at an endpoint alert, uh, very similar here to what you might see in CrowdStrike. And I can turn on a few more integrations. I’m gonna go more so with some commercial examples this time. A lot of our customers leverage ServiceNow, uh, definitely a leader in the space, but a lot of our customers have multiple ticketing systems. So I’m gonna go ahead and I’m also gonna turn on Jira. I’ll turn on Splunk as an example of a leading SIEM, uh, but we integrate with Elastic and Sumo and, uh, various other large SIEM platforms. Uh, most recently, the CrowdStrike logarithm, I’m sorry, the CrowdStrike, um, Humio platform, which was then renamed LogScale, uh, which we have the integration with that we released not that long ago. And I’ll turn on Polarity Source Analytics here, which is an Elastic back end. And I’ll show you what that one does a little bit. And after I turn these integrations on, I can close the window and get back to my search screen. I’m also just gonna right click and do a reload within the platform. I’m only doing this for presentation purposes. You don’t need to do that. Uh, I just like to clear the slate every now and then and show our customers that we can easily clear that slate. Uh, now again, I have this endpoint event, and I’m gonna isolate in on a few things.
Uh, I’ve got a few, uh, executables that may be, uh, fired. I have a host name here. Uh, and you can see how I can just go in and pull that information very, very quickly. But this particular hash, I can check it against Splunk. I can see two indexes where I have data on this thing. I didn’t need to know Splunk to do that. I didn’t need to know SPL. I didn’t need to know what indexes to check. I can just do a broad swath across my Splunk instance without having any SPL training whatsoever to understand if I have references to this within my Splunk instance. VirusTotal, which we’ve seen before. I also have six tickets open on this particular item within Jira. I can click into that, and I can see what those tickets are, who owns them, what are the details, when were they created, what’s their status. I can also leverage Polarity Source Analytics to see who else is working on this. Remember, one of the pain points that we talked about is sometimes we don’t know when our colleagues are working on certain things. If you’re searching and investigating and triaging with Polarity, you actually will get that visibility to know when your colleagues are working on similar problems. Uh, very good here where I can see who on my team is working with this dataset as well as what technologies within my stack are actually giving me engagement in some way, shape, or form with this string. So just with this one example, I’m able to cross reference a whole bunch of datasets, both commercial, open source at this point, uh, and I’m able to get kind of that cross team visibility where my colleagues might be working. Again, the Polarity source, uh, um, the Polarity assistant will work on, uh, virtually any string that we define, uh, to be supported by the capability. Here, if I wanted to summarize this hash, we can go ahead and do that as well. I believe this is the last incident example.
Um, we’ve already turned on various instances of ThreatConnect, uh, both the threat intel platform direct query capability, uh, and also the IOC lookup capability. But there is a new integration that we released not that long ago, uh, about a month and a half ago. Uh, it is called ThreatConnect CAL. The reason why I wanna point this out is because ThreatConnect CAL, and CAL stands for cumulative analytics layer, uh, is a capability that is now available to Polarity customers at no cost. It’s commercial data. It’s not available to anyone. You can’t just go out there and sign up for free. But if you’re already a Polarity customer, this is now bundled in with the Polarity product. So we turn that one on and I’ll explain how that one works in just a moment. Uh, I’m also gonna turn on the CIRCL hash lookup and I’m going to turn on EchoTrail. EchoTrail is probably one of my favorite, uh, commercial integrations. You can get a commercial subscription, but they also have a very good free key that you can go and obtain. That’s what I’m using here, uh, today. So now that I’ve turned on these three integrations, I’m gonna perform a search. And at this point, everyone should know who’s watching this presentation that all I need to do is click on that focus button, and I can extract information. And I’m gonna do some research against, you know, maybe one of these hashes. All I had to do was draw the box. CIRCL hash lookup, which is a free data source, uh, will tell me that this particular hash is associated with malicious behavior. Very simple integration. Uh, EchoTrail will tell me that it has not been observed, and this makes sense if you know what this dataset does. This dataset helps me understand what integrations, uh, or rather what binaries and executables are running on a host by default. Right?
When it gets built, when it gets released, and put out there for the masses to use, uh, these systems are indexed, and we know whether or not they’re supposed to be on the system. So if it’s not available within this integration, it actually means it’s not there by default, which is pretty good for me to know. Uh, add in ThreatConnect CAL, where I can actually see this particular hash ranked fairly high on our zero to 1,000 scale. This is letting me know that this is approaching that more critical end of things, that more significant, more malicious end of things. And I could see attribution wise where this information was sourced from, what file information or what malware family this is associated with, and other variants to help support my investigation across the board within other tools. I can also see, uh, relationships with other ThreatConnect customers as to whether or not this has been investigated before in the past or whether or not it’s been reported as a false positive. So this insight is not just, uh, binary in terms of good or bad. Right? Obviously, it’s on a scale. Um, the higher end of the scale is going to certainly be more likely malicious. The lower end of the scale is certainly going to be more likely benign. And anything in the middle, I always recommend to customers, you treat the unknown accordingly. Right? We shouldn’t just assume that things are benign because they’re in the middle. Right? They require diligence, um, as does everything. But in this case, you can also see the investigative history from peers within the community, which I think is, uh, invaluable. So with that, we’ve just taken one hash, checked it against all these different tools. Again, it all builds. Um, but if we wanna get more specific, less granular, and just, you know, interrogate all of the contents associated with this ticket, which is represented to look like a ServiceNow event, uh, we can go ahead and do that. Look into this very, very quickly.
Multi ticket, multi SIEM, multi open source, multi commercial, and pull all that information in. We’re saving analysts time. Yes. Saving analyst heartburn. Yes. But we’re also helping to contribute to that higher quality decision because we’re able to multisource and reference all of these tools so fast and deliver it to analysts so they can simply use the data at the time of decision. Right? It’s a very important component of what we do. Uh, wanna focus in just on 2024. A little recap here. So popular integrations of 2024. We’ve already covered a couple of these. ThreatConnect obviously is, uh, one that we’re proud of. LOLBAS is a great integration for understanding living off the land binaries, uh, and how bad guys use these files. We already covered this particular integration, and there is that great free option. Definitely recommend folks go out there and sign up for that. Even if you don’t use Polarity, I think it’s a great tool. It promotes understanding of binaries and executables, um, which is also, uh, invaluable. Um, NVD, the National Vulnerability Database, this is out there for our customers to use. Big push in 2024 for Defender and Sentinel. This one’s been updated a lot, and we covered the CIRCL hash lookup. We’ve also enhanced our Gemini integrations. This is Google’s AI capability, and we’ll soon be able to point the Polarity assistant at Gemini. CrowdStrike has been updated a lot. We’ve actually got a really fun, useful feature coming out for CrowdStrike where you’ll be able to engage with RTR scripts and custom scripts that have been defined for the platform. So if you wanna lock it down, if you wanna enable logging on a host, if you wanna pull ports and services as a pretty refined script, you’ll be able to do that directly from the Polarity UI now. Uh, XSOAR has been updated a bunch. Splunk, the very popular technologies across, you know, commercial environments. So we tend to see them a lot. We get a lot of requests for updates.
Cisco Umbrella was recently updated as well. So proxies, and we’ve got a couple more proxies in the development pipeline, and Vertex was updated a lot as well. The most recent update to that particular integration was to support, uh, API based authentication, which is, you know, it’s important for a lot of our customers. Um, and other integrations I mentioned, LogScale, VMRay and Intezer are together because they’re both sandboxes. We do have a couple more sandboxes on the integration inventory slated for early 2025 that we’re excited about. Uh, Forward Networks, SnapAttack, Dataminr for sentiment analysis, uh, very popular with some of our government customers. I mentioned LOLBAS already. The Anti-Phishing Working Group’s eCrimeX, and, uh, Cyware and Vertex, uh, were both built in 2024 as well. Uh, Feedly, uh, and, uh, some of the XSOAR features were actually contributed to directly by our community. So we appreciate the community for building Polarity integrations and sharing them back with us so that we can share with the community at large. Uh, one other big release is, uh, just officially hit customer environments last week, maybe two weeks ago, uh, is our QR code analysis capability. So now with the focus mode feature, if you have a QR code resident in a possible phishing email or, you know, leveraging some sort of other campaign, maybe it’s a, like, a, um, drive-by download scenario where bad guys are trying to get people to a browser based link and then they show the QR code, um, you’ll be able to research this simply by drawing a box around it and allowing for the release. And then we’ll extract any URLs or domains associated with the QR, and we’ll research them just like we would those entities on any other regular basis. Um, but, certainly, the, uh, prominence and availability of these within phishing campaigns now is increasing, at least according to our customers.
And this was a heavily requested feature, so we’re very happy to be, uh, making that available for all Polarity customers. We also allow for defining custom types within the UI now. So, uh, if you are a Polarity user, historically, you’ll know that you had to log in to the actual back end of the server in order to define a custom type. Uh, obviously, we always wanna make the administrative components of leveraging the platform easier. So what we did was we introduced the ability to define these custom types within the UI so there’s less back end administrative work. Less tickets, less, uh, cross-team dependencies, less opportunity for mistake, um, at the command line. You can now add these custom types directly within the UI. Two core use cases here, uh, for a good percentage of our customers are going to be, um, unique strings for host names. So whatever your pattern is, uh, you know, prod one two three four, east west database, file server, etcetera, um, or, uh, usernames. So a one two three four five or first initial last name or some other, you know, proprietary code for your organization. Um, that’ll make it that much easier to define those custom types and search your tools, uh, for those custom strings. So in recap, you know, Polarity’s federated search and correlation capability that’s built for analysts. We augment any workflow with over 200 integrations. Hopefully, we save you, you know, the time associated with context switching. Yes. But also help to produce that higher quality decision on a higher frequency. Um, we do have some AI capabilities, but it’s bring your own LLM. So as long as you’ve got a process for that, then we should slide right into it. Um, and, you know, we’re really just here to help create a more cohesive security mesh architecture. Allow all your tools to talk to one another no matter where you work. Bring your data, democratize your data directly to you and the analysts that you have, all within RBAC, I should add.
Um, we don’t ever wanna create a situation where people have data they’re not supposed to. So everything that you saw today is RBAC-able. You can lock people into groups, and they can only see the integrations that they’re supposed to see. Uh, but, certainly, within our space, um, there’s a lot of scenarios where the different type of information can be applied in lots of different ways. And we want that information to land in front of the right analyst, at the right time, and we obviously want it to be the right data.
Struggling with Data Overload and Slow Decision-Making?
Security teams often face data overload and fragmented information spread across multiple tools – SIEMs, asset management systems, ticketing platforms, and more. This slows down investigations, leads to missed insights, and creates silos across teams.
Polarity solves this challenge by bringing seamless, federated search and instant data correlation across over 200 integrations. In this demo, Joe Rivela showcases how a simple click-and-draw interaction can trigger instant information extraction across platforms, helping users break down knowledge silos and make faster, smarter decisions.
Key Highlights:
- Vulnerability Insights: Using tools like CVE search, the AI assistant, and security blogs, Joe surfaced critical details about a vulnerability, including exploit status, descriptions, and related content.
- AI Summaries: Generate ready-to-use summaries for reporting and communication.
- Integrated Platforms: Search across tools like SIEMs, SOAR platforms, ticketing systems, emails, and text files to ensure relevant data is just a click away.
Polarity takes capabilities further with integrations like:
- AbuseIPDB for IP reputation and abuse reporting
- MaxMind for geolocation data
- Shodan for port and service discovery
- VirusTotal for file and URL scanning
Designed for Analysts, Built for Security
- Passive Operations: Polarity interacts with tools without engaging threats.
- Precision Focus: Use the Polarity Focus Button to zero in on critical data and validate findings across multiple tools.
- Advanced Features: QR code analysis for phishing, custom data types, and enhanced integrations with Google Gemini AI and CrowdStrike RTR scripts.
Polarity delivers unmatched correlation and federated search capabilities that transform how analysts gather, verify, and act on data. It’s not just a tool – it’s a game-changer for securing insights and driving smarter, faster decisions.
Watch the demo and see Polarity in action.