Thanks for an informative article. Can you highlight a bit how your approach is different from RBA? To me, the principle looks pretty much the same.
Also, with the power of correlation, does it imply that a threat detector can write "loose" logic with a wider net to better capture malicious events (of course with more FPs, but atomic alert fatigue should be handled by the security alert model)?