View threat clusters

You can view threat clusters on Hunters in 2 locations: the SOC Queue and the Leads page.

On the Leads and SOC Queue pages, clusters display leads based on the timeframe selected from the platform’s Timeframe filter.

On the leads page


Detector aggregation

The Leads page shows all clusters relevant to the selected timeframe and other filters, grouped by detector. Each aggregation of clusters provides information about the clusters below it:


A. The detector name
B. The raw data table from which the data is derived
C. Number of clusters originating from this detector
D. Total number of leads originating from this detector
E. Risk score. The score displayed here is the risk score of the most severe lead in the view.
F. Breakdown of lead prevalence over time, based on the selected timeframe and filters
G. Triage Booster, displays the amount of time and effort saved by triaging leads in a clustered methodology, compared to a lead-by-lead basis
H. Quick link to the detector settings
I. A cluster

Cluster

Under the detector aggregation, you can find a row for each cluster. Here’s a breakdown of the information displayed on the cluster row:


A. The cluster risk score.

📘 How is it calculated?

To stay on the safe side, the cluster risk score is the most severe risk score in the cluster.

B. The WHAT or WHO detected by the leads in this cluster
C. The current status of the cluster

📘 How is this calculated?

The cluster status is an aggregative view of the statuses within the cluster. This means that if all leads are Open, the cluster status will also be Open. If some leads are open and some are WIP, the cluster status will show both statuses, etc.

D. The number of leads in this cluster, based on the timeframe selected. In parentheses you’ll find the total number of leads from the past 30 days, regardless of the selected timeframe.
E. Quick link to open a sample lead that was recently added to the cluster
F. Timeframe in which the cluster was first and last seen
G. The detector name and data source
H. The data source tag added to the data flow involved in this cluster. Learn more here.
I. Triage Booster, displays the amount of time and effort saved by triaging leads in a clustered methodology, compared to a lead-by-lead basis
J. A sub-cluster, based on WHERE the action in the lead happened or WHO it happened to. In other words, the context in which the threat occurred.
K. A lead

On the SOC Queue


You can currently use the SOC Queue to view leads in 2 viewing methods: Clustered and Unclustered.

To use the clustered view, switch the view toggle to Clustered. You can also adjust the timeframe filter to include older Alerts that will be clustered, and use the sort and filter options to customize the queue as needed.


After switching to the Clustered view, you will see all clusters based on the selected timeframe and filters applied. Each cluster row includes the following items:


A. The cluster risk score.

📘 How is it calculated?

To stay on the safe side, the cluster risk score is the most severe risk score in the cluster.

B. The WHAT or WHO detected by the leads in this cluster
C. The current status of the cluster

📘 How is this calculated?

The cluster status is an aggregative view of the statuses within the cluster. This means that if all leads are Open, the cluster status will also be Open. If some leads are open and some are WIP, the cluster status will show both statuses, etc.

D. The number of leads in this cluster, based on the timeframe selected. In parentheses you’ll find the total number of leads from the past 30 days, regardless of the selected timeframe.
E. Quick link to open a sample lead that was recently added to the cluster
F. Timeframe in which the cluster was first and last seen
G. The detector name and data source
H. The data source tag added to the data flow involved in this cluster. Learn more here.
I. Triage Booster, displays the amount of time and effort saved by triaging leads in a clustered methodology, compared to a lead-by-lead basis
J. A sub-cluster, based on WHERE the action in the lead happened or WHO it happened to. In other words, the context in which the threat occurred.
K. A lead

📘 Note

The information presented in the cluster row is limited by any applied filters.

🚀 About the Triage Booster

Working with threat clustering improves your efficiency and reduces time spent on triage and investigation. The Triage Booster panel in the SOC Queue shows how much effort and time you are saving by triaging clusters rather than individual leads.


How is this calculated?

  • Efficiency boost - this metric is based on the ratio between the number of clusters and the number of leads in the selected timeframe: 1 - (Count of Clusters / Count of Leads)

  • Time saved - this metric is based on an estimated triage time of 15 minutes per lead and the difference between the number of leads and the number of clusters in the selected timeframe: Time to triage one lead (15 minutes) * (Count of Leads - Count of Clusters)
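The following Python script is an added example (not part of this article or of the Hunters platform) that reproduces the cluster-row aggregation rules described above (risk score = most severe lead, status = every status present, lead count within the timeframe with the 30-day total in parentheses, first/last seen) together with the Triage Booster formulas. The lead record fields and the sample leads are constructed assumptions, not the platform's export schema; the script is useful for sanity-checking the numbers you see in the SOC Queue against an exported lead list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Lead:
    # Constructed lead record; field names are assumptions, not Hunters' schema.
    cluster: str       # the WHAT or WHO the detector keyed the cluster on
    risk: int          # lead risk score
    status: str        # "Open", "WIP", ...
    seen: datetime     # when the lead was detected

NOW = datetime(2024, 6, 30)
SAMPLE_LEADS = [  # constructed sample data
    Lead("encoded PowerShell on host-a", 85, "Open", NOW - timedelta(days=1)),
    Lead("encoded PowerShell on host-a", 60, "WIP", NOW - timedelta(days=3)),
    Lead("encoded PowerShell on host-a", 40, "Open", NOW - timedelta(days=20)),
    Lead("new local admin on host-b", 70, "Open", NOW - timedelta(days=2)),
]

def cluster_rows(leads, timeframe_days, now=NOW):
    """Build one row per cluster: risk = most severe lead in the timeframe (A),
    status = every distinct lead status (C), lead count in the timeframe plus
    the 30-day total shown in parentheses (D), first/last seen (F)."""
    start, start_30d = now - timedelta(days=timeframe_days), now - timedelta(days=30)
    rows = {}
    for lead in leads:
        if not start_30d <= lead.seen <= now:
            continue  # older than 30 days: counted nowhere
        row = rows.setdefault(lead.cluster, {"risk": 0, "status": set(), "count": 0,
                                             "count_30d": 0, "first_seen": None, "last_seen": None})
        row["count_30d"] += 1
        if lead.seen < start:
            continue  # inside 30 days but outside the selected timeframe
        row["count"] += 1
        row["risk"] = max(row["risk"], lead.risk)      # "to stay on the safe side"
        row["status"].add(lead.status)
        row["first_seen"] = min(filter(None, (row["first_seen"], lead.seen)))
        row["last_seen"] = max(filter(None, (row["last_seen"], lead.seen)))
    # a cluster with no lead inside the timeframe does not appear in the view
    return {name: row for name, row in rows.items() if row["count"] > 0}

def triage_booster(lead_count, cluster_count, minutes_per_lead=15):
    """Efficiency boost = 1 - clusters/leads; time saved = 15 min * (leads - clusters)."""
    if lead_count == 0:
        return 0.0, 0           # avoid division by zero on an empty timeframe
    return 1 - cluster_count / lead_count, minutes_per_lead * (lead_count - cluster_count)

if __name__ == "__main__":
    rows = cluster_rows(SAMPLE_LEADS, timeframe_days=7)
    for name, row in rows.items():
        print(f"{row['risk']:>3} {name}: {row['count']} ({row['count_30d']}) {sorted(row['status'])}")
    print(triage_booster(sum(r["count"] for r in rows.values()), len(rows)))
```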