After the lead is enriched, it becomes quite a complex piece of information. While it's represented as one line in the Leads table (or the SOC Queue), clicking on it will open the Lead Details panel, which includes all of the information Hunters could gather about the detected incident and its periphery.
To simplify things, here are the different ways to view leads on Hunters and the information provided with each:
Lead row
The lead row appears in the SOC Queue and on the Leads page. When clustered view is active, you might need to expand the cluster levels to see the lead row itself.
Here's a list of the information displayed in the lead row:
Lead Risk score - the lead's risk score is displayed in color.
Event date and time - the date and time of the event described in the lead.
Detector name - the origin of the detection: the name of the detector that made the detection.
Detected event - what was detected by the detector.
Data source tag - the tag assigned to the data flow that is involved in this detection. Learn more here.
Lead assignee - the name of the team member assigned to the lead.
Lead classification - the classification provided to the lead (Malicious, Benign or Unknown).
Lead status - the current status of the lead.
Lead details panel
Upon clicking on the lead row, the Lead details panel opens. It includes the following sections:
Lead tab menu - a list of tabs, each representing a drill-down into a different entity of the lead.
Tab content - the tab content section changes depending on the selected tab.
The first tab of the lead details panel will always be a Summary tab, which shows a summary of the lead's details.
💡Tip
Click the lead's expand icon to open an expanded page of the lead.
Lead tab menu
Leads that went through the auto-investigation process will show several tabs. The first will be the lead summary tab (see below), and those after it will be drill-down tabs into each of the involved Entities.
The content of the panel changes based on the selected tab.
Lead summary tab
The first tab in the leads panel is a summary of the lead itself, including basic information, its Attributes, the involved entities, and more.
Here's a list of the information displayed in the lead summary tab:
Basic details:
Risk score and detection time - the lead's risk score is displayed in color, with the date and time of the detection next to it.
📘Learn more
Click here to learn more about risk score.
Detected activity - the action that was detected by the detector, or what actually happened.
Detector and table name - the origin of the detection: the name of the detector that made the detection and the name of the raw data table involved. This section will also display the data source tag, if relevant.
Story and Comment buttons - click these to open the relevant Story, or to open the discussions panel for this lead, respectively.
Entities summary - a quick view of the who, what and where involved in this incident. Each of the entities in this panel will also have a deep-dive tab of its own, including more information about the entity.
📘Learn more
Click here to learn more about entities.
Lead Risk level - displays the lead's risk level, as well as how it was calculated.
Lead Confidence level - the final Confidence level and what affected it.
Lead Severity level - the final Severity level and what affected it.
Lead Attributes - a list of the attributes attached to this lead.
📘Learn more
Click here to learn more about attributes.
MITRE Techniques - a list of MITRE techniques employed in this incident.
📘Learn more
Click here to learn more about MITRE techniques.
Entity tab
Each entity is developed into its own tab, showing all of the relevant information gathered about the entity at hand. It includes the entity's attributes, enrichments and activity.
📘Learn more
Click here to learn more about entities.