[ Platform ]

A security data stack, batteries included

Runs on the data in your cloud

Management plane

The management plane is hosted by Perpetual. It provides the web interface, API, and MCP access. All configuration, detection logic, case management, and user state lives here. It does not store or process your security event data.

Data plane

Ingestion, parsing, normalization, query execution, and storage management all run in the data plane, backed by cloud object storage in your account. Event data goes into Apache Iceberg tables in Parquet format.

Not bolted onto anything,
no need for $cloud_data_warehouse

Data never crosses your compliance boundary. It never leaves your cloud account.

Any tool that reads Iceberg and Parquet can query it, not just Perpetual. You are never locked in.

One storage tier, no forced split between cold archive and hot query tier. Cheap enough to keep everything, fast enough to query anything.

Already have a security data lake?

[ 01 / The Semantic Layer ]

Security data, engineered

Security analytics is a data engineering problem. Perpetual treats parsing, normalization, enrichment, and correlation as stages in a processing workflow. Simba sees that entire workflow as context: lineage, transformations, schemas, and documentation.

Start with a question, not with a table name

The catalog tracks every dataset, field, and transformation. Simba uses it to connect the terms analysts use in their questions to the data model and to build the right query.

What sources of authentication events do we have currently?

Let me check what authentication-related datasets are available.

Found 5 datasets matching "authentication"

Found 5 datasets matching "login auth identity access"

Found 5 datasets matching "windows logon active directory kerberos"

Based on my search across your datasets, here's a summary of the authentication event sources currently available:

Summary

Source	Dataset(s)	Auth Event Types
Okta (IdP/SSO)	`okta_events`	Logins, MFA, SSO, session events
AWS CloudTrail	`cloudtrail_events`	Console logins, IAM auth
Windows Security	`sysmon_events`	Logon/logoff, Kerberos, NTLM

[ 02 / Dependency Graph ]

The pieces fit, and you can see how

Perpetual models the entire data pipeline as a dependency graph. Detections depend on normalized data, normalization depends on parsed data, and parsing depends on ingested raw data. Detections can even depend on other detections for scenario detections!

Scenario - Windows ClickFix Initial Access

deploys

scenario_windows_clickfix_initial_access

queries queries queries

signal_windows_suspicious_process_creation

signal_windows_suspicious_usage

queries queries

signal_windows_suspicious_network_connection

queries

sysmon_events

queries

sysmon

queries

connector.sysmon

Scenario - Windows ClickFix Initial Access

Query Detection

Open

Maturity Stable

Severity High

Deploy Yes

Status Deployed

Max Latency 1 hour

Retention 365 days

Updated 2 days ago

Created 4 months ago

Start Time 11/24/2025, 6:06 PM

Datasets View scenario_windows_clickfix_initial_access

Description

ClickFix C2 Activity Detection - Initial Access and Command & Control

Detection Overview

This detection identifies ClickFix malware campaigns that abuse Windows Run Dialog functionality to execute malicious PowerShell commands followed by command-and-control (C2) communications. It correlates three behavioral indicators within seconds: suspicious process creation, Windows Run Dialog registry activity, and network beaconing to known C2 infrastructure (185.91.69.119).

Detection Logic

Data Sources Monitored

[ 03 / Hamelin ]

One query language for everything

Hamelin is a single language for every security operation: parsing, detection, hunting, and investigation. No context switching, no separate syntax to learn.

Security operations spans four activities: parsing, detection, hunting, and investigation. Hamelin is a single language that covers all of them. On many platforms, at least one of these requires a different language, with its own syntax and learning curve. In Perpetual, Hamelin is all you need.

Hamelin queries are readable by design. You can read and understand a query even if you didn't write it and even if you're not an expert in the language. This matters because in Perpetual, most queries are written by Simba.

When Simba investigates a question, you can read its queries to understand its reasoning. When Simba builds a detection, you can read the proposed query to understand exactly how it plans to detect the threat. Review it, discuss it with Simba, change it if you like, and deploy it. If you get stuck writing a query yourself, just ask Simba to finish it for you.

Show me signal count by hour and day

Hamelin query written successfully

1

2

3

FROM signals

| AGG count = count() by timestamp@h

| SORT timestamp ASC

Query completed with 187 results in 2 seconds

Here’s the signal count by hour over the last 7 days:

Date Hour Count

Mar 2 00:00 2,800

Mar 2 01:00 1,862

Mar 2 02:00 2,391

Mar 2 3:00 1,115

Mar 2 00:00 2,800

[ 04 / Examples ]

Parsing

Hamelin can parse any log format into structured fields. It is especially good at parsing JSON. Access the fields in parsed JSON values using the fluent field lookup syntax you'd expect. Hamelin is also good at anchor-parsing printf-style logs. Just use the `PARSE` command. You won't need to reach for regex to do most parsing.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

FROM connector.okta

| LET detail = parse_json(event.original).detail

| LET actor = detail.actor as {

id: string,

type: string,

alternateid: string,

displayname: string,

}

| LET client = detail.client as {

useragent: {

rawuseragent: string,

os: string,

browser: string,

},

zone: string,

device: string,

id: string,

ipaddress: string,

geographicalcontext: {

city: string,

state: string,

country: string,

postalcode: string,

geolocation: {

lat: double,

lon: double,

},

}

| LET device = detail.device as {

id: string,

name: string,

os_platform: string,

os_version: string,

managed: boolean,

registered: boolean,

device_integrator: string,

disk_encryption_type: string,

screen_lock_type: string,

jailbreak: boolean,

secure_hardware_present: boolean,

}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

FROM simba.okta

| LET event = {

id: uuid,

created: published,

provider: 'Okta',

action: eventType,

category: 'authentication',

kind: 'info',

outcome: outcome.result,

reason: outcome.reason,

severity: case(

severity == 'ERROR': 0,

severity == 'WARN': 1,

severity == 'INFO': 2,

severity == 'DEBUG': 3,

severity == 'TRACE': 4,

true: 5

),

ingested: event.ingested,

original: event.original

}

| LET result_client = {

address: client.ipaddress,

ip: client.ipaddress,

user: {

email: actor.alternateid,

full_name: actor.displayname,

id: actor.id

},

geo: {

city_name: client.geographicalcontext.city,

country_name: client.geographicalcontext.country,

postal_code: client.geographicalcontext.postalcode,

location: client.geographicalcontext.geolocation

}

| LET destination = {

address: (request.ipchain[0]).ip,

geo: {

city_name: request.ipchain[0].geographicalcontext.city,

country_name: request.ipchain[0].geographicalcontext.country,

postal_code: request.ipchain[0].geographicalcontext.postalcode,

location: request.ipchain[0].geographicalcontext.geolocation

},

ip: request.ipchain[0].ip,

user: {

email: target[0].alternateid,

full_name: target[0].displayname,

id: target[0].id

}

| LET user_agent = {

original: client.useragent.rawuseragent,

device: { name: client.device },

os: { type: client.useragent.os, name: client.useragent.browser}

}

| LET result_device = {

id: device.id

}

| LET user = { email: actor.alternateid, id: actor.id, full_name: actor.displayname }

| LET okta = {

uuid: uuid,

published: published,

eventType: eventType,

version: version,

severity: severity,

legacyeventtype: legacyEventType,

displaymessage: message,

actor: actor,

client: client,

device: device,

outcome: outcome,

target: target,

transaction: transaction,

debugcontext: debugContext,

authenticationcontext: authenticationContext,

securitycontext: securityContext,

request: request,

timestamp: timestamp

}

| SELECT timestamp, message, event, client = result_client, device = result_device, destination, user_agent, data_stream, user, okta

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

// Main Detection Logic:

//

// Above we detect three distinct events happening in a Clickfix scenario:

// - A suspicious process is launched

// - A registry event signaling a Windows Run Dialog usage

// - Outbound network connections to a known C2 server

//

// Then, we detect a process event and a registry event happening together.

// Technically, the process event precedes the registry event.

// But in Windows, the timeestamps for the events are not very precise

// Therefore, we need look for those two events happening NOT one

// after the other, but in a small time window!

WITH process_near_registry = FROM registry_event = simba.signal_windows_run_dialog_usage,

process_event = simba.signal_windows_suspicious_process_creation

| WINDOW process_event = last_value(process_event),

registry_event = last_value(registry_event)

BY host WITHIN 1s

| WHERE process_event IS NOT NULL AND registry_event IS NOT NULL

// Flatten nested fields to simple top-level columns so MATCH AGG can

// reference them as plain column names (dotted paths are not allowed there).

| SELECT

timestamp,

host,

proc_image = process_event.image,

proc_cmd_line = process_event.cmd_line,

proc_parent_image = process_event.parent_image,

proc_user = process_event.winlog.user.name,

reg_key = registry_event.reg_key,

reg_value = registry_event.reg_value

// Wrap the network signal source in a CTE as well, selecting only the flat

// columns we need, so MATCH AGG can reference them as simple names.

WITH network_event = FROM simba.signal_windows_suspicious_network_connection

| SELECT

timestamp,

host,

dest_ip,

dest_port

// Finally, we are looking for a pattern where a combination of the above

// mentioned process & registry events are on the same host followed by

// outbound network connections to the C2 server.

MATCH process_near_registry network_event=network_event+

AGG event_start = min(timestamp),

event_end = max(timestamp),

// Scalar fields from the process/registry pattern (via first/last)

proc_image = first(proc_image),

proc_cmd_line = first(proc_cmd_line),

proc_parent_image = first(proc_parent_image),

proc_user = first(proc_user),

reg_key = first(reg_key),

reg_value = first(reg_value),

dest_ip = last(dest_ip),

dest_port = last(dest_port),

beacon_count = count(dest_ip)

BY host

WITHIN 5s

Everything as code

Hamelin is a single language for every security operation: parsing, detection, hunting, and investigation. No context switching, no separate syntax to learn.

Full API across all platform functionality

OpenAPI 3.0 spec & Typescript SDK

Remote MCP and agentic CLI

// Built from scratch for AI scale// Your data, in your cloud// Ingest everything, no trade-offs// Built from scratch for AI scale// Your data, in your cloud// Ingest everything, no trade-offs// Built from scratch for AI scale// Your data, in your cloud// Ingest everything, no trade-offs// Built from scratch for AI scale// Your data, in your cloud// Ingest everything, no trade-offs

A security data stack, batteries included

Management plane

Data plane

Not bolted onto anything, no need for $cloud_data_warehouse

Security data, engineered

Start with a question, not with a table name

The pieces fit, and you can see how

Scenario - Windows ClickFix Initial Access

ClickFix C2 Activity Detection - Initial Access and Command & Control

Detection Overview

Detection Logic

One query language for everything

Parsing

Everything as code

Not bolted onto anything,
no need for $cloud_data_warehouse