Security operations is undergoing a transformation. Teams are demanding data infrastructure that is not only open and composable, but also optimized for scale and simplicity. With our latest release, we are making the second generation of the Tenzir Query Language (TQL) the default, just six months after its initial debut. Let's recap what we've achieved—in numbers.
🎯 167 Operators: The Largest Security Data Toolbox Yet
Tenzir now ships with 167 built-in operators, each a purpose-built tool for ingesting, transforming, enriching, or exporting data. These include:
Input & Output Operators: Native integrations with tools like Suricata, Zeek, Kafka, Elasticsearch, AWS S3, and more.
Transformation Operators: Filter, map, reduce, reshape, sample, sort, and enrich data with surgical precision.
Utility & Diagnostic Operators: Measure performance, capture metrics, log pipeline behavior, and more.
This unmatched breadth of operators means fewer custom scripts, faster iteration, and easier data onboarding for teams across security and platform engineering. All with a single pipeline tool.
🌐 33 First-Class Integrations: Ready for Your Stack
We now have 33 native, high-performance integrations with core SecOps tools.
Cloud: Amazon S3, Google Cloud Pub/Sub, Azure Blob Storage
Streaming: Apache Kafka, MQTT, ZeroMQ
SIEMs and Data Stores: Elasticsearch, Amazon Security Lake, Google SecOps, Azure Log Analytics
Security Tools: Suricata, Zeek, Velociraptor, YARA
This growing catalog of direct integrations reduces glue code, accelerates time-to-value, and enables composability across traditionally siloed domains.
🚀 TQL: Built for Humans and Machines
TQL is a clean, expressive language for security data operations—designed for today’s data engineers and tomorrow’s AI copilots.
Highlights:
AI readability: TQL is engineered for better compatibility with large language models, making it easier to auto-generate, debug, or explain pipelines.
Human writability: Anyone familiar with Splunk’s SPL or Microsoft’s KQL will feel right at home in TQL.
As-code deployability: Tired of giant YAML or JSON diffs? TQL diffs surgically, letting you track pipeline changes with precision in your CI/CD workflow.
In short: TQL is a query language that empowers humans and scales with automation.
The use case of mapping data to OCSF deserves particular attention. Whenever we find something takes too long, feels too clunky, or is simply not possible to express, we adapt the language. Countless iterations brought us to a state where humans and AI can quickly generate intricate end-to-end transformations in TQL.
Here is just one example from our open source Zeek OCSF mappings:
This assignment transposes the two arrays zeek.answers and zeek.TTLs into a new list of records, as needed for OCSF. The new move keyword takes care of removing the original fields from the zeek record such that unmapped only keeps the fields that have not been touched.
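To make the semantics of that assignment concrete, here is the same transposition written out in plain Python as an added illustration; it is not Tenzir's code and not TQL, the sample Zeek dns.log event is constructed, and the OCSF field names rdata, ttl, hostname and type are used as the target shape.

```python
from typing import Any

# Constructed sample: one Zeek dns.log event, with the two parallel
# arrays (answers, TTLs) that OCSF wants as a single list of records.
ZEEK_DNS_EVENT: dict[str, Any] = {
    "ts": "2024-01-01T00:00:00Z",
    "query": "example.com",
    "qtype_name": "A",
    "answers": ["93.184.216.34", "93.184.216.35"],
    "TTLs": [300.0, 300.0],
    "rcode_name": "NOERROR",
}


def move(record: dict[str, Any], field: str) -> Any:
    """Mirror the TQL `move` keyword: return the field's value and delete
    it from the source record, so whatever remains is truly unmapped."""
    return record.pop(field, None)


def transpose_answers(zeek: dict[str, Any]) -> list[dict[str, Any]]:
    """Zip zeek.answers and zeek.TTLs into a list of {rdata, ttl} records,
    removing both source arrays from the record in the process."""
    answers = move(zeek, "answers") or []
    ttls = move(zeek, "TTLs") or []
    if len(answers) != len(ttls):
        # Zeek writes both vectors with equal length; a mismatch is a
        # malformed event, so fail loudly instead of pairing silently.
        raise ValueError(f"answers/TTLs length mismatch: {len(answers)} vs {len(ttls)}")
    return [{"rdata": rdata, "ttl": ttl} for rdata, ttl in zip(answers, ttls)]


def map_to_ocsf(event: dict[str, Any]) -> dict[str, Any]:
    """Build the OCSF-shaped record; fields never moved end up in `unmapped`."""
    zeek = dict(event)  # work on a copy, because move() mutates it
    answers = transpose_answers(zeek)
    query = {"hostname": move(zeek, "query"), "type": move(zeek, "qtype_name")}
    return {"answers": answers, "query": query, "unmapped": zeek}
```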
The future of security data operations is open, composable, and unstoppable. Let’s build it together. Whether you’re modernizing detection infrastructure, enriching alerts with context, or building data flows that bridge sensors and storage—TQL gives you the power, flexibility, and clarity to do it better.