drop multiple victim org log sets · correlate shared indicators · runs locally
multi-org log sets · local only
heuristic screener · vendor schema varies · not definitive proof