Detection Engineering Reference

Understand deviation.
Measure observable change.

A structured foundation for reasoning about anomaly detection before selecting models, writing rules, or mapping behavior to adversary techniques.

00
Activity and observability

ATT&CK Activity Catalog

Enterprise tactics

Browse suspicious and malicious activity by MITRE ATT&CK tactic. Every activity includes inline links to the vendor-neutral log sources capable of reporting it.

Open the ATT&CK activity and log-source catalog →

00.5
Deterministic detection

Basic Detection Rule Catalog

Thresholds · signatures · state changes

Technique-level algorithmic detection logic using exact matches, fixed thresholds, allowlists, state changes, and bounded-window correlations, with direct links to the required telemetry sources.

Open the basic detection rule catalog →

Statistical detection

Explain malicious activity as measurable deviation.

The activity-to-anomaly catalog maps ATT&CK-aligned behavior to its comparison unit, expected baseline, measurable deviation, applicable anomaly types, and supporting telemetry. It also identifies activity better handled by signatures or policy rules.

Open the activity-to-anomaly mapping catalog →

01
Statistical foundation

Statistical Anomaly Taxonomy

118 types

Observation

Point, contextual, collective, conditional, and residual deviations.

Time

Trend, level, variance, periodicity, sequence, and change-point behavior.

Distribution

Drift, tail, entropy, modality, quantile, and dispersion changes.

Structure

Multivariate, graph, relationship, spatial, and cross-view anomalies.

Open the complete statistical taxonomy →

02
Observable evidence

Security Log Source Taxonomy

175 sources

01

Endpoint and operating systems

02

Identity and authentication

03

Network infrastructure and traffic

04

Applications, APIs, and databases

05

Cloud, containers, and orchestration

06

Security controls and observability

Open the complete log-source taxonomy →

Working principles

Model the behavior before choosing the detector.

Define the baseline. State the population, entity, peer group, context, and time window.

Verify observability. Confirm that a source records the activity and retains the required detail.

Separate rarity from meaning. Statistical deviation is evidence to investigate, not a conclusion.