Last 24 hours · Apr 19, 2026 05:31 – Apr 20, 2026 05:31 UTC
Generated: 2026-04-20 05:31:53 UTC
SIGMA Detection Overview
Behavioral tokens produced by the SIGMA tokenizer every 15 minutes per asset. Dispositions are assigned by the Occam predictor — suppressed (false positive), investigate (isolated anomaly), present (confirmed signal), or elevated (pre-intrusion alert).
| Metric | Value |
|---|---|
| Total Detections | 4,821 |
| Pre-Intrusion Alerts | 23 |
| Suppressed (FP) | 3,947 |
| Assets Observed | 847 |
| Avg Surprisal (bits) | 1.42 |
| Max Surprisal (bits) | 8.73 |
Detection Timeline
Detections by ATT&CK Tactic
| Tactic | Detections | Avg Surprisal | Avg Anomaly Score | Elevated |
|---|---|---|---|---|
| Benign | 3,284 | 0.38 | 0.02 | 0 |
| Reconnaissance | 487 | 2.84 | 0.31 | 3 |
| LateralMovement | 312 | 3.17 | 0.42 | 5 |
| CommandAndControl | 198 | 4.92 | 0.67 | 8 |
| DataExfiltration | 147 | 5.31 | 0.71 | 4 |
| PrivilegeEscalation | 89 | 3.84 | 0.48 | 2 |
| Persistence | 67 | 4.12 | 0.53 | 1 |
| InitialAccess | 42 | 5.87 | 0.78 | 0 |
| Collection | 38 | 3.41 | 0.39 | 0 |
| Impact | 157 | 2.18 | 0.22 | 0 |
Dispositions Breakdown
Each token observation is classified into one of four dispositions based on the surprisal score and the surrounding sequence context (patent pending).
| Disposition | Count | % |
|---|---|---|
| suppress | 3,947 | 81.9 |
| investigate | 412 | 8.5 |
| present | 284 | 5.9 |
| downgrade_infrastructure_change | 155 | 3.2 |
| elevate_to_preintrusion | 23 | 0.5 |
Detections by Segment
| Segment | Detections | Assets | Elevated |
|---|---|---|---|
| corporate | 2,847 | 512 | 8 |
| datacenter | 1,284 | 187 | 11 |
| dmz | 421 | 34 | 3 |
| iot | 189 | 78 | 1 |
| guest | 80 | 36 | 0 |
Most Anomalous Assets
| Source IP | Segment | Detections | Elevated | Max Surprisal | Avg Anomaly | Last Tactic |
|---|---|---|---|---|---|---|
| 10.0.12.45 | datacenter | 87 | 4 | 8.73 | 0.82 | CommandAndControl |
| 10.0.3.118 | corporate | 64 | 3 | 7.21 | 0.71 | LateralMovement |
| 10.0.12.201 | datacenter | 52 | 2 | 6.84 | 0.68 | DataExfiltration |
| 172.16.0.89 | dmz | 41 | 2 | 5.92 | 0.59 | Reconnaissance |
| 10.0.8.77 | corporate | 38 | 1 | 5.47 | 0.54 | Persistence |
| 10.0.5.212 | corporate | 31 | 1 | 4.83 | 0.47 | PrivilegeEscalation |
| 10.0.12.15 | datacenter | 28 | 0 | 4.21 | 0.41 | Collection |
| 192.168.1.44 | iot | 24 | 1 | 3.97 | 0.38 | CommandAndControl |
False Positive Suppression
Recurring patterns that the Occam predictor has classified as legitimate. If a suppressed pattern deviates from expected resolution, it escalates to a high-priority alert.
| Tactic | Disposition | Count | Avg Surprisal | First Seen | Last Seen |
|---|---|---|---|---|---|
| Benign | suppress | 3,142 | 0.31 | 2026-04-19T06:31:53 | 2026-04-20T05:31:53 |
| Impact | suppress | 312 | 1.84 | 2026-04-19T07:31:53 | 2026-04-20T04:31:53 |
| Reconnaissance | suppress | 287 | 1.92 | 2026-04-19T09:31:53 | 2026-04-20T05:31:53 |
| Collection | suppress | 124 | 2.14 | 2026-04-19T11:31:53 | 2026-04-20T03:31:53 |
| LateralMovement | suppress | 82 | 2.47 | 2026-04-19T13:31:53 | 2026-04-20T04:31:53 |