Investigate threat clusters

Let's deep-dive into a cluster to investigate it further. You can do this on two verticals: the clustered leads, and the cluster details.

Investigate clustered leads

To investigate the cluster leads further you can use the following tools:

  • Expand the cluster to expose the sub-cluster and the individual leads within it.
  • Click on Recent Lead to open a sample lead that was recently added to the cluster.
  • When many leads are clustered, not all of them are displayed in the expanded cluster. Click on more leads to open a grid of all available leads.

Investigate the cluster details

To investigate the cluster itself further, click on the cluster row to open the Cluster Details window.

The Cluster Details window is composed of 4 sections:

  • Basic cluster details
  • Advanced cluster details
  • Lead statistics
  • Lead grid

Basic cluster details

The basic cluster details section contains the following information:

A. The total number of leads in the cluster
B. The WHAT or WHO detected by the leads in this cluster
C. Quick link to the Cluster Comments panel
D. Triage Booster - displays the amount of time and effort saved by triaging the leads as a cluster, compared to triaging them on a lead-by-lead basis

Advanced cluster details

The advanced cluster details section provides more insights into the cluster as a group:

A. Detector - this panel shows the name of the originating detector and its description, as well as the data source tag, if relevant. Click Custom Scoring to view and create custom scoring rules, or Detector Overview to view the detector details and settings.
B. Context - this panel lists the sub-clusters and the context they are based on.
C. Cluster Attributes - the Cluster Attributes panel points out common attributes across all of the clustered leads.
D. MITRE ATT&CK - displays a list of the MITRE techniques and tactics associated with the clustered leads.

Lead statistics

The Lead statistics strip provides stats about the clustered leads, including:

A. Status and classification statistics
B. Prevalence across time

📘 Learn more

The statistics also function as a filter for the lead grid below.

Lead grid

This last section is essentially a list of the clustered leads that can be filtered and sorted:

A. View toggle - switch between viewing all of the clustered leads throughout the cluster lifespan and viewing only the filtered leads based on the timeframe and filters selected in the original page (Leads page or SOC Queue).
B. Bulk action - mark the checkbox next to leads in the grid and then apply actions in bulk.
C. Filter the list based on free text
D. Use the grid columns and rows to sort and filter data