Explore attributes

About Attributes

An attribute is a specific piece of information that describes a particular aspect of an object or Entity. In Hunters, an attribute is used to describe different aspects of Leads or of Lead Entities. A Lead can have several attributes, such as domain, remote_ip, etc.

Each attribute has a value. For instance:

  • domain: hunters.ai

  • remote_ip: 10.0.0.1

In this example, one of the lead’s attributes is the domain attribute whose value is ‘hunters.ai’.

Attributes provide you with more details about the lead. Each detector has its own set of attributes that it can provide to a lead, which means that each type of lead displays a different set of attributes. For instance, a lead for an anomalous execution of some kind will include a Commandline attribute, specifying the executed command line, while leads for failed login attempts or suspicious role assignments will include the Role name attribute or the user ID attribute.

📘 Learn more

Attributes are not only provided per lead but also included in the details provided per lead Entity. For instance, in a lead for a user role assignment, one of the lead entities is the Caller IP Address. This entity in itself has attributes that provide more information about the IP address.

Working with Attributes

Attributes are mostly used to provide additional information regarding the lead, or entity, but can also be the basis of an additional investigation into the matter. This section will describe how you can use attributes to continue investigating the lead.

View Attributes

To view attributes:

  1. Open the SOC queue (Security Operations > SOC Queue) or leads page (Threat Hunting > Leads).
  2. Locate the lead you want to investigate and click to open it.
  3. From the Lead Details panel, scroll down to see the Attributes section. By default, the list shows only the top attributes for this lead.

  4. Click the Attributes section title to show all of the lead details.

Continue Investigating an Attribute

To continue investigating an Attribute:

  1. Click the arrow next to the attribute you want to work on.

    A menu opens.

  2. Click on one of the following options, depending on your needs:

    • Copy to Clipboard - copy the attribute value to paste into any other page or program for further investigation.

    • Annotate Asset - annotate an asset to clarify which asset it is for future reference.

    • Add Asset Tag - tag the asset for a clearer understanding of the risk. Learn more here. This option is available only for some types of attributes.

    • Investigate - look up this attribute value across all of your raw data.

    • Add Custom Scoring - add a custom scoring rule for leads including this or similar attribute values. Learn more here.

📘 Learn more

Commandline attributes can be further investigated using the Ask GPT option.

Click Ask GPT to learn what GPT AI has to say about the command line attribute value and its purpose.

Note:

  • This new GPT AI capability is powered by Microsoft Azure OpenAI Service under Microsoft Terms and Hunters SaaS Terms of Service.

  • All command lines investigated with this service will be made available to Microsoft Azure for abuse detection purposes and are not otherwise used to train the underlying GPT model. To read more on how the data is processed, used, and stored by Microsoft - see here.

  • Due to the current nature of generative AI technology, any output it produces may be inaccurate, outdated, or incomplete and requires careful consideration. Use of this new capability and reliance on its output are at your own risk.