Threat Hunt
ES|QL-powered hunting tools — the same tools used by the DCO Triage Agent
Correlated Events by IP
Build a timeline of all security events from a suspicious IP within 24 hours.
Beaconing Detection
Identify C2 beaconing patterns — outbound connections recurring at regular intervals.
Lateral Movement
Detect credential abuse — the same user or IP authenticating to multiple hosts.
Process Chain Analysis
Analyze parent-child process trees on a host (e.g., EXCEL → cmd → powershell).