During the auto-investigation process, the system identifies the entities involved in the lead. These entities are then enriched with extra layers of data. There are two types of data added to the entities at this stage:
- Enrichments - extra information added to the entity using peripheral data analysis and additional resources. For instance, the geolocation of an involved IP address or the Okta user details of the user involved in the event.
- Activity - extra information added to the lead, focusing on what happened to/on the entity in the time frame close to the event creation.
Each type of entity has a different set of enrichments and activities defined. Local users, for instance, will show enrichments regarding the user name, Google account, etc., while hosts will show IP geo information of the host, device users, etc.
Some enrichments and activities include a link to an information grid, listing all of the instances of the described action.
Click on the grid icon to show the full grid.
Explore enrichments
Enrichments will provide you with more information about the entity, depending on its type and on the available information from your connected data sources. For instance, the geolocation of an involved host or the Okta user details of the user involved in the event.
Let's investigate a real-life example. The detector 'Execution of Netcat' detected the following event: 'Execution of Netcat network tool with command line...'
Deep-diving into the involved entities we can see the local user involved in the event is Anton.
Scrolling down to the Enrichment section, we can see the enrichments added to the entity Anton are: Organizational Local Username Creation Prevalence, G Suite User Details, Username System and Domain Info, and more. Under each of these items, Hunters provides information items. For instance, under G Suite User Details, we can see that Anton is not an Admin user, is not a suspended user, and it has been 406 days since his Google account was created.
Explore activities
Activities will show you what happened to/on the involved entity close to the time of the event. This can be the parent process tree or command history of a process executed in the event, or a local user's G Suite activity.
Continuing with our example, Hunters shows more information regarding the activity of Anton.
Scrolling down to the Activity section, we can see the activities added to the entity Anton are: User Logon History, G Suite Activity Statistics, Last Okta Sessions from Email, and more. Under each of these items, Hunters provides information items. For instance, under User Logon History, we can see that Anton's first and latest login was on July 3rd 2023.
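The distinction the two sections above draw, static facts about an entity (enrichments) versus what happened around the event time (activities), can be illustrated with a small model of the Netcat example. This is an added example, not Hunters' code; the directory records, logon log, field names and the one-day activity window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for connected data sources.
# Event time chosen so that Anton's account age comes out to 406 days.
EVENT_TIME = datetime(2023, 7, 3, 12, 0)
DIRECTORY = {  # hypothetical G Suite-style user directory
    "anton": {"is_admin": False, "suspended": False, "created": datetime(2022, 5, 23)},
}
LOGONS = [  # hypothetical logon records: (user, timestamp, host)
    ("anton", datetime(2023, 7, 3, 8, 15), "ws-01"),
    ("anton", datetime(2023, 7, 3, 17, 40), "ws-01"),
    ("anton", datetime(2023, 6, 1, 9, 0), "ws-01"),   # outside the window
]


def enrich_local_user(user, event_time):
    """Enrichments: facts about the entity pulled from peripheral sources.

    They do not depend on what happened near the event, only on when the
    lookup is evaluated (account age is relative to the event time).
    """
    rec = DIRECTORY.get(user)
    if rec is None:
        # A user absent from the directory is itself a useful enrichment.
        return {"directory_user_found": False}
    return {
        "directory_user_found": True,
        "is_admin": rec["is_admin"],
        "suspended": rec["suspended"],
        "account_age_days": (event_time - rec["created"]).days,
    }


def user_activity(user, event_time, window=timedelta(days=1)):
    """Activities: what happened to/on the entity close to the event time.

    Only records within +/- `window` of the event are considered, so the
    same log yields different activity for different leads.
    """
    near = [ts for (u, ts, _) in LOGONS if u == user and abs(ts - event_time) <= window]
    return {
        "logons_in_window": len(near),
        "first_logon": min(near) if near else None,
        "latest_logon": max(near) if near else None,
    }


def investigate_local_user(user, event_time=EVENT_TIME):
    """Attach both data layers to one entity, as the lead view does."""
    return {"enrichments": enrich_local_user(user, event_time),
            "activity": user_activity(user, event_time)}
```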