Query

Security and Investigations

Atlanta, Georgia 6,058 followers

Federated Search For Security Teams

About us

Query is a federated search platform delivering a single search bar to access all your security-relevant data, wherever it is stored. The Query Federated Search Platform unlocks access to and value from cybersecurity data wherever it is stored (in the cloud, third-party SaaS, or on-prem), regardless of vendor or technology, and without requiring centralization. This leads to massive cost savings, more efficient security operations across real-time and historical data sources, and reduced security analyst ramp-up time.

Website
https://www.query.ai
Industry
Security and Investigations
Company size
11-50 employees
Headquarters
Atlanta, Georgia
Type
Privately Held
Founded
2018

Updates

  • Query puts your security data to work. 50+ connectors. Unified data model. No pipelines to build or maintain. Query enables a platform-agnostic data layer that translates to each source’s native syntax, executes parallel queries, and returns OCSF-normalized results. So you can centralize the insights, not the data. See platform architecture and learn more via the link below.

  • Query Workers automate security operations across every source in the mesh. Engineered with evidence and transparency you can verify. Workers let you go broader and deeper than you’ve ever had the capacity to go. Each Worker automates a specific job with specialist skills, from access reviews to vulnerability prioritization to threat hunting and more. Want to learn more? See evidence? Link in comments below.

  • Most "detection coverage gaps" aren't detection problems. They're ingestion problems. If your detection logic only runs against what your SIEM ingests, your coverage map is just a budget map. The S3 bucket you couldn't justify ingesting? Invisible. The SaaS audit logs sitting in object storage? Invisible. The 90-day-old EDR data already tiered to cold? Invisible. Detections inherit the blind spots of your data pipeline. They always have. Query Federated Detections flips that. Detection logic runs directly against the data — wherever it lives. Cloud platforms, SaaS, identity systems, security tools, data lakes, object storage, your SIEM. No ETL. No re-ingestion. No "we'll add it next quarter."
    • Write the rule once in FSQL (or convert from SPL, KQL, or Sigma)
    • Schedule it against any connected source
    • Get a finding with a replay link analysts can pivot from
    • Coverage expands when you add a source — not when you add ingest capacity

    Detection architecture stops being downstream of your licensing decisions.

  • Most threat hunts stop at findings. This one fixed the hunt itself. We gave a Query Worker a single sentence: “Hunt for OAuth app-consent abuse.” From there, the Worker built a testable hypothesis, mapped MITRE ATT&CK techniques, identified the right telemetry across the mesh, and launched 25 federated queries across Entra, JumpCloud, and AWS CloudTrail. Two suspicious patterns surfaced:
    • A privilege escalation cluster
    • An unattributed service-principal burst

    Both were resolved. One traced back to Microsoft’s provisioning agent. The other exposed something more important: missing attribution data in Entra audit events. The Worker kept going. It generated five production-ready detections, tuned against the environment baseline, and built a prioritized gap inventory for the next hunt. Top gaps identified:
    • Missing actor attribution in Entra audit logs
    • A JumpCloud connector emitting zero events
    • Broken authentication event coverage across identity sources

    35 minutes. One prompt. 25 federated queries. Five detections ready for soak. And a stronger security data mesh than when the hunt started. That’s what happens when AI can reason across the full security data environment (not just summarize alerts 👀). #ThreatHunting #Cybersecurity #SecOps #IdentitySecurity #DetectionEngineering #AISOC

  • A Query Worker just ran a cloud threat hunt across five AWS accounts and Azure — from a single prompt. It scoped the investigation to credential abuse and privilege escalation, mapped the relevant cloud connectors across the security data mesh, and started hunting. Twelve queries later:
    • ReadOnlyAccess and SecurityAudit roles stopping CloudTrail logging
    • New IAM users being created from read-only roles
    • Admin policies attached from accounts that should never have had that level of access

    The numbers told the story fast:
    • 15 CloudTrail StopLogging events
    • 10 IAM users created by read-only roles
    • 25 unauthorized admin policy attachments

    Not just noise. It’s either a major SSO permission misconfiguration or an active privilege escalation chain. The Worker didn’t stop at initial detection. It automatically generated four detections based on the findings and prioritized seven remediation actions — starting with a full audit of every SSO permission set across all five accounts. One prompt. Twelve queries. Five AWS accounts. Four confirmed findings. Four detections. A complete remediation plan with full attribution behind every result. That’s a Query Worker operating on the Query security data mesh.

  • CrowdStrike gives you 15 days of telemetry. Most investigations need 6+ months. Compliance requires more. Indexing that history into Splunk would blow your licensing budget. One Query customer solved this by archiving CrowdStrike telemetry to S3 and searching it directly from Splunk — no indexing, no data movement, no new analyst workflows. Dhiraj Sharan shares how it works and what it unlocks. https://hubs.li/Q04fT9CC0
