Sub-second search · 2,000+ correlation rules · UEBA-powered anomaly detection
Impossible travel: London login 2h after Tokyo logout
C2 beaconing to known-bad domain: cryptolock[.]refund
Suspicious PowerShell: encoded command + execution policy bypass
Privilege escalation: admin role assumed without MFA
Unusual query pattern: 8,000 reads in 60s from analytics service
Port scan from external IP: 1,400 probes in 3m
Successful MFA challenge for jdoe@example.com
Ransomware process behaviour: VSS deletion + encryption APIs