Introduction
Regarding your security program: speed, precision, and context aren’t just luxuries, they’re table stakes. As the volume of security-relevant data explodes across cloud platforms, SaaS tools, and hybrid infrastructure, traditional approaches to detection engineering capabilities are negatively impacted. If your current detection strategy still relies solely on your SIEM’s native capabilities or is tied to a handful of supported platforms in your detection-as-code (DaC) solution, you’re likely leaving critical data out of your detection engineering team’s aperture.
[Federated Search enters stage left]. It’s not a feature. It’s a paradigm shift, and when paired with a purpose-built platform like Query Federated Search, it becomes the cornerstone of a high-performing, cost-effective detection engineering program.
In this blog you will learn about the basics of federated search, how using federated search as the bedrock for your detection engineering program can help drive efficiencies, what real world use cases we’ve helped our customers with, and how the Query Federated Search platform and the Splunk App for Query Federated Search App can help you get started quickly.
Why Federated Search?
Federated search allows you to search across siloed, decentralized security data in place, without ingesting it all into a central SIEM. It removes the bottleneck of data duplication, reduces costs associated with Security Data Management (SDM) pipelines, ingestion, and storage, and eliminates latency that can cripple effective investigations and detections.
For security operations leaders, this means:
- Immediate time-to-value: No more waiting for data pipelines or ingestion rules to catch up.
- Full-fidelity insights: Interrogate native telemetry across EDR, cloud, SaaS, and legacy tools, no downsampling required. Get the exact data you want exactly when you need it.
- Cost containment: Stop paying to move and store what you can already search remotely.
Additional benefits of federated search, specifically with Query Federated Search, include the ability to reduce reliance on an SDM solution due to the fact that all data is normalized and standardized into a common data model such as the Open Cybersecurity Schema Framework. Having a normalized data model greatly reduces the ambiguity and confusion associated with disparate data sources.
For instance, how often do detections need to be modified to support a variety of platforms for banal reasons such as device IP address being associated with a different key-value pair? Instead of getting stuck in an operational deadlock because Broadcom Carbon Black Enterprise EDR calls it last_internal_ip_address and CrowdStrike Falcon calls it local_ip, when you write a detection or search against device.ip you’ll always get back the data you expect every time.
If this is your first time reading about the OCSF, or if you are coming back to it after an absence, consider reading our beginner and executive-friendly blog: Query Absolute Beginner’s Guide to OCSF. For a more detailed explanation of OCSF, see our Definitive Guide to Open Cybersecurity Schema Framework (OCSF) Mapping blog.
Detection Engineering + Federated Search = Federated Detection
When prebuilt detections in your SIEM are not good enough, or when relying on your EDR’s “black box” detection and alerting logic isn’t good enough, detection engineering programs bridge the gap. Detection engineering requires fast iteration, broad telemetry access, and operational flexibility. While detection-as-code platforms have helped mature this discipline, they come with limitations, primarily around data access, the same issue that has tormented SOCs and SecDataOps teams!
Most DaC platforms integrate tightly with a few select platforms, usually SIEMs or popular data warehousing tools such as Databricks and Snowflake, where data is already ingested. This means:
- Ingest Constraints: If the data wasn’t ingested, you can’t write detections against it.
- Limited Customization Support: Not every single DaC platform supports custom data sources. Have your own Security Data Lakehouse? If it’s not hosted on a specific technology DaC cannot help.
- Limited Normalization: DaC tools may help you quickly onboard detection engineering, but there will still be issues when the data written is not normalized.
- Not Standalone: DaC tools, obviously, help with detections. You will still need to build or buy your own SDM tool or author numerous one-off data engineering tools and ETL pipelines to serve the data into the DaC tools.
Federated detections, powered by federated search, breaks these constraints.
- Write once, detect anywhere. Build a detection using Query’s unified schema (OCSF), and search across Microsoft, CrowdStrike, AWS, and more without porting logic.
- Test detections in real-time against remote data sources, before you push them to production.
- Decouple detection engineering from data engineering. Focus on outcomes, not ingestion logistics.
- Less pipelines, more searching. Don’t rely on complex and expensive SDM or custom ETL, use the data normalized at search time.
Federated detection is the connective tissue between your detection logic and the troves of disparate data sources needed to power your detection engineer engine, federated detections gets the blood pumping (it gets the people going!).
Federated Detection vs Traditional SIEM-Centric Detection
While traditional SIEMs offer robust alerting and correlation features, they were always purpose-built to be the sole nexus of all security-relevant data sources. Relying solely on native SIEM detections or limited DaC integrations greatly reduces the decision support and SecOps capabilities of your teams.
| Capability | SIEM-Only Approach | Detection-as-Code Platforms | Federated Search Approach |
| Coverage | Limited to ingested data | Limited to integrated platforms | Any API-accessible data source |
| Cost | Scales with data volume | Requires centralization for action | Query data in place, reduce ingest costs. Pay per connector, not per GB. |
| Time to Detect | Delayed by ingestion & indexing | Fast, if data is ingested | Real-time, across environments at API speed |
| Detection Flexibility | Tool-specific query languages: SPL, SQL, KQL, CQL, etc. | (Limited) query translation to target platforms | Query translation to target platforms |
Like we said, instead of being staked to a specific SIEM or to a handful of SIEMs or expensive data warehouses due to your DaC partner, federated detections powered by federated search helps you to decouple and deploy your workforce towards more prescient issues.
Federated Detection Use Cases
Alert Triage in High-Volume Environments
Detection engineering is most often deployed to reduce the signal-to-noise ratio in environments generating high alert volumes, as well to detect novel tradecraft and behaviors across raw data (e.g., Windows Event Logs, Sysmon, eBPF).
Using federated detections and federated search, SOC analysts can triage alerts by querying across EDR (e.g., CrowdStrike FDR), Entra ID sign-ins, Microsoft Defender events, and AWS logs, without waiting on central SIEM ingestion. This contextual enrichment at search time can lead to faster dismissals of false positives and more confident escalations, directly improving MTTR (Mean Time to Resolution).
Using federated search to answer parallelized just-in-time ad-hoc requests alongside that same parallelization across disparate sources for detection engineering will greatly improve the hand-off and continuous improvement loop between Triage, CERT, Hunting, and Detection Engineering teams!
Accelerated Detection Content Development
When new threats, and associated content about the threats emerge, detection engineers must build and validate detection logic quickly. Federated detections enable engineers to test hypotheses across live telemetry from disparate tools, even if that telemetry isn’t indexed in a SIEM. This enables them to iterate, test, and deploy high-fidelity detections faster without the overhead of ETL or index time constraints.
Detections can be written in native SPL using the Splunk App for Query Federated Search, defined in the console, or developed with a REST API or GraphQL API. Other federated search solutions may not offer the same mechanisms, however. Since all of the Query Federated Search interfaces are centered on the same OCSF-based lingua franca your engineers can quickly author the soon-to-be-detections as regular searches to quickly iterate on the efficacy.
Threat Hunting at Scale
Advanced security operations (SecOps) teams will forward deploy detection engineers and hunters to uncover stealthy or novel threats. With federated detections, they can investigate hypotheses across unstructured or archived logs, whether stored in cloud object stores, email security appliances, or SaaS app APIs. Because the data remains in-place, hunts are faster and more efficient, and previously siloed signals become accessible in a single investigation workflow.
The ability to reach out to security-specific and security-relevant sources (e.g., ERP, CMDB, CAASM) means threat hunters can gain all of the enrichment and context data they’d need to get at manually. These hunts, if frequently executed, can be further distilled into detection content that can be scheduled to run automatically.
SecDataOps Telemetry Validation and Pipeline Optimization
Security data engineers and architects use detection engineering outcomes to guide telemetry onboarding and enrichment. Working backwards from the detection engineering requirements helps to provide prioritization of what data sources to prioritize and which ones to improve or deprecate. It’s a continuous improvement process that will further develop as relevant threat intelligence (and resultant Priority Intelligence Requirements) are developed and refined.
Using federated search, SecDataOps teams are freed up from focusing on the minute details due to the simplified onboarding “click and point” connectors provide to them. Instead of planning out a roadmap of what sources to wrangle, and then deploying capital or workforce towards them, federated search becomes the common nexus. This can allow SecDataOps teams to pivot towards enabling federated analytics and provide important cost levers to pull in the form of reducing or eliminating spend with SDM and SIEM providers.
Audit, Compliance, and Root Cause Analysis
Whether it is regulatory compliance, industry compliance, corporate compliance, or generic posture management, there are many audit and compliance use cases solved upstream of detection engineering and federated search. For instance, the same mechanisms that enable seamless integration across disparate data sources can be used to prove out technical controls, substantiate root cause analysis, and be used as direct evidence for audits and examinations.
During audits, post-incident reviews, or regulatory inquiries, teams often need to reconstruct a timeline or demonstrate control efficacy. Federated search enables these scoped queries across disparate systems, without exporting data or writing brittle cross-system correlation scripts. The result: faster, defensible answers and dramatically reduced investigation overhead. This helps to bridge the gaps between SecOps and Detection Engineering as well as Enterprise Risk Management (ERM) and GRC Engineering teams.
Keep Your Splunk Investment
Oh, speaking of detection engineering and federated detections, what if you already have invested a lot of money and time into detection engineering and content development on Splunk? We have great news on that front.
Love Splunk but love the cost of sending everything into it a lot less? The Query Federated Search App for Splunk lets you keep your existing workflows and dashboards while giving your analysts access to external data sources, without additional ingest or indexing costs. It’s a no-compromise bridge between traditional SIEM workflows and a modern federated detection strategy.
Our Splunk App comes preloaded with detection content as well to help you accelerate developing your own federated detections as you get acquainted with the Query syntax in SPL.
Conclusion
Detection engineering today requires more than just well-crafted rules, it demands real-time access to diverse data, the ability to iterate rapidly, and the flexibility to adapt to an ever-changing threat landscape. Federated search is the connective layer that enables this, allowing your team to query data where it lives, minimize duplication, and streamline operations.
By using a platform designed specifically for security teams, one that integrates deeply with tools like Microsoft, CrowdStrike, and AWS while supporting open standards like OCSF, your analysts and engineers can move faster, stay lean, and make decisions with clarity.
Ready to reduce friction, cut costs, and supercharge your detection engineering program?
Stay Dangerous
