Introduction
To continue our mission of giving security and IT teams the ability to treat decentralized or distributed datasets as a central source, the team here at Query is always onboarding new Connectors and updating existing ones in the Query Security Data Mesh. Some of these Connectors have existed for a few months but were never written about directly, and some have been updated to be more performant and more consistent with vendor APIs. In this short blog entry you will learn about the new and updated Connectors, as well as some of the upcoming Connectors we are working on.
1Password – New Connector
1Password is a secure, enterprise-grade password manager designed to centralize and protect authentication secrets, credentials, and sensitive records across teams and infrastructure. It offers capabilities for managing user access, sharing vaults securely, enforcing strong password policies, and monitoring sign-in activity through its Events API. Organizations can integrate 1Password with identity providers and security tools to ensure compliance, minimize credential sprawl, and gain visibility into account usage. Its developer-friendly APIs and event streams make it ideal for inclusion in security analytics and data mesh platforms where identity and authentication telemetry play a critical role in threat detection and auditability.
The Events API is directly searchable, making it a great candidate to extend into the Query Security Data Mesh with federated search. Every sign-in attempt, item usage, and audit event it exposes can be searched in a standardized way using the Query Data Model (based on the Open Cybersecurity Schema Framework (OCSF)). As a result, analysts can filter, correlate, and pivot across observables such as email addresses, IPs, user IDs, and device UUIDs with ease. This standardization enhances situational awareness by connecting identity-centric telemetry from 1Password to other security domains, helping teams detect anomalous logins, privilege misuse, or compromised accounts without first building an ingestion pipeline for the data.
The customer we built this Connector for has two identity providers, a browser security solution, custom logs stored in BigQuery, and is a user of 1Password. With this Connector alongside Push Security (covered later), BigQuery, Entra ID, Google Workspace, and other Connectors, they can instantly gather context on any user in their environment: Query automatically parallelizes and executes the queries to bring back all relevant details.
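To make the normalization and pivoting described above concrete, here is an added example (not Query's connector code) that maps 1Password sign-in attempts into OCSF Authentication events, pulls out the pivotable observables, and flags source IPs that keep failing credentials. The input records are constructed to follow the shape of the 1Password Events API `signinattempts` response; the field names (`category`, `type`, `target_user`, `client.ip_address`) and the `category` values are assumptions to verify against the 1Password Events API reference. The OCSF constants follow schema 1.1, where Authentication is class_uid 3002.

```python
"""Normalize 1Password Events API sign-in attempts into OCSF Authentication
events, extract the observables an analyst pivots on, and flag source IPs
that repeatedly fail credentials.

Added example for this blog post, not Query's connector code. The input
records are CONSTRUCTED to follow the shape of the 1Password Events API
`signinattempts` response; treat the field names and `category` values as
assumptions to verify against the Events API reference. OCSF constants
follow schema 1.1 (Authentication = class_uid 3002)."""
from collections import Counter
from datetime import datetime

CLASS_UID, CATEGORY_UID, ACTIVITY_LOGON = 3002, 3, 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
OBS_IP, OBS_USER_NAME, OBS_EMAIL = 2, 4, 5      # OCSF observable type_ids

# 1Password reports the outcome in `category`; anything else is a failure.
SUCCESS_CATEGORIES = {"success", "firewall_reported_success"}


def _epoch_ms(ts: str) -> int:
    """RFC 3339 timestamp (with or without a trailing Z) to epoch milliseconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def normalize_signin(ev: dict) -> dict:
    user, client = ev.get("target_user", {}), ev.get("client", {})
    ok = ev["category"] in SUCCESS_CATEGORIES
    return {
        "class_uid": CLASS_UID, "category_uid": CATEGORY_UID,
        "activity_id": ACTIVITY_LOGON, "type_uid": CLASS_UID * 100 + ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if ok else STATUS_FAILURE,
        "status_detail": ev.get("type"),            # e.g. password_secret_bad, mfa_ok
        "severity_id": 1 if ok else 2,               # Informational / Low
        "is_mfa": ev["category"] == "mfa_failed" or ev.get("type") == "mfa_ok",
        "time": _epoch_ms(ev["timestamp"]),
        "user": {"uid": user.get("uuid"), "name": user.get("name"),
                 "email_addr": user.get("email")},
        "session": {"uid": ev.get("session_uuid")},
        "src_endpoint": {"ip": client.get("ip_address"),
                         "location": {"country": ev.get("country")},
                         "os": {"name": client.get("os_name"),
                                "version": client.get("os_version")}},
        "metadata": {"version": "1.1.0", "uid": ev.get("uuid"),
                     "original_time": ev.get("timestamp"),
                     "product": {"name": "1Password", "vendor_name": "1Password"}},
    }


def observables(event: dict) -> list:
    """The OCSF `observables` array: one entry per value worth pivoting on."""
    candidates = (
        ("src_endpoint.ip", OBS_IP, event["src_endpoint"]["ip"]),
        ("user.email_addr", OBS_EMAIL, event["user"]["email_addr"]),
        ("user.name", OBS_USER_NAME, event["user"]["name"]),
    )
    return [{"name": n, "type_id": t, "value": v} for n, t, v in candidates if v]


def failing_sources(events: list, threshold: int) -> dict:
    """Source IPs with at least `threshold` failed logons, the usual first cut
    for password spraying or credential stuffing against the vault."""
    failures = Counter(e["src_endpoint"]["ip"] for e in events
                       if e["status_id"] == STATUS_FAILURE)
    return {ip: n for ip, n in failures.items() if n >= threshold}


# CONSTRUCTED sample records; the IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"uuid": "EV1", "session_uuid": "S1", "timestamp": "2024-05-01T12:34:56Z",
     "category": "credentials_failed", "type": "password_secret_bad", "country": "US",
     "target_user": {"uuid": "U1", "name": "Alice Example", "email": "alice@example.com"},
     "client": {"app_name": "1Password Browser Extension", "platform_name": "Chrome",
                "os_name": "Windows", "os_version": "11", "ip_address": "203.0.113.10"}},
    {"uuid": "EV2", "session_uuid": "S2", "timestamp": "2024-05-01T12:35:10Z",
     "category": "credentials_failed", "type": "password_secret_bad", "country": "US",
     "target_user": {"uuid": "U2", "name": "Bob Example", "email": "bob@example.com"},
     "client": {"app_name": "1Password Browser Extension", "platform_name": "Chrome",
                "os_name": "Windows", "os_version": "11", "ip_address": "203.0.113.10"}},
    {"uuid": "EV3", "session_uuid": "S3", "timestamp": "2024-05-01T13:02:00Z",
     "category": "success", "type": "mfa_ok", "country": "US",
     "target_user": {"uuid": "U1", "name": "Alice Example", "email": "alice@example.com"},
     "client": {"app_name": "1Password for Mac", "platform_name": "macOS",
                "os_name": "macOS", "os_version": "14.4", "ip_address": "198.51.100.7"}},
]

if __name__ == "__main__":
    normalized = [normalize_signin(e) for e in SAMPLE_EVENTS]
    for n in normalized:
        print(n["status_id"], n["status_detail"], n["is_mfa"], observables(n))
    print(failing_sources(normalized, threshold=2))
```

The `observables` array is what makes cross-connector pivots cheap: once every connector emits the same `type_id`/`value` pairs, an email address or IP found here can be handed straight to an Entra ID, Push Security, or EDR search without per-vendor field mapping at query time.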
To learn more about our 1Password Connector, refer to our documentation.
OX Security – New Connector
OX Security is an Application Security Posture Management (ASPM) platform that integrates with several traditional AppSec, Cloud Security, and Software Supply Chain tools such as source code platforms, SAST, IAST, DAST, vulnerability management, artifact registry, container registry, and other platforms to provide a full spectrum picture of salient AppSec-related issues. For instance, instead of reporting on singular vulnerabilities in Software Composition Analysis (e.g., Snyk, Dependabot) for a given repo, OX Security will gather those vulnerabilities, as well as reachability, infrastructure, repo configuration, pipeline data, and other security tools to correlate all of the related attack paths into a singular Issue.
Query integrates OX Security into the Security Data Mesh by allowing users to collect all Apps (which represent anything from GitHub repos to ECS clusters to Kubernetes clusters) and Issues (the primary architectural quantum of security findings in OX Security) without ingesting or duplicating any data. The OX Security Connector sits as a shim atop the OX GraphQL API endpoint: it translates the query, handles pagination, normalizes results in situ, and returns the collated results to you. From there, you can pivot across shared Attributes such as CVEs, CWEs, and code owners to expand your searches into CMDBs, cloud security platforms, SIEMs, data lakes, and other locations to complete your objectives.
Traditionally, Application Security data has been disaggregated from central Security Operations because the tools are owned by the teams that run them, despite the important context stored in them. Now, with the Query Security Data Mesh and OX Security, SOC teams and others can easily peer into the world of Application Security to understand "left of boom" issues in applications that may be implicated in a security incident.
To learn more about our OX Security Connector, refer to our documentation.
Push Security – New Connector
Push Security is a browser-based Identity Threat Detection & Response (ITDR) tool that integrates with popular browsers across any device and your Identity Provider (IdP) of choice such as Google Workspace or Okta. From there, Push Security analyzes all of the applications that users access, applies policies and determines best-practice configurations, as well as detects novel browser-based tradecraft and moves to stop it automatically. Push Security also offers a simple REST API that allows you to view all of these data points in a centralized location, or, federated via Query Federated Search powered by the Query Security Data Mesh.
Query Federated Search allows you to parallelize search across common metadata within the Push Security data model. For instance, Employees are generated from IdP connections while Accounts are derived from actual SSO (SAML, OAuth2) app grants, so searching on an email address returns all of the associated records plus information on the device/browser used and any applicable Findings or Detections impacting the user. Zooming out, when used in concert with other Query Federated Search Connectors you can retrieve raw logs from the IdP, such as Entra ID sign-in and audit logs or Google Workspace activity logs, as well as MDM or EDR data keyed on the same data points.
As mentioned before, the customer who requested this Connector was the same customer as for 1Password and has a large amount of identity-centric data they need to search. Push Security adds metadata atop the identity-provider-sourced data, along with policy and configuration posture and first-line security events. Unifying all of these data sets with federated search via the Query Security Data Mesh greatly improves decision support for security operations versus running through multiple tabs for each product.
To learn more about our Push Security Connector, refer to our documentation.
CrowdStrike Falcon APIs – Updated Connector
The CrowdStrike Falcon platform is a multi-domain Endpoint Protection Platform (EPP) inclusive of Endpoint Detection & Response (EDR), Identity Threat Detection and Response (ITDR), Cyber Threat Intelligence (CTI), Threat & Vulnerability Management (TVM), and other capabilities. Customers use CrowdStrike to protect their hosts and overall asset footprint from malware and other threats to Windows, Linux, and macOS environments, in addition to external threats from cloud misconfigurations and software vulnerabilities.
Query integrates with several APIs within the CrowdStrike Falcon ecosystem to query and investigate users with platform access, devices onboarded to CrowdStrike Falcon, Alerts, and Incidents created automatically or via customer rules. Query uses the official FalconPy SDK for CrowdStrike to securely access data, submit searches, and subsequently normalize the results. Federated search lets customers support Incident Response, Investigations, Threat Hunting, Audit, and other security and observability tasks that require Falcon data, all without duplicating or retaining data in another system.
Recently, CrowdStrike deprecated their "Detections" API in favor of the "Alerts" API endpoint, which collects findings across the various Falcon capabilities and SKUs. We have likewise dropped support for the deprecated API, which removes a source of spurious errors, and updated the Alerts mappings to reflect this change. You can now use details in the `metadata` and `product` OCSF/QDM objects to scope a search to certain SKUs or to broadly search across EVERY finding of note surfaced by CrowdStrike.
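The following is an added example (not Query's connector) of what a search against the Alerts API looks like once the Detects API is gone: an FQL filter that scopes by Falcon product and severity, offset paging over the alert ID index, hydration of each page, and an OCSF `metadata.product` stamp so the SKU is searchable. With a real tenant you would pass `falconpy.Alerts(client_id=..., client_secret=...)`; the method names `query_alerts_v2`/`get_alerts_v2`, the `composite_ids` keyword, and the response layout (`status_code`, `body.resources`, `body.meta.pagination.total`) follow FalconPy's conventions but should be checked against the FalconPy reference for your version. `FakeAlerts`, its records, and the `product` values (`epp`, `idp`) are constructed/assumed so the example runs offline.

```python
"""Search CrowdStrike Falcon through the Alerts API (successor to the
deprecated Detects API) and tag each alert with the Falcon product that
raised it so federated searches can be scoped by SKU.

Added example for this blog post, not Query's connector. FalconPy method
names, the `composite_ids` keyword, response layout, FQL syntax and the
`product` values are assumptions to verify against the FalconPy and Alerts
API references. `FakeAlerts` and its records are CONSTRUCTED."""


def build_filter(products=(), min_severity=None, since=None):
    """Falcon Query Language: ',' ORs terms inside parentheses, '+' ANDs them."""
    parts = []
    if products:
        parts.append("(" + ",".join(f"product:'{p}'" for p in products) + ")")
    if min_severity is not None:
        parts.append(f"severity:>={int(min_severity)}")
    if since:
        parts.append(f"created_timestamp:>'{since}'")
    return "+".join(parts)


def fetch_alerts(client, fql, page_size=500):
    """Walk the alert ID index with offset paging and hydrate each page.

    A 403 is treated as 'this SKU is not licensed' and yields no results
    instead of raising; that is a design choice for federated search over
    tenants with mixed licensing, not CrowdStrike's documented semantics."""
    alerts, offset = [], 0
    while True:
        page = client.query_alerts_v2(filter=fql, limit=page_size, offset=offset,
                                      sort="created_timestamp.desc")
        if page["status_code"] == 403:
            return []
        if page["status_code"] != 200:
            raise RuntimeError(page["body"].get("errors"))
        ids = page["body"]["resources"]
        if not ids:
            break
        hydrated = client.get_alerts_v2(composite_ids=ids)
        alerts.extend(hydrated["body"]["resources"])
        offset += len(ids)
        if offset >= page["body"]["meta"]["pagination"]["total"]:
            break
    return alerts


# Assumed mapping from the Alerts API `product` field to a readable SKU name.
PRODUCT_FEATURE = {"epp": "Endpoint Protection (EDR)",
                   "idp": "Identity Protection (ITDR)",
                   "xdr": "Falcon XDR", "overwatch": "Falcon OverWatch"}


def ocsf_severity_id(severity: int) -> int:
    """Falcon severities are 0-100; OCSF severity_id is 1 Info ... 5 Critical."""
    for bound, sid in ((80, 5), (60, 4), (40, 3), (20, 2)):
        if severity >= bound:
            return sid
    return 1


def to_ocsf_metadata(alert: dict) -> dict:
    """OCSF `metadata` with `product.feature` carrying the SKU, which is the
    handle a federated search filters on to stay within one license."""
    product = alert.get("product", "unknown")
    return {"version": "1.1.0", "uid": alert["composite_id"],
            "product": {"vendor_name": "CrowdStrike", "name": "Falcon",
                        "feature": {"name": PRODUCT_FEATURE.get(product, product)}}}


class FakeAlerts:
    """CONSTRUCTED stand-in for falconpy.Alerts; it ignores the filter text
    and only exercises paging and hydration."""
    RECORDS = [
        {"composite_id": "aid1:ind:1", "product": "epp", "severity": 70,
         "display_name": "Credential Dumping"},
        {"composite_id": "aid1:ind:2", "product": "idp", "severity": 50,
         "display_name": "Suspicious Kerberos Ticket Request"},
        {"composite_id": "aid2:ind:3", "product": "epp", "severity": 90,
         "display_name": "Ransomware Behavior"},
    ]

    def query_alerts_v2(self, filter, limit, offset, sort=None):
        ids = [r["composite_id"] for r in self.RECORDS][offset:offset + limit]
        return {"status_code": 200,
                "body": {"resources": ids,
                         "meta": {"pagination": {"total": len(self.RECORDS),
                                                 "offset": offset, "limit": limit}}}}

    def get_alerts_v2(self, composite_ids):
        return {"status_code": 200,
                "body": {"resources": [r for r in self.RECORDS
                                       if r["composite_id"] in composite_ids]}}


if __name__ == "__main__":
    fql = build_filter(products=("epp", "idp"), min_severity=50)
    for a in fetch_alerts(FakeAlerts(), fql, page_size=2):
        print(a["display_name"], ocsf_severity_id(a["severity"]), to_ocsf_metadata(a))
```

Hydrating by composite ID after an ID-only query is the two-step shape of most Falcon APIs; doing both steps per page keeps memory bounded when a broad filter matches tens of thousands of alerts.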
A majority of our customers are already CrowdStrike customers, and make heavy usage of this Connector as they can centrally reach CrowdStrike data through federated search as either the entrypoint into their SOC runbooks, or as important correlation data. For instance, customers often start in our federated reporting capability – Summary Insights – to get a list of all active incidents and alerts. From there, they often pivot on common Entities such as IP Address, MAC Address, Serial Number, Hostname, or Username to gather contextual information from our other Connectors. If you have Intune-managed devices with CrowdStrike Falcon sensors, doing a hostname pivot will pull in data across Entra ID, Intune, CrowdStrike, and other host-level log data stored in Snowflake, CrowdStrike Falcon LogScale, Amazon Security Lake, or otherwise. Likewise, any first-party Incidents created in CrowdStrike with associated behaviors will also be brought into context in Query.
From there, you can discover attacker-specific artifacts and behaviors to facilitate new searches and pivots. Within two or three searches, SOC Analysts have ALL of the answers they could need to create incidents, close findings, execute countermeasures, or otherwise!
To learn more about our CrowdStrike Falcon API Connector, refer to our documentation.
ServiceNow – Updated Connector
ServiceNow is the world’s preeminent IT Service Management tool, offering a comprehensive Configuration Management Database (CMDB) and several hundred plugins and capabilities to enable everything from SecOps to self-service password changes to managing large scale inventory of every bit of software, hardware, SaaS apps, and other configuration items. To that end, ServiceNow often serves as the cornerstone of IT and security contextual data as well as the primary mechanism for managing incidents and other problems in an enterprise.
The ServiceNow Connector for the Query Security Data Mesh enables secure, federated access to your ServiceNow instance without centralizing or duplicating any data. It allows analysts to search, correlate, and analyze ServiceNow records (e.g., incidents, change requests, and assets) alongside telemetry and events from any other connected source, directly through the Query Security Data Mesh.
This Connector exposes ServiceNow’s structured tables (e.g., Incident, Task, Asset, and CMDB) as queryable datasets. Analysts can perform cross-domain investigations, enrich findings with contextual ticket or asset data, and build detections or dashboards that span identity, configuration, and operations data. All of this is possible while preserving ServiceNow’s native access controls and governance.
We have updated this Connector and the documentation to better integrate with the Table API and perform schema introspection and metadata discovery across nearly any table (that we’ve tested) in ServiceNow. We recently completed testing against the Zurich release and helped a customer onboard their ServiceNow tables into Query to facilitate searching of a variety of CMDB CI items and ServiceNow’s Security Incident Response (SIR) tables. Our documentation now clearly spells out the permissions required and how to configure them, and the implementation has improved complex multi-conditional filtered searches against the various fields in onboarded tables.
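As an added example (not Query's connector code), here is the shape of the Table API work described above: composing a multi-conditional encoded query without letting a caller inject extra conditions, building the request, and discovering a table's columns from `sys_dictionary` while walking the inheritance chain (an `incident` column list is incomplete without its `task` parent). The paths and parameters (`/api/now/table/{table}`, `sysparm_query`, `sysparm_fields`, `sysparm_limit`, `sysparm_offset`, `sysparm_exclude_reference_link`) and the encoded-query syntax (`^` for AND, `^OR` for OR) are the documented Table API; requesting the dot-walked field `super_class.name` in `sysparm_fields` is an assumption to verify on your instance. `FakeSession` and its rows are constructed so the example runs offline.

```python
"""ServiceNow Table API helpers: injection-guarded encoded queries, request
building, and column discovery via sys_dictionary across table inheritance.

Added example for this blog post, not Query's connector code. Endpoint and
parameter names are the documented Table API; the dot-walked
`super_class.name` field is an assumption. FakeSession is CONSTRUCTED."""
from urllib.parse import urlencode, urlparse, parse_qs

ALLOWED_OPS = {"=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "STARTSWITH",
               "ENDSWITH", "IN", "NOT IN", "ISEMPTY", "ISNOTEMPTY"}


def _term(field, op, value=""):
    """One condition. Encoded queries have no escape for '^', so a value such
    as "x^ORactive=true" would silently widen the search; reject it."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    value = str(value)
    if "^" in value or "^" in field:
        raise ValueError("'^' is not allowed in a field or value")
    return f"{field}{op}{value}"


def encode_query(all_of, any_of=()):
    """AND together `all_of`; `any_of` becomes one ^OR group, which ServiceNow
    evaluates as (c1 OR c2 ...) AND the preceding conditions."""
    parts = [_term(*c) for c in all_of]
    if any_of:
        parts.append("^OR".join(_term(*c) for c in any_of))
    return "^".join(parts)


def table_request(table, query="", fields=(), limit=100, offset=0):
    params = {"sysparm_limit": limit, "sysparm_offset": offset,
              "sysparm_exclude_reference_link": "true"}
    if query:
        params["sysparm_query"] = query
    if fields:
        params["sysparm_fields"] = ",".join(fields)
    return f"/api/now/table/{table}?{urlencode(params)}"


def discover_columns(session, table):
    """element -> internal_type for `table` and every parent it extends."""
    columns, seen = {}, set()
    while table and table not in seen:
        seen.add(table)
        rows = session.get(table_request(
            "sys_dictionary",
            encode_query([("name", "=", table), ("element", "ISNOTEMPTY")]),
            fields=("element", "internal_type"), limit=1000))
        for r in rows:
            columns.setdefault(r["element"], r["internal_type"])  # child wins
        parent = session.get(table_request(
            "sys_db_object", encode_query([("name", "=", table)]),
            fields=("super_class.name",)))
        table = parent[0].get("super_class.name") if parent else None
    return columns


class FakeSession:
    """CONSTRUCTED stand-in for an authenticated session against
    /api/now/table; it understands only field=value terms joined by ^."""
    TABLES = {
        "sys_db_object": [{"name": "incident", "super_class.name": "task"},
                          {"name": "task", "super_class.name": ""}],
        "sys_dictionary": [
            {"name": "task", "element": "number", "internal_type": "string"},
            {"name": "task", "element": "active", "internal_type": "boolean"},
            {"name": "task", "element": "priority", "internal_type": "integer"},
            {"name": "incident", "element": "severity", "internal_type": "integer"},
            {"name": "incident", "element": "caller_id", "internal_type": "reference"},
        ],
    }

    def get(self, path):
        url = urlparse(path)
        table = url.path.rsplit("/", 1)[-1]
        q = parse_qs(url.query)
        terms = q.get("sysparm_query", [""])[0].split("^")
        wanted = dict(t.split("=", 1) for t in terms if "=" in t)
        rows = [r for r in self.TABLES.get(table, [])
                if all(r.get(k) == v for k, v in wanted.items())]
        off, lim = int(q["sysparm_offset"][0]), int(q["sysparm_limit"][0])
        fields = q["sysparm_fields"][0].split(",") if "sysparm_fields" in q else None
        return [{k: v for k, v in r.items() if not fields or k in fields}
                for r in rows[off:off + lim]]


if __name__ == "__main__":
    q = encode_query([("active", "=", "true"), ("priority", "<=", "2")],
                     any_of=[("assignment_group.name", "LIKE", "SOC"),
                             ("assignment_group.name", "LIKE", "IR")])
    print(table_request("incident", q, fields=("number", "short_description"), limit=50))
    print(discover_columns(FakeSession(), "incident"))
```

The `^` check in `_term` is the piece worth keeping even if you throw away the rest: a federated search engine passes analyst-typed values straight into `sysparm_query`, and the Table API enforces ACLs on the rows it returns but not on how wide the condition is.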
To learn more about our ServiceNow Connector, refer to our documentation.
Future Connectors
Expanding the reach of the Query Security Data Mesh is one of the most important things we can do in the product. Features such as Security Data Pipelines and Federated Detections matter too, but they do no good when the right data cannot be reached. To that end, here are some of the Connectors we're comfortable speaking about at this time.
- CrowdStrike Falcon: We’re never done with CrowdStrike! We are planning to separate each SKU into its own Connector, which means CrowdStrike Spotlight (vulnerability management) and CrowdStrike Identity Protection (ITDR) will be in their own Connectors.
This is useful for customers whose licenses differ by SKU, and it prevents spurious errors from being reported by our query engine when a search reaches an API the customer is not licensed for. It will also provide the framework for quicker iteration on future CrowdStrike Connectors aligned to different SKUs, with a common framework used in our backend.
- JumpCloud Directory Insights & SSO: JumpCloud is a Single Sign-On (SSO) and Mobile Device Management (MDM) suite that we use at Query primarily to manage devices, enforce software, manage passwords (optionally), and provide SAML-based SSO into other applications. JumpCloud also has several other capabilities such as a software catalog, LDAP connectivity, and more.
We are planning to onboard several "core" APIs such as Systems and Users, alongside Directory Insights audit logs covering SSO events, system lifecycle, password manager access, and M2M authentication. This will allow for greater situational awareness for customers using JumpCloud for SSO and MDM, as well as for the downstream IdPs we support such as Entra ID, Google Workspace, Auth0, and Okta.
- Microsoft Entra ID PIM: Entra ID Privileged Identity Management (formerly Azure AD PIM) enables workflows such as time-bound, just-in-time elevation of permissions, and keeps track of highly privileged users and identities in Entra ID. Entra ID PIM has three primary APIs that expose logs, permissions, and lifecycle separately. Our Connector will be standalone, outside the core Entra ID Connector, and will correlate and enrich these disaggregated APIs into one comprehensive OCSF Event Class you can search and correlate with other data.
We are also planning to support others, including very popular network security and email security tools. Follow Query on LinkedIn and subscribe to Query Comms so you don't miss any product announcements!
Conclusion
This latest set of new and updated Connectors – 1Password, OX Security, Push Security, CrowdStrike Falcon, and ServiceNow – significantly expands the reach and utility of the Query Security Data Mesh. By enabling federated search across these critical security and IT platforms, we continue to empower security teams to treat decentralized data as a unified source for rapid threat detection, incident response, and proactive security posture management.
The upcoming Connectors, such as additional CrowdStrike SKUs, JumpCloud, and Entra ID PIM, demonstrate our commitment to eliminating data silos. We encourage you to explore the documentation for these Connectors and start leveraging the power of federated search today to instantly gather context across all your environments. Contact your Query representative or visit our documentation hub to begin integrating these powerful new capabilities into your security operations.
If you want to see it in action yourself, get in touch with our team: we'll set you up with a trial and show you how to treat your data as a product and enable security decision support. SecDataOps Savages are standing by.
Stay Dangerous
