SIEM analytics
Query, correlate, and detect across every signal source.
A unified analytics surface for 38 telemetry sources — backed by 1,247 detection rules.
Lens-Q · 8 streams attached
source="edr.crowdlens" | where severity in ("high", "critical")
| join identity.oktacore on user
| summarize count() by mitre_tactic, asset | order by count_ desc | take 50
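The query above, re-implemented in plain Python over a handful of constructed events so the pipeline can be run and checked offline. This is an added example, not Lens-Q product code; the field names (`user`, `asset`, `severity`, `mitre_tactic`, `okta_group`) and the sample events are assumptions. It also shows why the severity filter must compare by rank: a lexicographic `severity >= "high"` keeps "low" and "medium" (both sort after "h") and drops "critical" (which sorts before it), which is the opposite of the intended "high and above".

```python
"""Added example (not Lens-Q product code): the dashboard query re-implemented.

Pipeline: filter EDR events at or above "high" severity -> inner-join to
identity events on `user` -> count by (mitre_tactic, asset) -> sort by count
descending -> take N. Severity is compared by rank, not by string.
"""
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample telemetry. Field names are assumptions, not the product's schema.
EDR_EVENTS = [
    {"user": "alice",   "asset": "ws-101", "severity": "critical", "mitre_tactic": "credential-access"},
    {"user": "alice",   "asset": "ws-101", "severity": "high",     "mitre_tactic": "credential-access"},
    {"user": "bob",     "asset": "srv-07", "severity": "medium",   "mitre_tactic": "execution"},
    {"user": "carol",   "asset": "ws-222", "severity": "high",     "mitre_tactic": "lateral-movement"},
    {"user": "mallory", "asset": "ws-303", "severity": "high",     "mitre_tactic": "execution"},  # no identity record
    {"user": "dave",    "asset": "srv-07", "severity": "low",      "mitre_tactic": "discovery"},
]

IDENTITY_EVENTS = [
    {"user": "alice", "okta_group": "finance"},
    {"user": "bob",   "okta_group": "eng"},
    {"user": "carol", "okta_group": "eng"},
    {"user": "dave",  "okta_group": "it"},
]


def severity_at_least(event, floor="high"):
    """Rank-based comparison; an unknown severity label is treated as below the floor."""
    return SEVERITY_RANK.get(event["severity"], -1) >= SEVERITY_RANK[floor]


def inner_join(left, right, key):
    """Inner join two event lists on `key` (rows with no identity match are dropped)."""
    index = {}
    for r in right:
        index.setdefault(r[key], []).append(r)
    return [{**l, **r} for l in left for r in index.get(l[key], [])]


def summarize_by_tactic_asset(edr, identity, floor="high", limit=50):
    """Return [(mitre_tactic, asset, count), ...] sorted by count desc, then key asc."""
    filtered = [e for e in edr if severity_at_least(e, floor)]
    joined = inner_join(filtered, identity, "user")
    counts = Counter((e["mitre_tactic"], e["asset"]) for e in joined)
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tactic, asset, n) for (tactic, asset), n in rows[:limit]]


def lexicographic_filter(edr, floor="high"):
    """The naive string comparison, for contrast: the severity labels it would keep."""
    return sorted({e["severity"] for e in edr if e["severity"] >= floor})


if __name__ == "__main__":
    for row in summarize_by_tactic_asset(EDR_EVENTS, IDENTITY_EVENTS):
        print(row)
    print("string compare keeps:", lexicographic_filter(EDR_EVENTS))
```

On the sample data the rank-based pipeline yields two rows (alice's two credential-access hits on ws-101, carol's lateral-movement hit on ws-222); mallory's event is dropped by the inner join because no identity record exists for that user. The string comparison, by contrast, keeps "high", "low" and "medium" and silently loses the "critical" event.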
Events ingested (24h): 4.21B (+3.2% over 24h)
Hot index size: 218 TB (+1.1% over 24h)
Detection rules: 1,247 (+2.4% over 24h · 14 new this week)
Median query latency: 312 ms (-9.6% over 24h)
Log volume (chart): throughput, all sources
Detection coverage (chart): sources × MITRE ATT&CK tactic
Tactics (columns): Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact
Sources (rows): edr.crowdlens, cloud.guardwatch, identity.oktacore, k8s.audit, network.netscope, email.inkwell, endpoint.osquery, dns.resolver
Correlation rules (hits, last 24h)
- high · Kerberoast → Lateral · 18 hits
- critical · OAuth scope abuse chain · 6 hits
- medium · DNS tunneling burst · 31 hits
- high · Privileged k8s exec · 12 hits
- medium · Geo-impossible auth · 4 hits
- high · Suspicious model query · 9 hits
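One of the rules listed above, "Geo-impossible auth", worked through as an added example (not Lens-Q's rule logic): consecutive successful logins per user are paired, the great-circle distance between their geolocated source addresses is computed, and the pair is flagged when the implied travel speed exceeds a ceiling. The event schema, the pre-resolved coordinates and the 900 km/h ceiling are assumptions; the sample events are constructed and use documentation-range IP addresses.

```python
"""Added example (not Lens-Q product code): a minimal geo-impossible-auth correlation.

Assumptions: each auth event already carries a geolocation for its source IP,
a "result" field distinguishes successes from failures, and travel faster than
MAX_PLAUSIBLE_KMH between two successful logins is implausible.
"""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

# Constructed sample auth events (documentation-range IPs, invented timestamps).
AUTH_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00Z", "src_ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,  "result": "SUCCESS"},  # London
    {"user": "alice", "ts": "2024-05-01T08:30:00Z", "src_ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "result": "SUCCESS"},  # New York, 30 min later
    {"user": "bob",   "ts": "2024-05-01T09:00:00Z", "src_ip": "203.0.113.22", "lat": 48.8566, "lon": 2.3522,   "result": "SUCCESS"},  # Paris
    {"user": "bob",   "ts": "2024-05-01T12:00:00Z", "src_ip": "203.0.113.23", "lat": 52.5200, "lon": 13.4050,  "result": "SUCCESS"},  # Berlin, 3 h later
    {"user": "carol", "ts": "2024-05-01T10:00:00Z", "src_ip": "192.0.2.5",    "lat": 35.6762, "lon": 139.6503, "result": "FAILURE"},  # failures are ignored
    {"user": "carol", "ts": "2024-05-01T10:05:00Z", "src_ip": "192.0.2.9",    "lat": -33.8688, "lon": 151.2093, "result": "SUCCESS"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def geo_impossible_auth(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per consecutive pair of successful logins whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in events:
        if e["result"] != "SUCCESS":
            continue  # a failed attempt does not prove presence at that location
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two distant logins in the same second are impossible too; avoid dividing by zero.
            speed = math.inf if hours == 0 else km / hours
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev["src_ip"], "to_ip": cur["src_ip"],
                    "km": round(km), "hours": round(hours, 2),
                    "kmh": speed if speed == math.inf else round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in geo_impossible_auth(AUTH_EVENTS):
        print(f)
```

On the sample data only alice is flagged: London to New York is roughly 5,570 km, and covering it in 30 minutes implies about 11,000 km/h. bob's Paris-to-Berlin pair (about 880 km in 3 h) stays under the ceiling, and carol has only one successful login, so no pair is formed. In production this rule needs a VPN and corporate-egress allowlist, since a user hopping between exit nodes is the most common benign cause of "impossible" travel.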