Did you know SAM can map a violation against MITRE? Simply ask:
Map every alert in this incident to a MITRE ATT&CK technique and sub-technique. Then tell me which tactic phase is most heavily represented and what that implies about attacker intent.
And SAM will produce an analysis for you like below
What have you used SAM to do? Did it save you time?