Introduction
What is FSQL?
Federated Search Query Language (FSQL) is Query's unified language for searching across multiple security data sources through a single interface. It lets security analysts retrieve, filter, and analyze events from diverse platforms without learning a different query language for each one.
How It Works
Query views all data through an OCSF lens: regardless of source, every record is represented as a standardized OCSF event. When you run an FSQL query, you select events and attributes from this data model, apply filters to narrow results, and optionally scope the search to specific connectors and time ranges.
Filters are predicates — an attribute, an operator, and a value (e.g., dns_activity.src_endpoint.ip = '10.0.0.1'). The available operators for a given attribute depend on its data type. Filters can be grouped with AND / OR and negated with NOT. For array fields, ANY and ALL quantifiers control how the predicate is evaluated against list elements.
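To make the quantifier semantics concrete, the following is an added Python sketch, not Query's code and not FSQL syntax, that evaluates predicates of this shape (dotted OCSF attribute path, operator, value, with AND/OR/NOT and ANY/ALL) against a constructed OCSF-style DNS Activity event; the event values and the `answers.rdata` path are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed OCSF-style DNS Activity event (illustrative values, not real telemetry).
DNS_EVENT = {
    "src_endpoint": {"ip": "10.0.0.1"},
    "query": {"hostname": "login.example.test"},
    "answers": [
        {"type": "A", "rdata": "203.0.113.7"},
        {"type": "A", "rdata": "203.0.113.9"},
    ],
}

def resolve(event, path):
    """Walk a dotted attribute path; stepping through an array yields a list."""
    cur = event
    for part in path.split("."):
        if isinstance(cur, list):
            cur = [item.get(part) for item in cur if isinstance(item, dict)]
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
    return cur

# A few operators of the kinds the text names: equality, substring, CIDR.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "contains": lambda a, b: isinstance(a, str) and b in a,
    "in_cidr": lambda a, b: a is not None and ip_address(a) in ip_network(b),
}

def predicate(path, op, value, quantifier="ANY"):
    """Build a filter. For list-valued attributes, ANY passes if one element
    matches; ALL requires every element to match (and at least one element)."""
    def check(event):
        got = resolve(event, path)
        values = got if isinstance(got, list) else [got]
        hits = [OPS[op](v, value) for v in values]
        return bool(hits) and (all(hits) if quantifier == "ALL" else any(hits))
    return check

# Logical combinators for grouping and negating predicates.
def AND(*fs): return lambda e: all(f(e) for f in fs)
def OR(*fs): return lambda e: any(f(e) for f in fs)
def NOT(f): return lambda e: not f(e)
```

The difference between the quantifiers shows on the two-element `answers` array: an equality test against one answer passes under ANY but fails under ALL, while a CIDR test covering both answers passes under either.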
Key Capabilities
- Unified access — search all your security data sources with one language.
- OCSF-based data model — a consistent schema across every connector.
- Powerful attribute selectors — wildcards, path expansions, category selectors, and set operations let you precisely target the fields you need.
- Entity (observable) shortcuts — track IPs, hostnames, hashes, usernames, and more across all mapped fields with a single %selector.
- Flexible time controls — relative, absolute, and epoch timestamps.
- Rich filtering — equality, substring, regex, CIDR, and list operators with logical combinators.
Next Steps
- New to FSQL? Start with the Quick Start — run your first query in under 60 seconds.
- Coming from Splunk? See FSQL for SPL Users for a side-by-side comparison.
- Coming from Microsoft Sentinel/Defender? See FSQL for KQL Users.
- Ready to go deep? The Query Syntax Reference covers every clause and field selection technique.