State-of-the-art solutions for threat detection focus automatically on the actual threats and the notification thereof. The tremendous amount of data that is not relevant in this context and usually overwhelm the internal security specialists must be ignored or abstracted. Because the warnings are based on anomalies - and not, as with conventional protective measures on all normal output behaviour, the total number of warnings and of false positive results are greatly reduced . The information in a warning is presented visually and easy to use directly in the context of an event. Investigators can then pursue their analysis focused on these warinings which also allow digging into the rood causes in order to clarify whether these are justified or not.