Drop NDR + EDR exports · correlate a network alert to a host incident · runs locally
Heuristic screener · vendor schemas vary · not definitive proof