Earlier this year, we shared our product vision for Query Federated Search—one focused on giving security teams not just access to all their security-relevant data, but the power to make better decisions, faster. A key part of that vision is Decision Enablement: helping analysts find the right data, dig deeper into evidence, and drive investigations forward quickly.

Over the past several weeks, we’ve released a series of enhancements that bring this pillar to life. In this release cycle, we focused on what happens after the query—how users interact with results, filter down to what matters, and pivot across related entities and events. With new advanced filtering, column management, and expanded pivoting capabilities, Query now delivers even stronger support for making fast, informed security decisions.

Why This Matters

Security investigations are inherently iterative—rarely a single query, but a chain of questions spanning multiple data sources and tools. Analysts must pivot across logs, alerts, and forensic data to correlate events, assess impact, and determine the best course of action to contain threats and prevent recurrence.

This release improves the post-query experience, giving analysts more control over how results are filtered, structured, and explored. By reducing the friction in these workflows, Query helps teams accelerate investigations and make faster, more informed security decisions.

Feature Highlights

Here’s a closer look at what we’ve delivered to support faster, more effective decision-making in Query Federated Search:

🔍 Advanced Filtering

Refine results with precision. Analysts can now apply multi-criteria filters directly within the results grid, narrowing in on the data that matters most—faster and without rerunning queries.


📊 Column Management

Customize the results grid to match your investigative workflow. Analysts can choose which columns to display and reorder them, making it easier to scan and interpret results at a glance: details that aren’t pertinent can be removed, while important evidence and pivot points are kept in view.


🔗 Expanded Pivoting

Investigations often hinge on the ability to follow a trail of related data. With expanded pivoting capabilities, users can now jump across entities and attributes more intuitively to surface relationships, context, and next steps with fewer clicks.

For instance, jump from an alert to the upstream CMDB or CAASM record for the affected asset, or from a failed authentication alert into the related ERP system records.


🧠 Summary Insights Enhancements

Summary Insights offers a high-level view of activity across all connected systems, organized by event class within the Query Data Model (based on OCSF). We’ve made this starting point for investigations even more efficient by providing responders with immediate visibility into findings across detections, incidents, vulnerabilities, compliance, and data security.

Just as in the main Results Grid, analysts can take full advantage of the improved filtering, sorting, and column management. Triage and CERT personnel can quickly work down findings by severity and category, making it easier to prioritize and investigate emerging issues.

The same filtering, pivoting, and sorting is available for all other OCSF categories, whether network activity or identity and access management events.


📂 Unnormalized Data in Results Detail View

While most event data is mapped to the Query Data Model for consistency, not all source systems align cleanly. That’s why we’ve added a dedicated section for Unnormalized Data, presented in key-value format exactly as returned from the source. This ensures full transparency and gives analysts access to all available data, with the ability to pivot and act on these fields just like normalized ones.


Real-World Impact

These enhancements are already making a difference in day-to-day security workflows:

  • Investigators can isolate relevant signals faster, even in large, noisy data sets.
  • Analysts spend less time manually restructuring or re-querying data, accelerating time to insight.
  • Threat hunting workflows become more iterative and exploratory, enabling faster hypothesis testing and quicker access to supporting evidence.

See It in Action

These enhancements are live now—designed to help you search smarter and decide faster.

If you’d like a deeper walk-through, schedule a demo or connect with your Customer Success Manager to explore what’s new.

Part of a Bigger Vision

This release is part of our ongoing commitment to Decision Enablement—a core pillar of our product vision. We’ll continue delivering capabilities that help you make data your most powerful weapon in protecting and defending your organization from threats.