siem-query
Install: claude install-skill roodlicht/accans-sec-skills
# SIEM Query Builder
> **Performance discipline**: a correct query that does not return in reasonable time is operationally unusable. A lot of SOC time is lost to queries that scan far more data than they need to. The second half of this skill is performance discipline, not just syntax.
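As an added example (not part of this skill's own tooling), the checks below flag the scan-everything patterns the note above is about, using Splunk SPL as the concrete case: a base search without `index=`, no time bounds, a leading wildcard in a field value, and filtering with `| search` after the first pipe instead of in the base search. The sample queries, index and sourcetype names, and the heuristics themselves are constructed for illustration; the same discipline applies to KQL (scope by table and `TimeGenerated`) and to Elastic queries (scope by index pattern and `@timestamp`).

```python
"""Heuristic performance lint for Splunk SPL searches.

Added example: the checks are illustrative heuristics, not a complete
analysis of Splunk's search planner. Query text and index/sourcetype
names below are constructed, not taken from any real environment.
"""
import re

# Constructed sample queries: the same detection logic (brute-force logons,
# last 24h) written once unscoped and once scoped.
SLOW_QUERY = (
    "EventCode=4625 "
    "| search user=* "
    "| stats count by user | where count > 20"
)
FAST_QUERY = (
    "index=wineventlog sourcetype=XmlWinEventLog:Security EventCode=4625 "
    "earliest=-24h latest=now "
    "| stats count by user | where count > 20"
)
# Scoped, but the leading wildcard forces a scan of every value of url.
WILDCARD_QUERY = (
    "index=proxy earliest=-1h url=*evil.example | table _time src url"
)


def lint_spl(query: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for one SPL search string."""
    findings: list[tuple[str, str]] = []
    # Everything before the first pipe is the base search, the only part
    # that decides which index buckets Splunk has to read at all.
    base = query.split("|", 1)[0]

    if not re.search(r"\bindex\s*=", base):
        findings.append((
            "no-index",
            "base search has no index=; Splunk reads every index the role can see",
        ))
    if not re.search(r"\b(earliest|latest)\s*=", query):
        findings.append((
            "no-time-bounds",
            "no inline earliest=/latest=; confirm the scheduler or search bar sets a range",
        ))
    # A value that starts with '*' (but is not just '*', which only means
    # 'field exists') cannot use the indexed term lookup.
    if re.search(r'=\s*"?\*[^\s*|"]', query):
        findings.append((
            "leading-wildcard",
            "field value starts with '*'; the term index cannot be used",
        ))
    # '| search' after the first pipe filters events that were already
    # retrieved; the same predicate belongs in the base search.
    if re.search(r"\|\s*search\b", query):
        findings.append((
            "late-search",
            "'| search' after the base search; move the filter into the base search",
        ))
    return findings


def finding_codes(query: str) -> list[str]:
    """Just the short codes, convenient for reporting and assertions."""
    return [code for code, _ in lint_spl(query)]


if __name__ == "__main__":
    for name, q in (("SLOW", SLOW_QUERY), ("FAST", FAST_QUERY),
                    ("WILDCARD", WILDCARD_QUERY)):
        print(f"{name}: {q}")
        for code, msg in lint_spl(q) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

The rewritten `FAST_QUERY` returns the same users as `SLOW_QUERY`, but restricts the read to one index, one sourcetype, and 24 hours before any event is decompressed; that, not the `stats` stage, is where the time difference comes from.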
## When to use
This skill is the tooling substrate underneath `detection-engineer` (rules), `log-triage` (incident investigation), `threat-hunt` (proactive), and `ioc-hunter` (enrichment queries).
Triggers on:
- A question like "write an SPL for X", "translate this KQL into EQL", "why is my query slow", "which index for this data", "set up a summary index".
- Cross-platform migration, or a multi-platform organization where the same detection logic must exist on more than one SIEM.
- Performance tuning of existing queries that are too slow for real-time alerting.
- Setting up data models (Splunk CIM, Sentinel ASIM/Watchlist, Elastic ECS) for a consistent schema across sources.
### When NOT (handoff)
- Detection-rule design and lifecycle → `detection-engineer`, `alert-tuning`. This skill provides query building blocks; those skills handle the lifecycle.
- Triage of live alerts/events → `log-triage`. This skill provides the query; that one analyses the result.
- IOC-feed management and threat-intel enrichment → `ioc-hunter`.
- Threat-hunt hypothesis design → `threat-hunt` (command).
- Forensic depth → `forensics-assist`.
- Log-pipeline engineering (collection, parsing, enrichment) → ops team. This skill works wi