About Entities
An entity refers to any object or system that can be targeted by an attacker or that can participate in a security event. Entities can include devices, applications, networks, users, and data.
Entities are often classified according to their level of criticality to an organization's operations, with critical entities being those that are essential to maintaining business continuity and the security of sensitive data. By identifying and categorizing entities, organizations can better understand their cybersecurity risk profile and prioritize their security efforts accordingly.
Entities are also a key concept in security information and event management (SIEM) systems, which collect and analyze security-related data from across an organization's infrastructure to detect and respond to security incidents. SIEM systems use entities as a means of organizing and correlating security events, which helps security teams identify patterns and anomalies that may indicate a security threat.
Entities on Hunters
Hunters separates the involved entities into 3 groups:
Who - the user identity involved in the incident. For instance, a user name, user email address, Okta identity, source client, etc.
What - the malicious intent or what happened in the incident. For instance, a process was run or permissions were granted.
Where - refers to where the incident occurred, on which device. For instance, host name, local host, etc.
Each of the lead Entities is further investigated and enriched with data from additional sources. The investigation results appear in a dedicated tab for each entity, under the Lead Details panel.
Working with Entities
Hunters provides a summary of the involved Entities in the Lead Summary page.
View the lead's entities
To view the lead's entities:
- Open the SOC queue (Security Operations > SOC Queue) or leads page (Threat Hunting > Leads).
- Locate the lead you want to investigate and click to open it.
From the Lead Details panel, scroll down to see the Entities section.
📘 Investigation On-Demand
If you feel like information is missing from the lead or want to refresh the data, you can manually initiate an auto-investigation to complete the picture.
To manually initiate an auto-investigation:
- Open the lead and click the event timestamp. The Lead Timeline opens.
- Scroll down to the Auto-Investigation indication, and click Run Again.
Note:
You can run Investigation On-Demand up to 3 times per lead, and only after at least 20 minutes have passed since the last investigation was completed.
Continue investigating entities
Each of the involved entities in the Entities panel can be further investigated under its respective tab.
To continue investigating Entities:
From the Lead details panel, select one of the Entity tabs to explore this entity further.
📘 Attributes, Enrichments and Activity
Each Entity tab contains three sections, providing complementary information about the Entity:
Attributes - this section displays specific data points describing a particular aspect of the Entity.
Enrichments - additional context regarding the entity, provided in addition to raw data.
Activity - peripheral information about the entity that might be pertinent to the incident, such as a user's login history in the relevant timeframe, child processes that ran in addition to a suspicious process, host logon history, etc.