Basic querying is something, but it isn't what a security operations center really wants. They want a query language that enables correlation searching with high performance.

This has a user experience component, of course, but is not strictly about UX. One thing we can hopefully do is keep as much of this running on both the server side and the client side, so that we can share as much of this logic as possible.

This also requires a DSL to be able to express the queries.