SOC Analyst
Reduced verdict ambiguity and faster triage. Each alarm arrives with its rule, source telemetry, enrichment, and confidence weighting — so the first question of the shift is decision, not interpretation.
Detection without lineage is opinion. Detection with lineage is evidence.
Audit-ready evidence as a property of the deployed system. Coverage and gap reporting are continuous, not periodic; supervisory inspections receive structured lineage records aligned with control frameworks (ISO 27001, POJK, BSSN sectoral, UU PDP).
Intelligible decision-oriented summaries grounded in evidence. Executive narratives — cited to the lake records that ground them — translate operational telemetry into the register the board can act on.
A detection that arrives without its evidentiary chain is, in epistemic terms, an opinion — a verdict whose grounds cannot be inspected, contested, or audited. The Decision Lineage Surface is the architectural commitment that every verdict produced by the platform carries the rule that fired it, the source data examined, the enrichment applied, and the confidence weighting that arbitrated the outcome.
Without lineage, the SOC operates by deference; with lineage, the SOC operates by evidence. The shift is not cosmetic — it changes what an analyst can defend, what a CISO can report, and what a regulator can verify.
Each engine — Apex Vision, Apex Static, Minutia, Behavioral Baseline — emits a structured verdict bound to a canonical event identifier and accompanied by its decision metadata. Aptos normalizes these verdict records under the Mega Lake schema. The Investigation Workspace surfaces the lineage to the analyst as a navigable graph of triggers, sources, and weighted contributions.
Crucially, the lineage record persists across the retention horizon, enabling retroactive verification, post-incident reconstruction, and supervisory audit.
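The lineage record described above, as an added illustration that is not the platform's own code: each verdict carries its rule, source telemetry, enrichment and confidence weighting under a canonical event identifier, and a retroactive verification step recomputes the verdict from that stored lineage. Field names, the arbitration rule and the sample contributions are assumptions constructed for the example.

```python
from dataclasses import dataclass, asdict

@dataclass
class Contribution:
    rule_id: str        # rule or trigger logic that fired (assumed identifier)
    source: str         # source telemetry examined (assumed stream name)
    enrichment: dict    # enrichment applied to the source data
    weight: float       # confidence weighting of this contribution
    triggered: bool     # whether the rule matched on the source data

@dataclass
class LineageRecord:
    event_id: str       # canonical event identifier
    engine: str         # engine that emitted the verdict
    contributions: list
    verdict: str
    confidence: float

def arbitrate(event_id, engine, contributions, threshold=0.6):
    # Assumed arbitration: weighted share of triggered rules decides the verdict.
    total = sum(c.weight for c in contributions)
    score = sum(c.weight for c in contributions if c.triggered) / total
    verdict = "alert" if score >= threshold else "benign"
    return LineageRecord(event_id, engine, contributions, verdict, round(score, 3))

def verify(record, threshold=0.6):
    """Retroactive verification: every contribution must carry rule, source and
    enrichment, and the stored verdict must be reproducible from the lineage."""
    for c in record.contributions:
        if not (c.rule_id and c.source and isinstance(c.enrichment, dict)):
            return False
    again = arbitrate(record.event_id, record.engine, record.contributions, threshold)
    return again.verdict == record.verdict and abs(again.confidence - record.confidence) < 1e-9

def trace(record):
    """Analyst view: the (rule, source) pairs that grounded the verdict."""
    return [(c.rule_id, c.source) for c in record.contributions if c.triggered]

def to_lake_row(record):
    """Flatten the record for storage; no lineage field is dropped."""
    return asdict(record)

# Constructed sample event with three contributions, two of which fired.
SAMPLE = arbitrate("evt-0001", "ApexVision", [
    Contribution("R-LOGIN-GEO", "auth.log", {"geo": "unexpected"}, 0.5, True),
    Contribution("R-NEW-DEVICE", "edr.telemetry", {"asset": "unmanaged"}, 0.3, True),
    Contribution("R-OFFHOURS", "auth.log", {"tz": "UTC+7"}, 0.2, False),
])
```

A verdict whose stored value no longer matches what its own lineage reproduces fails `verify`, which is the contestable, auditable property the text is after.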
Before: alarms surfaced without explainability; analysts disputed verdicts they could not inspect.
After: every alarm can be traced from the analyst console back to the precise rule and source telemetry.

Before: incident reports were composed manually under deadline pressure.
After: supervisory inspections receive structured lineage records aligned with control frameworks.

Before: each hunt restarted from raw logs.
After: hunters can replay historical lineage against new hypotheses without rebuilding context.
"Apex Vision Engine data produces a full decision trail that contains the triggering rule or logic, the source data, and the enrichment."
— NOGTUS Platform Specification