Sequence (SIEM Comparison) Use Case
Attacks aren't single events — they're sequences. Phish → macro execution → C2 callback → credential dump → lateral movement. Each step looks benign on its own. The attack only becomes visible when you see the chain.
SIEMs detect one event at a time. No memory of what came before, no awareness of what should come next. Threshold rules can count ("5 failed logins") but can't express ordering ("login from new geo, THEN privilege escalation, within 10 minutes, by the same user"). And they can't express negation — "this happened but that didn't follow" — which is often the strongest signal that something is wrong.
The result: analysts manually reconstruct attack chains during investigation, hours after the fact. The detection fired on step 4. Steps 1-3 were invisible.
How spotr.io Does It
Sequence detection models define multi-step, ordered event chains with time windows, entity correlation, and negation — all evaluated in real time on the stream. "Login from new geo → privilege escalation → no MFA challenge → data access" becomes a single detection model, not four separate rules stitched together by a human.
Cross-source correlation means a sequence can span auth logs, endpoint telemetry, network data, and cloud events in one model. The state engine tracks active sequences as they unfold — firing the moment the chain completes, not on the next scheduled search.
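To make concrete what "ordering, time window, entity correlation and negation in one model" means, here is an added illustration in Python. It is not spotr.io code and says nothing about how spotr.io's state engine is built; the event field names (ts, user, source, type, new_geo) and event type names are assumptions made for the example.

```python
from dataclasses import dataclass, field
@dataclass
class SequenceModel:
    name: str
    entity: str    # event field that ties the steps together (here: the user)
    window: float  # seconds allowed from the first step to the last
    steps: list    # ordered predicates; a chain advances only on the next expected step
    negated: dict = field(default_factory=dict)  # step index -> predicate that must NOT fire before that step

class SequenceEngine:  # per-entity state machine, evaluated event by event in stream order
    def __init__(self, model):
        self.model, self.active, self.signals = model, {}, []

    def feed(self, ev):
        m, key = self.model, ev[self.model.entity]
        st = self.active.get(key)
        if st and ev["ts"] - st["start"] > m.window:
            self.active.pop(key); st = None              # window expired: forget the partial chain
        if st is None:
            if m.steps[0](ev):                           # only the first step opens a chain
                self.active[key] = {"start": ev["ts"], "next": 1, "chain": [ev]}
            return None
        neg = m.negated.get(st["next"])
        if neg and neg(ev):                              # the forbidden event did follow: drop the chain
            self.active.pop(key); return None
        if m.steps[st["next"]](ev):                      # out-of-order events do not advance the chain
            st["chain"].append(ev); st["next"] += 1
            if st["next"] == len(m.steps):               # chain complete: fire now, not on a scheduled search
                self.active.pop(key)
                sig = {"model": m.name, "entity": key, "chain": [e["type"] for e in st["chain"]],
                       "sources": sorted({e["source"] for e in st["chain"]})}
                self.signals.append(sig); return sig
# The page's chain as one model: new-geo login -> priv esc -> (no MFA challenge) -> data access, same user, 10 min
MODEL = SequenceModel("new-geo login -> priv_esc -> data_access without MFA", "user", 600,
    steps=[lambda e: e["type"] == "login" and e.get("new_geo") is True,
           lambda e: e["type"] == "priv_esc", lambda e: e["type"] == "data_access"],
    negated={2: lambda e: e["type"] == "mfa_challenge"})
EVENTS = [  # constructed stream across auth, endpoint and cloud sources (not real telemetry)
    {"ts": 0, "user": "alice", "source": "auth", "type": "login", "new_geo": True},
    {"ts": 10, "user": "bob", "source": "auth", "type": "login", "new_geo": True},
    {"ts": 20, "user": "carol", "source": "auth", "type": "login", "new_geo": True},
    {"ts": 60, "user": "bob", "source": "endpoint", "type": "priv_esc"},
    {"ts": 90, "user": "bob", "source": "auth", "type": "mfa_challenge"},  # negation hit: bob's chain dropped
    {"ts": 120, "user": "alice", "source": "endpoint", "type": "priv_esc"},
    {"ts": 200, "user": "bob", "source": "cloud", "type": "data_access"},
    {"ts": 300, "user": "alice", "source": "cloud", "type": "data_access"},  # alice completes the chain
    {"ts": 700, "user": "carol", "source": "endpoint", "type": "priv_esc"},  # 680 s after login: expired
    {"ts": 800, "user": "carol", "source": "cloud", "type": "data_access"},
]
SIGNALS = [s for s in map(SequenceEngine(MODEL).feed, EVENTS) if s]  # one signal: alice, across 3 sources
```

Bob's identical sequence produces nothing because the MFA challenge satisfies the negated step, and carol's produces nothing because her privilege escalation falls outside the ten-minute window; a threshold rule counting the same events would treat all three users alike.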
The AI SOC Analyst presents the full chain as a single narrative signal: here's what happened, in what order, across which systems, and why it matters.
The Conversation
"Can your SIEM detect a multi-step attack as a single detection?" — Almost none can natively.
"Can it express ordering, negation, and cross-source correlation in one rule?" — That's where they go quiet.
"What if every kill chain was one signal instead of a week-long investigation?" — That's spotr.io.