About Leads

Overview

A lead refers to a potential security incident or threat that has been identified through security monitoring activities or other sources of security intelligence.

Hunters runs a growing list of Detectors on your raw data, each of which looks for a specific suspicious action in your environment, such as execution of critical processes or access to sensitive files. When a detector identifies such an action, a lead is created.

💡 Where can you find leads?

All detected leads appear on the Leads page (Threat Hunting > Leads); only the critical ones become an Alert and also appear on the SOC Queue page (Security Operations > SOC Queue).

Lead maturity process

In the initial phase of lead creation, the lead is simply a collection of attributes and their values.




In the second phase of the lead creation process, the automatic investigation process kicks in. The investigation phase is responsible for the curation and prioritization of the threat signals. It extracts the entities involved in the lead, enriches those entities with additional information from many different data sources, and then generates automatic risk scoring and prioritization based on deep analysis of the lead and its entities.


This is what a lead looks like after the automatic investigation process.

The lead summary page contains the main entities involved in the lead, and the final risk score assigned for this lead. We can also see the different scoring models that contributed to the final risk score.




Below we can see a specific entity that was created during the automatic investigation process. Some of the entity's attributes (such as the IP address) came from the original lead, while others were enriched from external sources.
For example, the lead's geographical context came from a global IP info datasource, and the IP was also searched in Azure AD activity to provide additional context about the signal: was the IP seen interacting only with AWS, or also with other organizational applications?
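The maturity process described above (a flat attribute bag, then entity extraction, enrichment from external sources, and a final risk score assembled from several scoring models) is easier to reason about with a concrete model. The following is an added example and is not Hunters' code: the detector name, the IP info and Azure AD lookup tables, the scoring models and their weights are all constructed for illustration.

```python
"""Toy model of a lead maturing through automatic investigation.

Added example, not Hunters' own code. The data sources, detector name,
scoring models and weights below are hypothetical and constructed here.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for the global IP info datasource and the Azure AD
# activity search mentioned on the page; values are made up for this example.
IP_INFO = {
    "203.0.113.10": {"country": "NL", "asn": "AS64500 hosting"},
    "198.51.100.7": {"country": "US", "asn": "AS64501 corporate isp"},
}
AZURE_AD_APPS_SEEN = {
    "198.51.100.7": {"Office 365", "Salesforce"},
}
# Hypothetical detector name with a base score contributed by the detector itself.
DETECTOR_BASE_SCORE = {"aws_critical_api_call": 40}


@dataclass
class Entity:
    kind: str
    value: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Lead:
    detector: str
    attributes: dict                      # phase 1: just attributes and values
    entities: list = field(default_factory=list)
    score_breakdown: dict = field(default_factory=dict)
    risk_score: int = 0


def extract_entities(lead: Lead) -> None:
    """Pull typed entities out of the raw lead attributes."""
    if "source_ip" in lead.attributes:
        lead.entities.append(Entity("ip", lead.attributes["source_ip"]))
    if "user" in lead.attributes:
        lead.entities.append(Entity("user", lead.attributes["user"]))


def enrich_entities(lead: Lead) -> None:
    """Add context to each IP entity from the (constructed) external sources."""
    for ent in lead.entities:
        if ent.kind != "ip":
            continue
        ent.attributes.update(IP_INFO.get(ent.value, {}))
        # Which organizational applications, other than AWS, has this IP been seen on?
        ent.attributes["other_apps"] = sorted(AZURE_AD_APPS_SEEN.get(ent.value, set()))


def score_lead(lead: Lead) -> int:
    """Combine several hypothetical scoring models into one 0-100 risk score,
    keeping each model's contribution so the summary can show it."""
    models = {"detector_base": DETECTOR_BASE_SCORE.get(lead.detector, 10)}
    for ent in lead.entities:
        if ent.kind != "ip":
            continue
        if "hosting" in ent.attributes.get("asn", "").lower():
            models["hosting_asn"] = 30
        # An IP seen only against AWS, never against other organizational apps,
        # carries more risk than one users routinely sign in from.
        models["aws_only_ip"] = 25 if not ent.attributes["other_apps"] else 0
    lead.score_breakdown = models
    lead.risk_score = min(100, sum(models.values()))
    return lead.risk_score


def investigate(lead: Lead) -> Lead:
    """Phase 2 of the maturity process: extract, enrich, score."""
    extract_entities(lead)
    enrich_entities(lead)
    score_lead(lead)
    return lead


if __name__ == "__main__":
    raw = Lead("aws_critical_api_call", {"source_ip": "203.0.113.10", "user": "alice"})
    investigate(raw)
    print(raw.risk_score, raw.score_breakdown)
```

Running it with the hosting-provider IP that Azure AD has never seen yields a high score with three contributing models; the corporate IP that also signs in to other applications keeps only the detector's base score, which is the distinction the Azure AD search is meant to surface.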

