fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Ability to build "query workflows" #2235

Open rlynnj11 opened 2 years ago

rlynnj11 commented 2 years ago

Goal

Trigger queries based on the results of other queries. More abstractly, the ability to create workflows via low-code/no-code approach in the console available for less technical users.

Note: at time of writing this is a "nice to have" level priority

How?

High level: if a scheduled query finds $anything, it could in theory perform actions such as (a) do another, different query, (b) drop a notification in Slack, or (c) hit an API endpoint elsewhere to do a thing.

More granular examples:

  1. We get a CVE with a known field (to determine impact) that can be searched with osquery -> This triggers a scheduled query. -> Get the info and be able to quickly determine impact and reduce hours spent.
  2. These CVEs' arrival at our ticketing platform is unpredictable. An initial idea was to have a scheduled query run twice a week for these CVEs and essentially have the impact-determining info at the ready for a SecOps analyst to confirm. Another idea was to have the scheduled queries trigger after a certain amount of CVEs are ingested. Then run known impact-determining queries to reduce the amount of live query searches in Fleet or outside team/tool usage.
  3. Nested Query: No specific example, but I could foresee an "If, Then, Else" workflow process for queries determining impact of these vulns. If this vuln had this info turn up in the query, then run this query, else...

mikermcneil commented 2 years ago

This is achievable via the REST API today.

We're working with the customer on coming up with a more specific solution for their use case. I'm excited to say that this discussion is what led to the vulnerability automation features coming to Fleet early next year. See #3050 for more on that.
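The "if, then, else" query workflow sketched in the issue, as an added illustration that is not Fleet's code: the call that would actually run each query against Fleet's REST API is abstracted into an injected `runner` function (no endpoint is assumed), and the osquery SQL strings and their results are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

Rows = list[dict]
QueryRunner = Callable[[str], Rows]   # sql -> rows; in practice a call to Fleet's REST API
Action = Callable[[Rows], None]       # side effect such as a Slack message or a webhook call

@dataclass
class Step:
    name: str
    sql: str
    actions: list[Action] = field(default_factory=list)  # fired only when rows come back
    on_results: Optional["Step"] = None                  # "then" branch
    on_empty: Optional["Step"] = None                    # "else" branch

def run_workflow(step: Step, runner: QueryRunner, max_steps: int = 20) -> list[tuple[str, int]]:
    """Walk the workflow; return a trace of (step name, row count). max_steps guards against cycles."""
    trace: list[tuple[str, int]] = []
    current: Optional[Step] = step
    while current is not None:
        if len(trace) >= max_steps:
            raise RuntimeError("workflow exceeded max_steps; check for a cycle")
        rows = runner(current.sql)
        trace.append((current.name, len(rows)))
        if rows:
            for act in current.actions:
                act(rows)
            current = current.on_results
        else:
            current = current.on_empty
    return trace

# Constructed sample queries and results standing in for a live Fleet run (keyed by SQL).
SQL_IMPACT = "SELECT name, version FROM deb_packages WHERE name = 'libexample';"
SQL_EXPOSURE = "SELECT port FROM listening_ports WHERE port = 8443;"
SQL_INVENTORY = "SELECT count(*) AS n FROM deb_packages;"
FAKE_RESULTS = {SQL_IMPACT: [{"name": "libexample", "version": "1.0.1"}], SQL_EXPOSURE: [], SQL_INVENTORY: [{"n": 412}]}

def fake_runner(sql: str) -> Rows:
    return FAKE_RESULTS.get(sql, [])

def cve_triage_example() -> tuple[list[tuple[str, int]], list[str]]:
    """impact -> (then) exposure check, (else) plain inventory; returns (trace, notifications sent)."""
    sent: list[str] = []
    notify: Action = lambda rows: sent.append(f"{len(rows)} host row(s) matched")
    exposure = Step("exposure", SQL_EXPOSURE, actions=[notify])
    inventory = Step("inventory", SQL_INVENTORY)
    root = Step("impact", SQL_IMPACT, actions=[notify], on_results=exposure, on_empty=inventory)
    return run_workflow(root, fake_runner), sent
```

With the constructed data, the impact query matches one row, so a notification fires and the exposure query runs; it returns nothing, so the workflow stops without a second notification.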