Saved February 14, 2026
This article discusses using a 3D visualization model called Time-Terrain-Behavior (TTB) to identify unusual workstation behavior in security data. By analyzing patterns without prior knowledge of what to look for, the approach reveals outlier workstations that may indicate compromise. The method is applied to the BOTS v2 dataset for practical validation.
A standout workstation in a sea of security events revealed itself through a 3D visualization of logs, highlighting the challenge many Security Operations Centers (SOCs) face: identifying patterns amid millions of alerts. The BOTS v2 dataset, which includes 100 data sources and generates vast amounts of logs, provides a classic case study. Attackers can use legitimate credentials and blend in with normal traffic, making detection difficult. In this scenario, no single rule could catch the compromise, but analyzing the overall patterns of activity—such as touching multiple systems and unusual timing—uncovered the threat.
Using the Time-Terrain-Behavior (TTB) framework, the author illustrates how to transform security data into a 3D model. Normal workstations follow predictable patterns, while compromised ones act erratically. In the BOTS v2 analysis, one workstation became an outlier, showing activity across 11 different security tools, operating in 12 distinct time contexts, and performing 13 or more actions—far beyond the norms of 3-5 tools and 4-6 time contexts typical for regular workstations. This method allowed for the identification of Amber's workstation without prior knowledge of its behavior.
The TTB framework has gained traction in the security community, with MITRE recognizing its value in understanding threat actor movements. However, many implementations remain theoretical. The author applies TTB practically to demonstrate its effectiveness in detecting unusual behaviors. By analyzing a full 30-day period without filtering for known indicators, they ensure the approach mimics real-world environments where attackers' techniques are unknown. The article outlines a five-step process for implementing TTB, focusing on transforming categorical data into numerical metrics, making the visualization of unusual behavior practical and actionable for security teams.
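The article describes the core of the five-step process only at a high level: reduce each workstation's events to a few numeric measures (distinct tools seen, distinct time contexts, distinct actions) and look for the workstation that sits far from the rest of the fleet. The block below is an added example written for this page, not the author's code or part of the BOTS v2 tooling. It constructs a small set of sample events for six hypothetical workstations, computes the three counts per host, and flags outliers with a robust statistic. The definition of a "time context" (weekday crossed with a six-hour block) and the outlier rule (modified z-score of at least 3.5 on at least two of the three axes) are assumptions chosen for illustration; the article does not specify either.

```python
"""Added example (not the article's code): per-workstation Time-Terrain-Behavior
counts over constructed events, with a robust outlier test across the fleet."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MODIFIED_Z_THRESHOLD = 3.5  # Iglewicz-Hoaglin cutoff for the modified z-score
MIN_AXES_OVER = 2           # assumed rule: an outlier stands out on >= 2 of 3 axes


def time_context(ts: datetime) -> tuple:
    """Assumed context definition: weekday name x six-hour block of the day."""
    block = (ts.hour // 6) * 6
    return (ts.strftime("%a"), f"{block:02d}-{block + 6:02d}")


def build_events(host, tools, slots, actions):
    """Constructed events for one host; cycles each list so every value appears."""
    base = datetime(2017, 8, 7)  # a Monday; arbitrary constructed week
    n = max(len(tools), len(slots), len(actions))
    events = []
    for i in range(n):
        day, hour = slots[i % len(slots)]
        events.append({
            "host": host,
            "tool": tools[i % len(tools)],
            "ts": base + timedelta(days=day, hours=hour),
            "action": actions[i % len(actions)],
        })
    return events


# Constructed fleet: five ordinary workstations and one hypothetical outlier.
TOOLS = ["sysmon", "winevent", "edr", "proxy", "dns", "firewall",
         "dhcp", "vpn", "email", "av", "wmi"]
ACTIONS = ["logon", "process_create", "file_write", "net_connect", "registry_set",
           "service_install", "script_exec", "share_access", "sched_task", "logoff",
           "dns_query", "http_get", "smb_write"]
WORKDAY = [(0, 9), (0, 14), (1, 9), (1, 14), (2, 9), (2, 14)]   # weekday business hours
ODD_HOURS = [(0, 9), (0, 14), (0, 20), (1, 2), (1, 9), (2, 20), # nights and weekends too
             (3, 2), (3, 9), (4, 20), (5, 9), (5, 14), (6, 2)]

SAMPLE_EVENTS = (
    build_events("ws01", TOOLS[:3], WORKDAY[:4], ACTIONS[:5])
    + build_events("ws02", TOOLS[:4], WORKDAY[:5], ACTIONS[:6])
    + build_events("ws03", TOOLS[:3], WORKDAY[:4], ACTIONS[:4])
    + build_events("ws04", TOOLS[:5], WORKDAY[:6], ACTIONS[:6])
    + build_events("ws05", TOOLS[:4], WORKDAY[:5], ACTIONS[:5])
    + build_events("ws99", TOOLS[:11], ODD_HOURS, ACTIONS[:13])
)


def ttb_metrics(events):
    """Count distinct tools, time contexts and actions per host."""
    seen = defaultdict(lambda: {"tools": set(), "contexts": set(), "actions": set()})
    for e in events:
        s = seen[e["host"]]
        s["tools"].add(e["tool"])
        s["contexts"].add(time_context(e["ts"]))
        s["actions"].add(e["action"])
    return {h: {k: len(v) for k, v in s.items()} for h, s in seen.items()}


def modified_z(values):
    """Median/MAD based z-score, so one extreme host cannot drag the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = mad if mad > 0 else 1.0  # avoid division by zero on a uniform fleet
    return [0.6745 * (v - med) / scale for v in values]


def find_outliers(metrics):
    """Return (flagged hosts, per-host per-axis scores)."""
    hosts = sorted(metrics)
    scores = {h: {} for h in hosts}
    for axis in ("tools", "contexts", "actions"):
        for h, z in zip(hosts, modified_z([metrics[h][axis] for h in hosts])):
            scores[h][axis] = z
    flagged = [h for h in hosts
               if sum(scores[h][a] >= MODIFIED_Z_THRESHOLD for a in scores[h]) >= MIN_AXES_OVER]
    return flagged, scores


if __name__ == "__main__":
    metrics = ttb_metrics(SAMPLE_EVENTS)
    flagged, scores = find_outliers(metrics)
    for h in sorted(metrics):
        print(h, metrics[h], {a: round(z, 2) for a, z in scores[h].items()})
    print("outliers:", flagged)
```

Two design points carry over to real data. The median/MAD scoring keeps a single noisy host from inflating the baseline, which a mean-and-standard-deviation test would not; and requiring two axes to exceed the cutoff avoids flagging a workstation that merely has many log sources installed. The time-context bucketing is the knob to tune: coarser buckets hide nights and weekends, finer ones push every host's count up.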