Federated Detections

Detect security threats across all your data sources in real-time without moving or duplicating data. Federated Detections provide automated monitoring, intelligent alerting, and rapid response capabilities.

Overview

Federated Detections revolutionize security monitoring by enabling real-time threat detection across all your distributed data sources, without the need to duplicate, move, or centralize your data. Built on the Query Security Data Mesh, Federated Detections continuously monitor for indicators of compromise, policy violations, or suspicious activities across your entire security ecosystem.

How It Works

Federated Detections operate through a streamlined process that delivers immediate security insights:

1. Continuous Monitoring

Scheduled FSQL queries execute across your federated data sources at configured intervals, searching for security patterns and anomalies.

2. Intelligent Analysis

Each detection evaluates results against configurable thresholds to determine if suspicious activity has occurred.

3. Instant Alerting

When threats are detected, alerts are automatically dispatched through your preferred channels—webhooks, email, Slack, or custom integrations.

4. Investigation Ready

Every alert includes a replay link that takes you directly to the Query.ai interface for immediate investigation.

Detection Outcomes

Every detection run produces one of three clear outcomes:

MATCHED

Suspicious activity detected that meets your configured criteria. Alerts are automatically dispatched and investigation links are generated.

NOT_MATCHED

No threats detected in the monitoring window. Your environment is operating normally according to the detection criteria.

ERROR

Detection execution encountered an issue. Error details are logged and can trigger alerts for immediate attention.

Key Benefits

Zero Data Movement

Query your data where it lives without ETL processes, data duplication, or storing data in Query. Federated Detections work directly with your existing data infrastructure.

Real-Time Protection

Early termination technology can stop searches as soon as threats are found, delivering alerts in seconds rather than waiting for complete query execution.

Cost Effective

Smart thresholding means searches stop when criteria are met, reducing compute costs while maintaining comprehensive security coverage.

Complete Audit Trail

Every detection run is logged with full details including match counts, execution times, and investigation links for compliance and forensics.
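The run, evaluate, alert and audit loop described in "How It Works", "Detection Outcomes" and "Key Benefits" above, as an added Python illustration (not Query.ai's code and not FSQL): the three outcome names are the page's, but the scheduled FSQL query is stood in for by a plain Python generator that walks each federated source lazily, the threshold is a minimum match count, early termination stops reading as soon as that count is reached, the replay link format is an assumption, and the sample rows and source names are constructed.

```python
"""Added illustration of a federated detection run. Not Query.ai's code:
the FSQL query is replaced by a lazy Python generator, the replay-link URL
format is assumed, and all sample rows below are constructed."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Iterator, Optional


class Outcome(Enum):
    MATCHED = "MATCHED"          # threshold reached -> alert + replay link
    NOT_MATCHED = "NOT_MATCHED"  # nothing in the window met the criteria
    ERROR = "ERROR"              # execution failed; logged, can also alert


@dataclass
class RunRecord:
    """Audit-trail entry written for every run, whatever the outcome."""
    detection: str
    severity: str
    outcome: Outcome
    match_count: int
    threshold: int
    early_stopped: bool
    duration_ms: float
    error: Optional[str] = None
    replay_link: Optional[str] = None


def federated_query(sources: dict[str, Iterable[dict]],
                    predicate: Callable[[dict], bool],
                    consumed: list[int]) -> Iterator[dict]:
    """Walk each source in turn without copying it, yielding matching rows.
    `consumed` is a one-element counter so the caller can see how many rows
    were actually read; early termination leaves the rest unread."""
    for name, rows in sources.items():
        for row in rows:
            consumed[0] += 1
            if predicate(row):
                yield {**row, "source": name}


def run_detection(name: str, severity: str, query: Callable[[], Iterator[dict]],
                  threshold: int,
                  replay_base: str = "https://query.example/replay") -> RunRecord:
    """Execute one scheduled run and classify it as MATCHED / NOT_MATCHED / ERROR."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    start = time.perf_counter()
    matches, early, error = 0, False, None
    try:
        for _ in query():
            matches += 1
            if matches >= threshold:   # early termination: stop paying for the rest
                early = True
                break
    except Exception as exc:           # a source timed out, was unreachable, etc.
        error = f"{type(exc).__name__}: {exc}"
    duration_ms = (time.perf_counter() - start) * 1000
    if error is not None:
        outcome = Outcome.ERROR
    elif matches >= threshold:
        outcome = Outcome.MATCHED
    else:
        outcome = Outcome.NOT_MATCHED
    link = f"{replay_base}?detection={name}" if outcome is Outcome.MATCHED else None
    return RunRecord(name, severity, outcome, matches, threshold, early,
                     duration_ms, error, link)


def alert_payload(rec: RunRecord) -> Optional[dict]:
    """Structured body to hand to a webhook/email/Slack sender; None if nothing to send."""
    if rec.outcome is Outcome.NOT_MATCHED:
        return None
    return {"detection": rec.detection, "severity": rec.severity,
            "outcome": rec.outcome.value, "match_count": rec.match_count,
            "replay_link": rec.replay_link, "error": rec.error}


# Constructed sample rows standing in for two federated authentication sources.
SAMPLE_SOURCES = {
    "idp_a": [
        {"user": "alice", "src_ip": "203.0.113.7", "result": "FAILURE"},
        {"user": "alice", "src_ip": "203.0.113.7", "result": "FAILURE"},
        {"user": "bob", "src_ip": "198.51.100.2", "result": "SUCCESS"},
        {"user": "alice", "src_ip": "203.0.113.7", "result": "FAILURE"},
        {"user": "alice", "src_ip": "203.0.113.7", "result": "FAILURE"},
    ],
    "idp_b": [
        {"user": "carol", "src_ip": "203.0.113.7", "result": "FAILURE"},
        {"user": "dave", "src_ip": "192.0.2.9", "result": "SUCCESS"},
        {"user": "carol", "src_ip": "203.0.113.7", "result": "FAILURE"},
        {"user": "carol", "src_ip": "203.0.113.7", "result": "FAILURE"},
    ],
}


def unreachable_source() -> Iterator[dict]:
    """Constructed source that fails on first read, to exercise the ERROR path."""
    raise ConnectionError("source unreachable")
    yield  # noqa: unreachable, but makes this function a generator


def demo(threshold: int, sources=SAMPLE_SOURCES) -> tuple[RunRecord, int]:
    """Run the failed-login detection once; return the record and rows read."""
    consumed = [0]
    rec = run_detection(
        "failed_logins", "HIGH",
        lambda: federated_query(sources, lambda r: r["result"] == "FAILURE", consumed),
        threshold)
    return rec, consumed[0]


if __name__ == "__main__":
    for th in (3, 10):
        rec, read = demo(th)
        print(rec.outcome.value, rec.match_count, "matches,", read, "rows read",
              "(early stop)" if rec.early_stopped else "", alert_payload(rec))
```

With a threshold of 3 the run stops after reading four of the nine rows and reports MATCHED; with a threshold of 10 every row is read and the outcome is NOT_MATCHED with the full count of seven recorded in the audit entry, and a source that raises produces an ERROR record whose payload still goes out so the failure is noticed.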

Common Use Cases

Failed Authentication Monitoring

Detect suspicious login patterns, brute force attacks, and credential compromise attempts across all your authentication systems.

Example Detection: Monitor for multiple failed login attempts from the same source IP within a 15-minute window across all identity providers.
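The example detection above, written out as added Python (not Query.ai's code and not FSQL): events from two identity providers with different field names are normalized to one shape, then a sliding 15-minute window per source IP counts failures across both providers and reports an IP the first time its count reaches the threshold. Provider names, field names and all events are constructed for the example.

```python
"""Added example of the 'many failed logins from one source IP in 15 minutes'
detection across identity providers. Not Query.ai's code; the provider
schemas and events below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Iterator

WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Finding:
    src_ip: str
    failures: int
    window_start: datetime
    window_end: datetime
    providers: tuple[str, ...]   # which providers contributed to the count


def normalize(raw_by_provider: dict[str, list[dict]]) -> Iterator[dict]:
    """Map each provider's own (constructed) schema onto one common shape."""
    for provider, rows in raw_by_provider.items():
        for r in rows:
            if provider == "idp_a":
                yield {"ts": r["time"], "src_ip": r["client_ip"],
                       "result": r["outcome"], "provider": provider}
            elif provider == "idp_b":
                yield {"ts": r["event_time"], "src_ip": r["ip"],
                       "result": "FAILURE" if r["error_code"] else "SUCCESS",
                       "provider": provider}


def detect_failed_logins(events: Iterable[dict], threshold: int = 5,
                         window: timedelta = WINDOW) -> list[Finding]:
    """Sliding-window count of failures per source IP, merged across providers.
    Each IP is reported once, at the moment it first reaches the threshold."""
    ordered = sorted(events, key=lambda e: e["ts"])
    recent: dict[str, deque] = defaultdict(deque)   # ip -> (ts, provider) in window
    findings, flagged = [], set()
    for e in ordered:
        if e["result"] != "FAILURE":
            continue
        q = recent[e["src_ip"]]
        q.append((e["ts"], e["provider"]))
        while q and e["ts"] - q[0][0] > window:    # evict events older than the window
            q.popleft()
        if len(q) >= threshold and e["src_ip"] not in flagged:
            flagged.add(e["src_ip"])
            findings.append(Finding(e["src_ip"], len(q), q[0][0], e["ts"],
                                    tuple(sorted({p for _, p in q}))))
    return findings


def _t(minutes: int) -> datetime:
    """Constructed timestamps: minutes after 09:00 UTC on a fixed day."""
    return datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed raw events. 203.0.113.7 fails 3x on idp_a and 2x on idp_b within
# 12 minutes; 198.51.100.2 fails 5x but 20 minutes apart; 192.0.2.9 fails 4x.
RAW_EVENTS = {
    "idp_a": [
        {"time": _t(0), "client_ip": "203.0.113.7", "outcome": "FAILURE"},
        {"time": _t(3), "client_ip": "203.0.113.7", "outcome": "FAILURE"},
        {"time": _t(6), "client_ip": "203.0.113.7", "outcome": "FAILURE"},
        {"time": _t(7), "client_ip": "198.51.100.2", "outcome": "SUCCESS"},
        {"time": _t(0), "client_ip": "198.51.100.2", "outcome": "FAILURE"},
        {"time": _t(20), "client_ip": "198.51.100.2", "outcome": "FAILURE"},
        {"time": _t(40), "client_ip": "198.51.100.2", "outcome": "FAILURE"},
    ],
    "idp_b": [
        {"event_time": _t(9), "ip": "203.0.113.7", "error_code": 50126},
        {"event_time": _t(12), "ip": "203.0.113.7", "error_code": 50126},
        {"event_time": _t(60), "ip": "198.51.100.2", "error_code": 50126},
        {"event_time": _t(80), "ip": "198.51.100.2", "error_code": 50126},
        {"event_time": _t(30), "ip": "192.0.2.9", "error_code": 50126},
        {"event_time": _t(31), "ip": "192.0.2.9", "error_code": 50126},
        {"event_time": _t(32), "ip": "192.0.2.9", "error_code": 50126},
        {"event_time": _t(33), "ip": "192.0.2.9", "error_code": 50126},
        {"event_time": _t(34), "ip": "192.0.2.9", "error_code": 0},
    ],
}


def run(threshold: int = 5) -> list[Finding]:
    return detect_failed_logins(normalize(RAW_EVENTS), threshold)


if __name__ == "__main__":
    for f in run():
        print(f"{f.src_ip}: {f.failures} failures {f.window_start:%H:%M}-"
              f"{f.window_end:%H:%M} via {', '.join(f.providers)}")
```

Only 203.0.113.7 is reported at the default threshold, and only because the two providers' failures are counted together; neither provider alone shows five. The IP with five failures spread twenty minutes apart is never flagged, which is the point of the window, and lowering the threshold to four additionally surfaces 192.0.2.9.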

Data Exfiltration Detection

Identify unusual data transfer patterns, large file downloads, and off-hours data access that could indicate data theft.

Example Detection: Alert on data transfers exceeding 1GB outside business hours or to unusual destinations.

Privilege Escalation Alerts

Catch attempts to escalate privileges, unauthorized administrative actions, and suspicious elevation of user permissions.

Example Detection: Monitor for successful privilege escalation by non-administrative users across endpoint and identity systems.

Insider Threat Detection

Identify anomalous user behavior, policy violations, and activities that deviate from normal patterns.

Example Detection: Detect users accessing sensitive resources outside their normal access patterns or business hours.

Alert Integration

Federated Detections integrate seamlessly with your existing security workflow:

  • Webhooks: Send structured detection data to your SIEM, SOAR, or custom applications
  • Email Notifications: Deliver alerts directly to security team inboxes with investigation links
  • Slack Integration: Post alerts to dedicated security channels for team collaboration
  • Custom Handlers: Build integrations with PagerDuty, ServiceNow, or any system via our extensible alert framework

Configuration & Management

Flexible Scheduling

Set detection frequencies that match your security requirements—from every minute for critical threats to hourly for baseline monitoring.

Threshold Control

Configure match thresholds to balance alert volume with detection sensitivity. Set higher thresholds for noisy environments or lower thresholds for critical assets.

Severity Classification

Categorize detections by severity (LOW, MEDIUM, HIGH, CRITICAL) to prioritize response efforts and route alerts appropriately.

Multi-Tenant Support

Organize detections by tenant, team, or business unit with isolated configuration and alert routing.

Getting Started

Define Your Detection Logic

Work with our team to identify the security patterns most relevant to your environment and create FSQL queries that detect them.

Configure Alert Routing

Set up alert destinations to ensure the right people get notified when threats are detected—integrate with your existing tools and workflows.

Federated Detections provide the automated monitoring and rapid alerting capabilities your security team needs, without the overhead of traditional SIEM data ingestion. Experience the power of detecting threats across your entire data ecosystem in real-time.


Ready to implement Federated Detections in your environment? Contact your Query.ai representative to discuss detection strategies tailored to your security requirements.