drop itdr + edr exports · correlate identity alert to host session · runs locally
drop itdr + edr exports · local only
heuristic screener · vendor schema varies · not definitive proof