drop mde hunting export · parse device process/network events · runs locally
advanced hunting · device events · local export only
heuristic screener · vendor schema varies · not definitive proof