Query Workers Gallery
Workers case examples across investigation, hunting, identity and vulnerability prioritization — each with the queries it ran, the sources it touched, and the analyst hours it saved.
Overnight Alerts → 5 Confirmed Kill Chains
Overnight triage across 120 unresolved alerts — each with documented rationale for analyst review. Workers surfaced 5 confirmed kill chains spanning EDR and cloud control-plane, prepared 115 for closure with documented disposition, and produced a single morning briefing for the on-call analyst. Cross-investigation memory connected three of the five.
ITDR Assessment — Service Account Browser Login
Eight MITRE ATT&CK identity techniques tested across 2 IdPs over 7 days. Surfaced a service account performing interactive browser logins outside its normal automation pattern, a 7-day insider-risk signal that no existing alert had fired on. Recommendation: re-scope the account's permissions and add a behavioral detection for interactive use of non-interactive accounts.
Two Unfamiliar Signins → 57-Host C2 Compromise
Two unfamiliar sign-in alerts, each low priority on its own. The senior reviewer correlated them against a prior contentserver C2 investigation and exposed a 57-host compromise. Here the review step moved severity up, not down: the agent's first pass had under-called the case.
Cross-Boundary Living-off-the-Land Hunt
Hypothesis: Living-off-the-Land activity crossing trust boundaries undetected. Identified WMI-launched process execution, rundll32 proxy execution of DLLs, and cron-scheduled task abuse operating below the existing detection threshold across both Windows and Linux fleets. Three techniques active; no SIEM rule had fired on any of them.
PowerShell Fileless Execution Hunt
Hypothesis: fileless PowerShell evading on-disk signature detection. Found encoded payloads executing from memory across 4 hosts, with parent-process chains tying back to a single compromised identity. Detection-engineer specialist produced a Sigma rule for the parent-process pattern.
Zircon Malware Cluster — 9 Endpoints
Defender flagged a malware family across 9 endpoints, all running elevated. Cross-verified low global prevalence (IsIoc flag set), no trusted code signature, and a consistent parent-process chain to confirm targeted deployment rather than opportunistic infection. Hosts contained inside 11 minutes of agent work.
Quarterly Entitlement Review — Cross-IdP
Two IdPs, 4 SaaS apps, one quarterly review. Surfaced 17 stale privileged grants left over from former roles, 9 dormant service accounts, and 4 entitlements requiring manager attestation. No active compromise indicators. Evidence pack auto-generated for SOC 2 CC6.1 / CC6.3.
Risk-Based Vulnerability Prioritization
1,247 open vulnerabilities. Four scoring dimensions: exploit intel (EPSS + CISA KEV), asset criticality, exposure, and compensating controls. 23 fast-tracked for emergency patching — including 4 that ranked low on raw CVSS but high on exposure × asset criticality.
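The scoring the card describes, as an added example written for this page rather than the product's own scoring logic. It multiplies the four dimensions (exploit intel capped at 1.0 for KEV-listed bugs, asset criticality, exposure, and a compensating-control discount) so that a low-CVSS finding on an internet-facing crown-jewel asset can outrank a critical-CVSS finding on an isolated, mitigated host. The findings, exposure weights and the 30-point fast-track threshold are constructed assumptions, not the page's data:

```python
from dataclasses import dataclass

# Constructed sample findings for illustration; not the 1,247 findings from the page.
@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool            # listed in CISA Known Exploited Vulnerabilities
    asset_criticality: int  # 1 (lab box) .. 5 (crown jewel)
    exposure: str           # "internet", "internal" or "isolated"
    compensating: float     # 0.0 (no control) .. 1.0 (fully mitigated, e.g. virtual patch, ACL)

# Assumed exposure weights; tune to the environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.15}

def exploit_intel(f: Finding) -> float:
    # KEV listing means confirmed in-the-wild exploitation; treat it as the ceiling
    # so that a stale EPSS score cannot pull a known-exploited bug down.
    return 1.0 if f.in_kev else f.epss

def risk_score(f: Finding) -> float:
    # Dimensions are multiplied, not summed: one weak dimension (isolated host,
    # effective compensating control) pulls the whole score down, while a
    # low-CVSS bug on an internet-facing crown jewel can still rank near the top.
    base = exploit_intel(f) * (f.asset_criticality / 5.0) * EXPOSURE_WEIGHT[f.exposure]
    return round(100.0 * base * (1.0 - f.compensating), 1)

def prioritize(findings, fast_track_threshold=30.0):
    """Return findings ranked by risk and the ids that cross the emergency-patch threshold."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    fast_track = [f.vuln_id for f in ranked if risk_score(f) >= fast_track_threshold]
    return ranked, fast_track

def cvss_only(findings):
    """The naive ordering a CVSS-driven process would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def low_cvss_fast_tracked(findings, cvss_cutoff=7.0):
    """Fast-tracked findings that a CVSS-only process (High = 7.0+) would have deprioritised."""
    _, fast_track = prioritize(findings)
    by_id = {f.vuln_id: f for f in findings}
    return [v for v in fast_track if by_id[v].cvss < cvss_cutoff]

# Constructed sample set: A is "critical" on paper but isolated and mitigated,
# B and D are moderate/low CVSS but internet-facing on a crown-jewel asset.
SAMPLE = [
    Finding("VULN-A", cvss=9.8, epss=0.02, in_kev=False, asset_criticality=2, exposure="isolated", compensating=0.5),
    Finding("VULN-B", cvss=5.3, epss=0.71, in_kev=True,  asset_criticality=5, exposure="internet", compensating=0.0),
    Finding("VULN-C", cvss=7.5, epss=0.10, in_kev=False, asset_criticality=3, exposure="internal", compensating=0.0),
    Finding("VULN-D", cvss=4.3, epss=0.35, in_kev=False, asset_criticality=5, exposure="internet", compensating=0.0),
]

if __name__ == "__main__":
    ranked, fast_track = prioritize(SAMPLE)
    for f in ranked:
        print(f"{f.vuln_id}: risk={risk_score(f):5.1f} cvss={f.cvss}")
    print("fast-track:", fast_track)
    print("cvss-only order:", cvss_only(SAMPLE))
    print("low-CVSS but fast-tracked:", low_cvss_fast_tracked(SAMPLE))
```

The multiplicative form is deliberate: a weighted sum lets a 9.8 CVSS dominate no matter how unreachable the host is, whereas a product makes "reachable, valuable, exploited" the only way to the top of the list.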
Malicious File Detections — Active C2 Infrastructure
Three alerts within a 12-hour window, three different LOLBins (bitsadmin, certutil, encoded PowerShell). A hash pivot surfaced 3 more compromised hosts, including a Linux web server with /etc/ld.so.preload persistence, and confirmed that all 3 known-bad hosts are actively port-scanning external infrastructure. FATAL alert on credential dumping (T1003) on DESKTOP-1043.
YTTRIUM APT Multi-Host Compromise: Self-Correction
A 30-day lookback returned ~600 detection records, 53 labeled APT28 (Dukozy, Seadask, YTTRIUM). Workers built a high-confidence nation-state verdict. The senior reviewer caught that the enrichment queries had dropped the status filter the intake query applied: all 53 had already been resolved as benign by the source platform. Attribution withdrawn, severity dropped to Standard.
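The failure mode in this card is a scope mismatch between an intake query and the enrichment that follows it. The added example below is written for this page, not taken from the product: it models intake as a status-filtered query, shows an enrichment that re-queries by label alone and silently widens scope, and adds the reconciliation check a reviewer would apply before accepting an attribution, namely that every enriched record id must also appear in the intake set. The detection records, hostnames and the `APT_LABELS` set are constructed assumptions:

```python
from collections import Counter

# Constructed detection records standing in for a 30-day lookback; not the page's data.
DETECTIONS = [
    {"id": "d1", "label": "YTTRIUM",   "host": "ws-01",  "status": "resolved", "disposition": "benign"},
    {"id": "d2", "label": "YTTRIUM",   "host": "ws-02",  "status": "resolved", "disposition": "benign"},
    {"id": "d3", "label": "YTTRIUM",   "host": "srv-09", "status": "resolved", "disposition": "benign"},
    {"id": "d4", "label": "Commodity", "host": "ws-05",  "status": "open",     "disposition": None},
    {"id": "d5", "label": "Commodity", "host": "ws-06",  "status": "open",     "disposition": None},
]

# Assumption: the labels the source platform applies to the actor in question.
APT_LABELS = frozenset({"YTTRIUM"})

def intake(records, status="open"):
    """The intake query: only unresolved detections are in scope."""
    return [r for r in records if r["status"] == status]

def enrich_naive(records, label):
    """Enrichment that re-queries the source by label alone; the status predicate is lost."""
    return [r for r in records if r["label"] == label]

def enrich_scoped(records, label, scope_ids):
    """Enrichment pinned to the ids intake returned, so it can never widen the scope."""
    return [r for r in records if r["label"] == label and r["id"] in scope_ids]

def out_of_scope(intake_rows, enriched_rows):
    """Ids that enrichment returned but intake never did. Non-empty means a dropped filter."""
    return sorted({r["id"] for r in enriched_rows} - {r["id"] for r in intake_rows})

def verdict(intake_rows, enriched_rows):
    """Refuse to escalate on enrichment that does not reconcile against the intake set."""
    leaked = out_of_scope(intake_rows, enriched_rows)
    if leaked:
        return {"severity": "Standard", "attribution": None,
                "reason": f"enrichment returned {len(leaked)} records outside intake scope: {leaked}"}
    apt_hits = Counter(r["label"] for r in enriched_rows if r["label"] in APT_LABELS)
    if apt_hits:
        return {"severity": "Critical", "attribution": sorted(apt_hits),
                "reason": f"{sum(apt_hits.values())} unresolved actor-labelled detections"}
    return {"severity": "Standard", "attribution": None,
            "reason": "no unresolved actor-labelled detections"}

if __name__ == "__main__":
    open_rows = intake(DETECTIONS)
    # Naive enrichment pulls in three already-resolved records and is rejected.
    print("naive: ", verdict(open_rows, enrich_naive(DETECTIONS, "YTTRIUM")))
    # Scoped enrichment finds nothing unresolved, so no attribution is made.
    scoped = enrich_scoped(DETECTIONS, "YTTRIUM", {r["id"] for r in open_rows})
    print("scoped:", verdict(open_rows, scoped))
```

The check is cheap and generic: any time a pipeline issues a second query against the same source, the second result set should be a subset of the first on the key the investigation is scoped by, and a verdict should not be formed until that subset property holds.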
See what your team can do with Query Workers.
Bring the alerts and work your team never gets to.
