drop 2+ soar run exports · correlate incident id + shared indicators · runs locally
drop 2+ soar run exports · local only
heuristic screener · vendor schema varies · not definitive proof