Platform Capabilities

Advanced features for serious security teams

Identity Resolution

IPs to Names. Automatically.

`resolve_identity` correlates IPs to hostnames across DHCP, EDR, and proxy logs. Temporal joins (matching each event against the lease or session that was active at its timestamp) keep the mapping accurate even when IPs are dynamic. NAT detection flags suspicious IPs that map to many hosts at once.

Example (UI mock-up):

resolve_identity 192.168.1.50 → jsmith-PC
Sources: EDR (Sysmon), DHCP (Infoblox), Proxy logs
Investigation: NAT detected, 10.0.0.1 → 47 hosts/hour
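The two pieces described above, a temporal join for IP-to-hostname resolution and a distinct-hosts-per-hour check for NAT, as an added example in Python. This is not the product's `resolve_identity` code; the DHCP leases and EDR check-ins are constructed, and the NAT threshold of 10 hosts per hour is an assumption for the example.

```python
"""Identity resolution by temporal join, plus NAT detection.

Added example for this page; not the product's own resolve_identity code.
The DHCP leases and EDR check-ins below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP lease records: (lease_start, lease_end, ip, hostname).
# 192.168.1.50 is dynamic: jsmith-PC held it in the morning, mlee-LAPTOP after noon.
# 192.168.1.51 shows a stale lease that overlaps a newer one after a reassignment.
DHCP_LEASES = [
    (datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 12, 0), "192.168.1.50", "jsmith-PC"),
    (datetime(2024, 5, 1, 12, 0), datetime(2024, 5, 1, 18, 0), "192.168.1.50", "mlee-LAPTOP"),
    (datetime(2024, 5, 1, 7, 0), datetime(2024, 5, 2, 7, 0), "192.168.1.51", "fileserver01"),
    (datetime(2024, 5, 2, 6, 0), datetime(2024, 5, 3, 6, 0), "192.168.1.51", "printer-3f"),
]

# Constructed EDR check-ins: (timestamp, source ip seen, hostname reported by the agent).
# 10.0.0.1 is a NAT gateway: 47 distinct hosts appear behind it within one hour.
EDR_CHECKINS = [(datetime(2024, 5, 1, 9, m), "10.0.0.1", f"branch-host-{m:02d}") for m in range(47)]
EDR_CHECKINS += [(datetime(2024, 5, 1, 9, 5), "192.168.1.50", "jsmith-PC"),
                 (datetime(2024, 5, 1, 9, 35), "192.168.1.50", "jsmith-PC")]


def resolve_identity(ip, at, leases=DHCP_LEASES):
    """Temporal join: return the hostname whose lease covered `ip` at time `at`.

    A plain equi-join on ip would return every host that ever held the address;
    the time predicate is what makes dynamic IPs resolve correctly. If records
    overlap (a stale lease not yet expired), the most recently started lease wins.
    `at` may be a datetime or an ISO-8601 string as found in log lines."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    covering = [lease for lease in leases
                if lease[2] == ip and lease[0] <= at < lease[1]]
    if not covering:
        return None
    return max(covering, key=lambda lease: lease[0])[3]


def detect_nat(checkins, threshold=10, bucket=timedelta(hours=1)):
    """Flag IPs behind which more than `threshold` distinct hostnames appear
    within one bucket. Returns {ip: peak distinct hosts per bucket}.
    The threshold is an assumption for this example, not the product's."""
    hosts = defaultdict(set)
    for ts, ip, hostname in checkins:
        # Floor the timestamp to the bucket boundary (1h buckets by default).
        floored = datetime.combine(ts.date(), datetime.min.time())
        floored += ((ts - floored) // bucket) * bucket
        hosts[(ip, floored)].add(hostname)
    peak = defaultdict(int)
    for (ip, _), names in hosts.items():
        peak[ip] = max(peak[ip], len(names))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print(resolve_identity("192.168.1.50", "2024-05-01T09:30:00"))   # jsmith-PC
    print(resolve_identity("192.168.1.50", "2024-05-01T13:00:00"))   # mlee-LAPTOP
    print(detect_nat(EDR_CHECKINS))                                   # {'10.0.0.1': 47}
```

The half-open interval `lease_start <= at < lease_end` is what keeps the join deterministic at a lease boundary; without it, a renewal logged at exactly noon would match both tenants. The NAT check counts names, not events, so a single chatty host cannot trip it.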

Process tree (UI mock-up, rooted view on [powershell.exe]):

explorer.exe (PID: 1234)
  outlook.exe (PID: 2345)
    powershell.exe (PID: 3456)
      cmd.exe /c whoami (PID: 4567)
      certutil.exe -decode... (PID: 5678)
      payload.exe (PID: 6789)

Prevalence legend: common / uncommon / rare

Tree Visualization

See the full picture

Visualize process trees, web session flows, and any parent-child relationship. Integrated prevalence shows what's rare at a glance.

Auto-Enrichment

Context without the clicks

IPs enriched with GeoIP and ASN data. Domains checked against threat intel. Hashes matched to known malware. All automatic.

Example (UI mock-up): enriched in 312ms from 5 sources

GeoIP:          185.220.101.1 → Country: Russia, City: Moscow
Hash Lookup:    abc123... → Cobalt Strike, Family: Beacon
ASN Lookup:     AS12345 → Org: DigitalOcean, Type: Hosting
Asset Context:  192.168.1.50 → Owner: J. Smith, Dept: Finance
Threat Intel:   evil-c2.ru → Known C2, Confidence: 95%

Detection Pipeline

Built different

Rust Backend

Memory-safe, fast, reliable

React UI

Modern, responsive UI

ClickHouse Storage

Columnar storage, billions of rows, sub-second queries

Vector Ingest

High-throughput log ingestion

AI Gateway

Pluggable support for any AI provider

Code Samples

Queries that make sense

[detection engine]

```
// BRUTE FORCE DETECTION
source_type=auth action=login status=failure
stats count as attempts by src_ip, user
where attempts > 10
sort -attempts
...
```

```
// RARE DOMAIN HUNTING
source_type=proxy earliest=-7d
prevalence window=7d enrich=true
where host_count < 3 AND is_rare=true
table dest_host, first_seen, host_count
...
```

```
// PROCESS TREE ANALYSIS
source_type=sysmon action=process_create
tree process root="*powershell*"
prevalence enrich=true
where depth > 3
...
```
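What the `tree` and `prevalence` steps compute, as an added Python example that covers both the Tree Visualization section above and this PROCESS TREE ANALYSIS sample (the `host_count` idea in RARE DOMAIN HUNTING is the same distinct-host count applied to domains). This is not the product's own implementation; the process-creation events are constructed, and the prevalence buckets (rare below 3 hosts, uncommon below 25% of the fleet) are assumptions for the example.

```python
"""Process tree with fleet-wide prevalence.

Added example for this page; not the product's own `tree`/`prevalence`
commands. The process-creation events below are constructed."""
import fnmatch
from collections import defaultdict

# Constructed Sysmon-style process_create events: (host, pid, ppid, image, cmdline).
# WS-01 carries a chain like the page's mock-up; the rest of the fleet only
# runs explorer/outlook, and a handful of hosts also run PowerShell.
EVENTS = [
    ("WS-01", 1234, 0,    "explorer.exe",   "explorer.exe"),
    ("WS-01", 2345, 1234, "outlook.exe",    "outlook.exe"),
    ("WS-01", 3456, 2345, "powershell.exe", "powershell.exe"),
    ("WS-01", 4567, 3456, "cmd.exe",        "cmd.exe /c whoami"),
    ("WS-01", 5678, 4567, "certutil.exe",   "certutil.exe -decode ..."),
    ("WS-01", 6789, 3456, "payload.exe",    "payload.exe"),
]
EVENTS += [(f"WS-{n:02d}", 100, 0,   "explorer.exe",   "explorer.exe")   for n in range(2, 40)]
EVENTS += [(f"WS-{n:02d}", 101, 100, "outlook.exe",    "outlook.exe")    for n in range(2, 40)]
EVENTS += [(f"WS-{n:02d}", 102, 100, "powershell.exe", "powershell.exe") for n in range(2, 8)]


def prevalence(events, rare_max_hosts=3, uncommon_frac=0.25):
    """Per image: how many distinct hosts ran it, bucketed common/uncommon/rare.
    The bucket thresholds are an assumption for this example."""
    hosts_by_image = defaultdict(set)
    fleet = set()
    for host, _pid, _ppid, image, _cmd in events:
        hosts_by_image[image].add(host)
        fleet.add(host)
    result = {}
    for image, hosts in hosts_by_image.items():
        n = len(hosts)
        if n < rare_max_hosts:
            label = "rare"
        elif n < uncommon_frac * len(fleet):
            label = "uncommon"
        else:
            label = "common"
        result[image] = (n, label)
    return result


def process_tree(events, host, root_pattern):
    """`tree process root=<glob>` on one host: depth-first list of
    (depth, pid, image, cmdline, prevalence_label) under every process whose
    image matches the glob (case-insensitive). The matched root has depth 0."""
    labels = prevalence(events)
    children = defaultdict(list)
    procs = {}
    for h, pid, ppid, image, cmd in events:
        if h != host:
            continue
        procs[pid] = (image, cmd)
        children[ppid].append(pid)
    out = []

    def walk(pid, depth):
        image, cmd = procs[pid]
        out.append((depth, pid, image, cmd, labels[image][1]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for pid, (image, _cmd) in procs.items():
        if fnmatch.fnmatch(image.lower(), root_pattern.lower()):
            walk(pid, 0)
    return out


def render(tree):
    """Indented text rendering with the prevalence label, like the tree view."""
    return "\n".join(f"{'  ' * d}{cmd} (PID: {pid}) [{label}]"
                     for d, pid, _image, cmd, label in tree)


def deep_rare(tree, min_depth):
    """`where depth > N` combined with prevalence: nodes at least `min_depth`
    below the root whose image is rare across the fleet."""
    return [(d, pid, image) for d, pid, image, _cmd, label in tree
            if d >= min_depth and label == "rare"]


if __name__ == "__main__":
    tree = process_tree(EVENTS, "WS-01", "*powershell*")
    print(render(tree))
    print(deep_rare(tree, 2))   # [(2, 5678, 'certutil.exe')]
```

Prevalence is computed over the whole fleet, not just the host being viewed, which is what makes the label meaningful: cmd.exe under PowerShell is unremarkable on its own, but an image seen on exactly one of 39 hosts is not.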

```
// BEACONING DETECTION
source_type=proxy
bin span=10m
stats count by dest_host, _time
streamstats window=6 stdev(count) as jitter by dest_host
```
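The bin / stats / streamstats pipeline above, carried through in Python as an added example (not the product's own engine) so the "jitter" metric is concrete: a fixed-interval beacon yields the same count in every 10-minute bin, so the rolling standard deviation over six bins is near zero, while human browsing is bursty. The proxy events are constructed, and the 0.5 jitter cut-off is an assumption for the example.

```python
"""Beaconing detection: fixed-interval traffic has low variance in per-bin counts.

Added example for this page; not the product's own bin/stats/streamstats
implementation. The proxy events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

SPAN = timedelta(minutes=10)   # the query's `bin span=10m`


def build_events():
    """Constructed proxy log as (timestamp, src_host, dest_host): a 60-second
    beacon to evil-c2.ru for two hours, and bursty, human-looking browsing to
    a news site from another host."""
    base = datetime(2024, 5, 1, 0, 0)
    events = [(base + timedelta(seconds=60 * i), "WS-01", "evil-c2.ru") for i in range(120)]
    for m in (0, 1, 2, 15, 16, 30, 31, 32, 33, 34, 70, 95, 96, 97, 110):
        events.append((base + timedelta(minutes=m), "WS-02", "news.example.com"))
    return events


def bin_counts(events, span=SPAN):
    """`bin span=10m | stats count by dest_host, _time`: for each destination,
    a list of counts over consecutive bins. Empty bins are kept as 0 rather
    than dropped, so a gap in traffic raises the jitter instead of vanishing."""
    times = [t for t, _, _ in events]
    day = min(times).replace(hour=0, minute=0, second=0, microsecond=0)
    start = day + ((min(times) - day) // span) * span      # align to a bin boundary
    nbins = (max(times) - start) // span + 1
    counts = defaultdict(lambda: [0] * nbins)
    for t, _src, dest in events:
        counts[dest][(t - start) // span] += 1
    return dict(counts)


def jitter_series(counts, window=6):
    """`streamstats window=6 stdev(count) as jitter`: population stdev of the
    trailing `window` bin counts at each position."""
    return [pstdev(counts[max(0, i - window + 1): i + 1]) for i in range(len(counts))]


def beacon_candidates(events, window=6, max_jitter=0.5):
    """Destinations with at least one full window of non-empty bins whose
    counts barely vary. The non-empty check matters: a host that is silent for
    an hour also has stdev 0. max_jitter is an assumption for this example."""
    flagged = {}
    for dest, counts in bin_counts(events).items():
        jitter = jitter_series(counts, window)
        for i in range(window - 1, len(counts)):
            win = counts[i - window + 1: i + 1]
            if min(win) > 0 and jitter[i] <= max_jitter:
                flagged[dest] = round(jitter[i], 3)
                break
    return flagged


if __name__ == "__main__":
    for dest, counts in bin_counts(build_events()).items():
        print(dest, counts)
    print(beacon_candidates(build_events()))   # {'evil-c2.ru': 0.0}
```

Two details are easy to get wrong when porting this to a real pipeline: bins with no traffic must be materialised as zeros before `streamstats` runs, and a zero-variance window is only interesting if the counts in it are non-zero. Real beacons also add deliberate jitter to their interval, so in practice the cut-off is tuned per environment and combined with the count itself, not applied as a hard zero.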

Built by Incident Responders

Ready to hunt?

Get started in minutes. No credit card. No sales call.