Security Operations has always been a data game. Every investigation, detection, or response workflow depends on how quickly teams can access, understand, and act on information. The challenge isn’t a lack of data; it’s the inconsistency across data sets when every system speaks its own language.

At Query, we see this as a missed opportunity. Security-relevant data, whether it lives in your SIEM, data lake, endpoint tools, or identity systems, should be treated as a product: clean, consistent, and ready to be consumed by security teams. That’s what data normalization enables, and why we’ve enhanced our Configure Schema feature.

Turning Siloed Data into a Strategic Asset

Data normalization is the foundation of an effective security data mesh. It transforms the inconsistent, source-specific formats from dozens of tools into a common structure, allowing security data to be used seamlessly across use cases, from detections and threat hunting to investigations and compliance reporting.

When data is normalized:

  • Correlations span more sources. Analysts can connect events across systems that were never designed to work together. A suspicious login, a data transfer, and a privilege escalation can be recognized as part of the same attack chain.
  • Investigations get faster. Every field—IP, user, hostname—means the same thing everywhere. That removes the “translation tax” analysts pay with every pivot.
  • Automation gets smarter. Normalized data improves the precision of machine learning and AI models, reducing noise and false positives.
  • Compliance gets easier. Reporting and audit evidence draw from one consistent data model, reducing manual cleanup and validation.

Normalization turns scattered data into operational leverage.
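To make the correlation point concrete, here is an added example (not Query’s code and not the Query Data Model, whose field names are not shown on this page): two constructed records, a login from an identity provider and a privilege escalation from an endpoint tool, are mapped onto one assumed common schema, after which a single correlation routine can match them by user and host even though the sources never shared a format.

```python
# Added example, not Query's code: normalize two constructed log shapes into one
# assumed common schema (field names are illustrative, not the Query Data Model),
# then correlate across sources by user.
from datetime import datetime, timezone

# Constructed sample records: an identity-provider login and an EDR
# privilege-escalation event, each in its own vendor-specific format.
IDP_LOGIN = {"ts": "2024-05-01T10:00:00Z", "subject": "alice", "src": "203.0.113.7",
             "result": "SUCCESS", "device": "LAPTOP-01"}
EDR_PRIVESC = {"timestamp": 1714557900, "user_name": "ALICE", "host": "laptop-01",
               "action": "sudo_to_root", "ipv4": "203.0.113.7"}

def from_idp(rec):
    """Map an IdP record onto the common schema (case-folded user/host, UTC time)."""
    return {"time": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "user": rec["subject"].lower(), "host": rec["device"].lower(),
            "src_ip": rec["src"], "class": "authentication",
            "outcome": "success" if rec["result"] == "SUCCESS" else "failure",
            "source": "idp"}

def from_edr(rec):
    """Map an EDR record onto the same schema; epoch seconds become UTC time."""
    return {"time": datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc),
            "user": rec["user_name"].lower(), "host": rec["host"].lower(),
            "src_ip": rec["ipv4"], "class": "privilege_escalation",
            "outcome": "success", "source": "edr"}

def correlate(events, window_seconds=900):
    """Return (user, host, seconds) for each successful login followed on the
    same host by a privilege escalation within the window, across sources."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        logins = [e for e in evs
                  if e["class"] == "authentication" and e["outcome"] == "success"]
        escalations = [e for e in evs if e["class"] == "privilege_escalation"]
        for login in logins:
            for esc in escalations:
                delta = (esc["time"] - login["time"]).total_seconds()
                if esc["host"] == login["host"] and 0 <= delta <= window_seconds:
                    hits.append((user, login["host"], int(delta)))
    return hits

if __name__ == "__main__":
    print(correlate([from_idp(IDP_LOGIN), from_edr(EDR_PRIVESC)]))
```

Without the case-folding and timestamp conversion in the two mapping functions, `ALICE` on `laptop-01` and `alice` on `LAPTOP-01` would never join, which is the "translation tax" the post describes.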

Mapping Data in Minutes, Not Hours

That’s where Configure Schema comes in. Mapping data from disparate sources can usually take hours of a security engineer’s time. With the latest release of Configure Schema, it takes less than 15 minutes.

A new multi-step wizard streamlines the process from field import to schema mapping to validation. The enhanced data mapping CoPilot recommends event classes and attribute mappings automatically. You can map data stored in a dynamic source like Splunk, Snowflake, or Amazon S3 to the Query Data Model in minutes, not hours.

A Simpler Path to Normalized, Federated Security Data

These enhancements aren’t just about speed—they’re about enabling the broader vision we’ve been building toward: a security data mesh that connects all your relevant data without the need to centralize it. Query’s Configure Schema is the bridge between your dynamic sources and our common data model, allowing you to use what you already have, without having to build or maintain data pipelines.

This aligns directly with our product mission: to make it easier to use distributed security data as a strategic advantage, so teams spend less time wrangling data and more time improving security outcomes.

See It in Action

You can read Query VP & Distinguished Engineer Jonathan Rau’s deep dive on the enhanced Configure Schema experience here.

Or, if you’d like to explore how Query can help your team normalize, connect, and operationalize security data across your environment, speak with one of our SecDataOps experts.