Use Case · Cyber Incident Review
From scattered signals to a clear incident record.
IR and security teams feed Setara their logs, audit trails, messages, and OSINT context. Setara·Core resolves them into a verified timeline, an actor-asset relationship map, and a structured briefing ready for legal, board, or regulatory review.
The challenge
The problem every IR team knows.
After containment, the real work starts. Evidence is spread across a SIEM, three cloud provider logs, endpoint telemetry, Slack threads, and a handful of email exports. Timestamps disagree. Source formats differ. The analyst who handled the first 48 hours is already on the next engagement. The pressure to produce a clear, defensible account of what happened, when it happened, and who was involved compounds with every hour the record stays incomplete.
- Log sources use different timestamp formats and time zones, making sequence reconstruction error-prone and slow
- Attacker-to-asset relationships are buried across separate data sets with no shared key
- Narrative gaps create risk when the report reaches legal counsel or a regulator
- Manual correlation in spreadsheets or a SIEM query console does not scale to complex, multi-vector incidents
- Context from open-source signals, such as threat actor attribution or exposed credential data, lives outside every internal tool
Challenge layer
The asymmetric environment
- 9 log sources (cloud · endpoint · SaaS)
- 2.1M raw events (first 72h)
- 4 time zones to normalise
- 6 actors in scope
- 183 assets potentially touched
Heterogeneous logs · Clock skew · Gap detection · Lateral movement · External signals
Process
How Setara works for incident review.
Setara·Core ingests your raw evidence, normalises it, and produces four structured outputs: a verified Timeline, an Evidence Map, a Relationship Graph, and a structured briefing. Nothing is invented. Every entry in the output traces back to a source artefact in the input.
- Ingest: logs (SIEM exports, CloudTrail, VPC Flow, endpoint telemetry), audit trails, email and message exports, CSV, screenshots, and open-source context feeds
- Resolve: Setara·Core aligns timestamps, deduplicates events, and surfaces correlated signals across all sources
- Timeline: a single, ordered sequence of events with source attribution for every entry
- Evidence Map: a structured index linking each event to the artefacts that support it, built for review by legal counsel or a regulator
- Relationship Graph: actors, accounts, assets, and the connections between them, drawn from the evidence rather than assumed
- Structured briefing: a formatted, counsel-ready narrative exportable for board, insurer, or regulatory use
Inputs: Azure activity · Gmail · M365 · Phone calls · Transcriptions · Screenshots · Documents · PDF · Slack · Teams · Audit logs · CSV · datasets · Public context
Setara·Core
Outputs: Structured timeline · Evidence map · Connected pathway · Counsel-ready brief
Feature · Timeline
A single timeline from every source.
Setara correlates events from heterogeneous log sources into one chronological record. Each entry carries its source label and timestamp provenance, so the sequence is verifiable, not just plausible. When a regulator or counsel asks why a specific event appears at a specific point, the answer is in the record, not in an analyst's memory.
- Cross-source timestamp normalisation across cloud, on-prem, and SaaS log formats
- Event deduplication that preserves forensic fidelity rather than silently dropping entries
- Gap detection: Setara flags periods where expected log continuity is absent
- Exportable in structured formats suitable for legal disclosure or regulatory submission
setara · matter-2419 · assembling context · live
matter-2419 · normalised timeline · UTC · cross-source
- 2024-09-12T02:14:08Z · CloudTrail · ConsoleLogin, MFA bypass attempt · ct-09a4f1
- 2024-09-12T02:14:33Z · Okta · Auth success, user svc_deploy · okta-2218
- 2024-09-12T02:17:51Z · VPC Flow · Egress to 185.220.x.x, 4.2MB · vpc-77c1
- 2024-09-12T02:18:04Z · EDR · Process spawn, powershell -enc · edr-3310
- 2024-09-12T02:22:00Z · SIEM · Correlation rule R-218 fired · siem-9981
- 2024-09-12T02:28:14Z · Slack · On-call paged, #sec-incidents · slk-441
- 2024-09-12T02:40:00Z · gap · Log continuity gap, 11 minutes · gap-001
- 2024-09-12T02:51:09Z · CloudTrail · IAM role assumed, ops_admin · ct-09b22e
- 2024-09-12T03:04:42Z · EDR · Containment action, host isolated · edr-3402
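To make the three mechanics in the feature list concrete (cross-source timestamp normalisation, deduplication that keeps distinct events, and continuity-gap flagging), here is a small added Python example. It is illustrative code written for this page, not Setara's implementation. The sample records are constructed, loosely modelled on the matter-2419 mock-up above, with one source emitting epoch seconds, one emitting host-local time with an offset, one emitting CEST, and one line exported twice; the gap threshold of 10 minutes and the `gap-NNN` reference scheme are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real incident data). Each source writes timestamps
# its own way; the EDR line appears twice because the same host export was pulled
# into the evidence set twice.
RAW_EVENTS = [
    {"source": "CloudTrail", "ts": "2024-09-12T02:14:08Z", "event": "ConsoleLogin, MFA bypass attempt", "ref": "ct-09a4f1"},
    {"source": "Okta", "ts": "1726107273", "event": "Auth success, user svc_deploy", "ref": "okta-2218"},  # epoch seconds
    {"source": "EDR", "ts": "2024-09-11 19:18:04 -0700", "event": "Process spawn, powershell -enc", "ref": "edr-3310"},  # host-local
    {"source": "EDR", "ts": "2024-09-11 19:18:04 -0700", "event": "Process spawn, powershell -enc", "ref": "edr-3310"},  # duplicate
    {"source": "SIEM", "ts": "2024-09-12T04:22:00+02:00", "event": "Correlation rule R-218 fired", "ref": "siem-9981"},  # CEST
    {"source": "Slack", "ts": "2024-09-12T02:28:14Z", "event": "On-call paged, #sec-incidents", "ref": "slk-441"},
    {"source": "CloudTrail", "ts": "2024-09-12T02:51:09Z", "event": "IAM role assumed, ops_admin", "ref": "ct-09b22e"},
]

# Explicit formats rather than heuristics: an unrecognised timestamp is surfaced to
# the analyst as an error, never silently coerced into a plausible-looking time.
TS_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S %z", "%Y-%m-%d %H:%M:%S%z")


def to_utc(ts: str) -> datetime:
    """Normalise one timestamp string to a timezone-aware UTC datetime."""
    if ts.isdigit():
        secs = int(ts) / 1000 if len(ts) >= 13 else int(ts)  # epoch milliseconds vs seconds
        return datetime.fromtimestamp(secs, tz=timezone.utc)
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(ts, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp (declare the source's time zone): {ts!r}")


def build_timeline(raw: list[dict], gap_threshold: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Normalise, deduplicate, order, and flag continuity gaps.

    Deduplication keys on the full (utc, source, ref, event) tuple, so two distinct
    events sharing a timestamp are both kept and only exact repeats are dropped.
    The original timestamp string is retained on every entry as provenance.
    """
    seen: set[tuple] = set()
    entries: list[dict] = []
    for e in raw:
        utc = to_utc(e["ts"])
        key = (utc, e["source"], e["ref"], e["event"])
        if key in seen:
            continue
        seen.add(key)
        entries.append({"utc": utc, "source": e["source"], "event": e["event"],
                        "ref": e["ref"], "raw_ts": e["ts"]})
    entries.sort(key=lambda x: x["utc"])

    timeline: list[dict] = []
    gaps = 0
    for i, cur in enumerate(entries):
        if i:
            silence = cur["utc"] - entries[i - 1]["utc"]
            if silence > gap_threshold:  # no source logged anything for longer than expected
                minutes = int(silence.total_seconds() // 60)
                timeline.append({"utc": entries[i - 1]["utc"], "source": "gap",
                                 "event": f"Log continuity gap, {minutes} minutes",
                                 "ref": f"gap-{gaps:03d}", "raw_ts": None})  # assumed ref scheme
                gaps += 1
        timeline.append(cur)
    return timeline


if __name__ == "__main__":
    for t in build_timeline(RAW_EVENTS):
        print(f"{t['utc']:%Y-%m-%dT%H:%M:%SZ}  {t['source']:<10} {t['event']:<36} {t['ref']}")
```

The gap check runs over the merged, source-agnostic sequence, which is the point: a silence that looks normal in one source's export only stands out once every source is on the same UTC axis.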
Feature · Relationship Graph
Map every actor, account, and asset.
Incident scope is rarely obvious from raw logs alone. Setara builds a Relationship Graph from the evidence, connecting threat actors to compromised accounts, lateral movement paths to affected assets, and external signals to internal events. The graph makes scope visible before the post-incident report is written.
- Actor-to-account linkage derived from authentication logs and access events
- Lateral movement paths reconstructed from network and endpoint telemetry
- External OSINT context, such as known infrastructure or exposed credentials, mapped against internal artefacts
- Asset impact assessment: which systems, data stores, or accounts appear in the evidence trail
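As an added illustration of how a Relationship Graph can be derived from evidence rather than assumed (this is example code written for this page, not Setara's own), the block below turns a handful of constructed evidence records into a directed graph whose every edge carries the artefact reference that supports it, then walks outward from an actor node to list the accounts, roles, and hosts that the evidence actually connects to it. The records, the `host:`/`acct:`/`role:` naming, and every reference other than okta-2218 and ct-09b22e (taken from the mock-up above) are constructed.

```python
from collections import defaultdict, deque

# Constructed evidence records (not from any real incident). Each tuple is
# (edge kind, subject node, object node, supporting artefact reference).
EVIDENCE = [
    ("auth",    "ip:185.220.x.x",  "acct:svc_deploy",       "okta-2218"),   # auth log: source IP -> account
    ("assume",  "acct:svc_deploy", "role:ops_admin",        "ct-09b22e"),   # cloud audit: account -> role
    ("access",  "role:ops_admin",  "host:build-01",         "ct-09c0a1"),   # constructed ref
    ("lateral", "host:build-01",   "host:db-02",            "vpc-78e3"),    # network telemetry, constructed ref
    ("access",  "acct:alice",      "host:wiki-01",          "gws-1104"),    # unrelated activity, constructed ref
    ("osint",   "ip:185.220.x.x",  "ext:public-report-hit", "osint-07"),    # open-source context, constructed ref
]


def build_graph(records):
    """Adjacency list: node -> [(neighbour, edge kind, artefact ref)]."""
    graph = defaultdict(list)
    for kind, subj, obj, ref in records:
        graph[subj].append((obj, kind, ref))
    return graph


def scope(graph, start):
    """Breadth-first walk from a starting node.

    Returns {node: [refs]} where the list is the chain of artefact references for
    the edges that lead from `start` to that node, i.e. the evidence path a
    reviewer can follow to see why the node is in scope.
    """
    reached = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _kind, ref in graph.get(node, []):
            if nxt not in reached:
                reached[nxt] = reached[node] + [ref]
                queue.append(nxt)
    return reached


def impacted_assets(reached):
    """Hosts that appear in the evidence trail from the starting node."""
    return sorted(n for n in reached if n.startswith("host:"))


if __name__ == "__main__":
    reached = scope(build_graph(EVIDENCE), "ip:185.220.x.x")
    for node, path in reached.items():
        print(f"{node:<24} via {' -> '.join(path) or '(start)'}")
    print("impacted assets:", impacted_assets(reached))
```

Nodes that no evidence path reaches (here `acct:alice` and `host:wiki-01`) stay out of scope, which is the "drawn from the evidence rather than assumed" property: the graph can only say what the artefacts say.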
Legend: Email · Document · Audit log · Message · Screenshot · Public filing · External signal
Internal evidence · Open-source context
Feature · Briefing
A briefing legal and the board can actually use.
The structured briefing Setara produces is not a raw data dump. It is a formatted narrative organised around the sections a post-incident review requires: what happened, how the attacker moved, what was affected, how the response unfolded, and what the evidence shows. It is built to serve multiple audiences from a single source of truth.
- Sections map to standard post-incident review structure: timeline, root cause, impact, response actions, and recommendations
- Every claim in the narrative references the evidence artefact it comes from
- Formatted for legal counsel, insurers, board-level review, and regulatory reporting
- Produced from evidence sets like matter-2419 without manual reformatting
matter-2419 · incident scope · resolved
Signal legend: Evidence signal · Potential anomaly · System event · Supporting source · Needs review · Relationship path
Audience
Built for IR and security teams under time pressure.
Setara is an intelligence layer, not a replacement for your SIEM or forensic toolkit. It takes the outputs of your existing investigation, the exported logs, the collected artefacts, the pulled thread of messages and audit events, and turns them into a structured record. The people who benefit most are the analysts writing the post-incident report, the team lead presenting scope to the CISO, and the counsel who needs a defensible account of what the evidence shows.
- Works from exports and artefacts already collected during active response
- No agent installation or infrastructure integration required to begin
- Accepts the mixed, messy formats that real incidents produce
- Produces output that travels upstream to legal, risk, and executive stakeholders without translation
setara · matter-2419 · assembling context · live
Scattered evidence: email · 09:14 · screenshot.png · audit log · gws · doc · NDA-v3 · chat · slack · OSINT · domain
Structured sequence, Day 1 · Tue
- 09:14 · Inbound email, vendor NDA
- 10:02 · Drive download · 38 files
- 11:47 · External upload · personal acct
- 14:21 · Public filing match · OSINT
- 16:08 · Audit log · privileged access
Briefing: Counsel-ready in 41h
Request access
Get a clearer incident record, faster.
Setara is available by access request. Bring your next post-incident review to us and see what the evidence actually shows.