View leads

You can view leads on Hunters in 2 locations: the SOC Queue and the Leads page. While the Leads page displays a complete list of leads depending on the selected timeframe, the SOC Queue will display only leads that have reached a specific threshold rendering them more pressing or critical.

On the leads page

On the Leads page, leads are presented in a nested methodology in the following structure:

• Detector
  • Threat cluster
    • Context (optional)
      • Lead

To view leads on the Leads page:

1. Navigate to Threat Hunting> Leads.
   
2. Use the timeframe filter from the upper bar to show only leads in a specific timeframe.
3. Use the Leads page filters and sorting options to show only leads answering a specific set of criteria.
   
4. To view leads, expand the detector and cluster levels to expose the leads below it, and then click the lead row to open the Lead details panel.
   

On the SOC Queue

The SOC Queue displays only leads that have reached a specific threshold rendering them more pressing or critical. This setting can be changed using the Alert generation settings.

You can currently use the SOC Queue to view leads in 2 viewing methods: Clustered and Unclustered. When using Clustered view, all of the leads in the queue will be aggregated into threat clusters and will not appear individually.

To view leads on the SOC Queue:

1. Navigate to Security Operations > SOC Queue.
   
2. Use the timeframe filter from the upper bar to show only leads in a specific timeframe.
3. Use the SOC Queue filters to show only leads answering a specific set of criteria. You can filter by assignee, status, and data source.
   
4. Continue according to the selected view:
   • Clustered - to view leads, expand the cluster level to expose the leads below it, and then click the lead row to open the Lead details panel.
     
   • Unclustered - click on any lead row to open the Lead details panel.