Sequence (Multi-tool Comparison) Use Case
Attacks are multi-step. Phish → macro → C2 → credential dump → lateral movement → exfil. The kill chain crosses every boundary — endpoint, network, cloud, identity. But every tool in the stack only sees its piece.
EDR sequences within the endpoint — blind to network and cloud. NDR sees traffic — can't link it to the process or user. XDR promises to unify but only sequences within one vendor's ecosystem. CrowdStrike XDR sees CrowdStrike data. Palo Alto XDR sees Palo Alto data. Cross-vendor? Still your analyst, manually, hours later.
SIEMs are worse — single-event rules with no ordering, no negation, no state. They can count ("5 failed logins") but can't express "A then B then NOT C, within 10 minutes, by the same user." And they run on a schedule, not in real time.
The result: each tool fires its own alert on its own step. Nobody detects the chain. Your analyst reconstructs it by hand across 3-4 consoles — if they catch it at all.
How spotr.io Does It
Sequence detection models define multi-step, ordered event chains with time windows, entity correlation, and negation — all evaluated in real time on the stream. Vendor-agnostic. Auth logs, endpoint telemetry, network data, cloud events, identity systems — one model, one detection, across all sources.
Negation is native: "login from new geo BUT no MFA challenge" detects what didn't happen. Time windows enforce ordering: "A before B, within X minutes, by the same entity." Cross-source correlation means a single sequence can span Sysmon events, firewall logs, Okta auth, and AWS CloudTrail.
The state engine tracks active sequences as they unfold in real time. The detection fires the moment the chain completes — not on the next hourly batch run.
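As an added illustration of the kind of model described above (not spotr.io's own engine or code), the following Python evaluates "login from new geo, then an IAM policy change, with NO MFA challenge in between, within 10 minutes, by the same user" over a small constructed stream that mixes Okta and CloudTrail events. The event kinds, field names and sample values are assumptions made for the example; it assumes events arrive in timestamp order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Event:
    ts: datetime   # stream is fed in timestamp order
    source: str    # e.g. "okta", "cloudtrail"
    entity: str    # correlation key (the user)
    kind: str      # normalized event type

class SequenceEngine:
    """Sequence model 'A then B ..., NOT C, within window, same entity'; one partial chain per entity."""
    def __init__(self, steps, negated, window):
        self.steps, self.negated, self.window = steps, set(negated), window
        self.active = {}  # entity -> {"start", "idx", "sources"}

    def feed(self, ev):
        st = self.active.get(ev.entity)
        if st and ev.ts - st["start"] > self.window:  # window expired: drop the partial chain
            self.active.pop(ev.entity); st = None
        if st is None:
            if ev.kind == self.steps[0]:
                self.active[ev.entity] = {"start": ev.ts, "idx": 1, "sources": [ev.source]}
            return None
        if ev.kind in self.negated:  # the "NOT C" step: the expected control happened, abort the chain
            self.active.pop(ev.entity)
            return None
        if ev.kind == self.steps[st["idx"]]:
            st["idx"] += 1; st["sources"].append(ev.source)
            if st["idx"] == len(self.steps):  # chain complete: fire now, not on a batch run
                self.active.pop(ev.entity)
                return {"entity": ev.entity, "start": st["start"], "end": ev.ts, "sources": st["sources"]}
        return None

# Constructed sample stream (not real telemetry): Okta auth plus AWS CloudTrail, three users.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    Event(T0, "okta", "alice", "login_new_geo"),
    Event(T0, "okta", "bob", "login_new_geo"),
    Event(T0, "okta", "carol", "login_new_geo"),
    Event(T0 + timedelta(minutes=1), "okta", "bob", "mfa_challenge"),             # bob: MFA happened,
    Event(T0 + timedelta(minutes=2), "cloudtrail", "bob", "iam_policy_change"),    # so no alert
    Event(T0 + timedelta(minutes=3), "cloudtrail", "alice", "iam_policy_change"),  # alice: no MFA, alert
    Event(T0 + timedelta(minutes=15), "cloudtrail", "carol", "iam_policy_change"), # carol: past window
]

def run(events=SAMPLE):
    """login_new_geo then iam_policy_change, NOT mfa_challenge, within 10 minutes, same user."""
    engine = SequenceEngine(["login_new_geo", "iam_policy_change"], ["mfa_challenge"], timedelta(minutes=10))
    return [a for a in map(engine.feed, events) if a]
```

Only alice's chain fires: bob's is aborted by the MFA challenge, and carol's second step lands outside the window.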
The Conversation
"Can any single tool in your stack detect a multi-step attack across endpoint, network, cloud, and identity?" — Almost always no.
"Can it express ordering and negation in one rule?" — That's where they go quiet.
"How long does it take your analysts to reconstruct a kill chain across your tools?" — Hours. If they catch it at all.
"What if the kill chain was one detection, across all sources, in real time?" — That's spotr.io.