Analytics Cases
This feature is currently available only to customers participating in a Public Preview. For details, see Preview Program.
Analytics cases are high-confidence correlations built by the platform to highlight meaningful and potentially malicious activity. Rather than alerting on isolated anomalies, Analytics cases combine multiple suspicious events to create a stronger, context-rich signal that deserves attention.
Purpose
A single suspicious alert, such as an abnormal login or access to a rarely used secret, can occur in legitimate scenarios (e.g., travel, temporary access). When several such events are linked together in a sequence, however, they may indicate a genuine security incident.
Analytics cases help reduce alert fatigue and false positives by focusing only on sequences of events that are more likely to be malicious.
Framework
An Analytics case is generated and updated based on the following logic.
Trigger: Suspicious Login Alert
The system first detects a suspicious login event, such as a brute-force login attempt, an MFA bombing (MFA fatigue) attack, or a login from an atypical location or one that implies impossible travel.
Followed by: Suspicious Behavior Alert(s)
If, within a short period, the same user account shows additional suspicious behavior, such as:
- Accessing rarely used secrets
- Behavior anomalies uncharacteristic of the user, or
- Any other alerts from this category, as described under the Analytics list of alerts
An Analytics case is created to correlate these events.
Appended alerts: Timeline(s)
If further suspicious behavior alerts are triggered within 3 days of the original suspicious login, they are appended to the existing case, building a timeline of concerning activity.
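The correlation logic described above, as an added example written for this page and not the platform's own implementation: alerts are grouped per user account, a suspicious login alert followed by a behavior alert opens a case, later behavior alerts within 3 days of the original login are appended to its timeline, and a behavior alert with no preceding login opens nothing. The page does not quantify the "short period" between the login and the first behavior alert, so the example assumes 24 hours (the `trigger_window` parameter); the alert type names and the sample alerts are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Alert categories from the framework. The type names are constructed for
# this example; they are not the platform's alert identifiers.
LOGIN_ALERTS = {"brute_force_login", "mfa_fatigue", "atypical_location", "impossible_travel"}
BEHAVIOR_ALERTS = {"rarely_used_secret_access", "behavior_anomaly"}


@dataclass
class Alert:
    ts: datetime
    user: str
    kind: str


@dataclass
class Case:
    user: str
    opened_at: datetime                      # timestamp of the triggering login alert
    timeline: list = field(default_factory=list)


def correlate(alerts, trigger_window=timedelta(hours=24), append_window=timedelta(days=3)):
    """Build cases from a list of alerts.

    trigger_window: how soon after a suspicious login a behavior alert must
        follow to open a case (assumed value; the page only says "a short period").
    append_window: 3 days from the original login, as the page states.
    """
    cases = []
    open_cases = {}       # user -> most recently opened Case
    pending_logins = {}   # user -> login Alert not yet followed by a behavior alert

    for a in sorted(alerts, key=lambda x: x.ts):
        case = open_cases.get(a.user)
        in_window = case is not None and a.ts - case.opened_at <= append_window

        if a.kind in LOGIN_ALERTS:
            if in_window:
                # Assumption: a second suspicious login inside an open case's
                # window is recorded on that case's timeline.
                case.timeline.append(a)
            else:
                pending_logins[a.user] = a   # candidate trigger, no case yet
        elif a.kind in BEHAVIOR_ALERTS:
            if in_window:
                case.timeline.append(a)      # extend the existing timeline
                continue
            login = pending_logins.get(a.user)
            if login is not None and a.ts - login.ts <= trigger_window:
                new_case = Case(user=a.user, opened_at=login.ts, timeline=[login, a])
                cases.append(new_case)
                open_cases[a.user] = new_case
                del pending_logins[a.user]
            # Otherwise the behavior alert stands alone and opens no case:
            # this is the false-positive reduction the page describes.
    return cases


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample alerts (not real telemetry), deliberately out of order.
SAMPLE_ALERTS = [
    Alert(_t("2024-05-01T09:40"), "alice", "rarely_used_secret_access"),
    Alert(_t("2024-05-01T09:00"), "alice", "impossible_travel"),
    Alert(_t("2024-05-03T14:00"), "alice", "behavior_anomaly"),
    Alert(_t("2024-05-05T10:00"), "alice", "rarely_used_secret_access"),  # more than 3 days after the login
    Alert(_t("2024-05-01T08:00"), "bob", "rarely_used_secret_access"),    # isolated, no login alert
    Alert(_t("2024-05-02T12:00"), "carol", "brute_force_login"),
    Alert(_t("2024-05-04T12:00"), "carol", "behavior_anomaly"),           # too long after the login
]


def case_summaries(alerts=SAMPLE_ALERTS):
    """Return (user, [alert kinds in timeline order]) for each case built."""
    return [(c.user, [a.kind for a in c.timeline]) for c in correlate(alerts)]


if __name__ == "__main__":
    for user, kinds in case_summaries():
        print(user, "->", " > ".join(kinds))
```

Run as written, only alice gets a case, with three alerts on its timeline: bob's lone secret access and carol's behavior anomaly two days after her login both stay as individual alerts. Widening `trigger_window` would pull carol's pair into a case, which is the tuning knob an analyst should expect to matter most.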
By combining alerts into a single case:
- False positives are reduced. Individual alerts that might otherwise be ignored (e.g., accessing a new region or a rarely used secret) become meaningful in context.
- Investigations are faster. Security analysts can view the full picture in one place.
- Confidence is higher. Correlating multiple signals increases the likelihood of identifying true compromise.