Overview
The auto-investigation process kicks in after the core lead is created during the Detection phase. This process takes the basic lead and enriches it with extra layers of information, including entities, attributes, enrichments, risk score, and more.
The Automatic Investigation process provides extensive security context through cross-correlation and Enrichment of the data. This way, analysts can skip most of the manual investigation work and look at a complete incident picture that’s easy to understand, triage, and act upon at a dramatically accelerated pace.
As part of this phase, you will encounter the following terms:
Entities
During the auto-investigation process, the lead is analyzed to identify the entities involved in the event (the WHO, WHAT, and WHERE), for instance the involved employee, SaaS resource, or process.
Attributes
Each entity, as well as the lead itself, has attributes used to describe the event in the lead, for instance: domain: hunters.ai, or remote_ip: 10.0.0.1. A lead or entity can have many attributes.
Enrichment
Extra information added to the lead using peripheral data analysis and additional resources. For instance, the geolocation of an involved IP address or the Okta user details of the user involved in the event. Each lead will show a different set of enrichment items, based on the Detector it originates from.
Activity
Extra information added to the lead, focusing on what happened to/on the entity in the time frame close to the event creation. Each lead will show a different set of activity items, based on the detector it originates from.
Risk score
As part of the auto-investigation process, each lead is analyzed and assigned a risk score, which aims to assess how critical and how probable the risk is. The risk score is calculated from two values, Confidence and Severity, and is further shaped by risk-scoring rules and logic.
Confidence
The likelihood of the security event being malicious.
Severity
The potential impact and damage of the security event on the organization, if the event is indeed malicious.
Custom scoring
Risk scoring rules you can create on your own, which will affect the final risk score of your leads.
Alert
An alert is a lead that has reached a certain risk threshold and is deemed suspicious enough to be reviewed by a member of the security team. Alerts appear on the SOC Queue page.
Threat clustering
A method of inspecting and triaging leads that groups similar leads into clusters and investigates each cluster as a whole, as opposed to working on a lead-by-lead basis.
How does it work?
The Automatic Investigation process relies on the availability of data from multiple data sources. This presents a challenge, since some data might not be available yet when the lead is generated. Furthermore, some of the advanced Automatic Investigation logic provided out of the box looks for activity that, by definition, happens only after the original event.
For instance, when a potentially malicious process is detected, Hunters collects data on the actions taken by the process after its initial execution, looking for clues such as dropped suspicious files or network connections that may suggest a backdoor or exfiltration activity.
To speed up the investigation process, we have split the Automatic Investigation process into two phases:
- Rapid Automatic Investigation - This initial investigation for rapid attack scoping takes only a few minutes to complete and provides analysts with a basic framework and details of the possible threat.
- Advanced Automatic Investigation - On top of the initial basic layer of information, Hunters provides a deep analysis of how the threat evolves inside the organization, information that does not yet exist at the time of detection, such as the execution tree of a suspicious process, its network connections, or the behavior of a compromised user. This layer takes up to an hour to complete, as it requires following the progression of the threat and connecting both layers of information to provide the full picture.
Depending on the availability of data, in some extreme cases, advanced investigations can take up to two hours.
By separating the process into phases, the system is able to provide first data points about the possible threat within minutes, allowing analysts to perform an initial inquiry into the threat while the system continues to enrich this entity with data from across your attack surface to provide greater context and understanding.
With the newly released Rapid Automatic Investigation step in the full investigation process, we will further support smart prioritization of alerts and incidents, and continue reducing the redundant manual work in the triage and investigation phases.
On the Hunters platform
In the initial phase of lead creation, the lead is simply a collection of attributes and their values.
In the second phase of the lead creation process, the automatic investigation process kicks in. The investigation phase is responsible for the curation and prioritization of the threat signals. It extracts the entities involved in the lead, enriches those entities with additional information from many different data sources, and then generates automatic risk scoring and prioritization based on deep analysis of the lead and its entities.
This is what a lead looks like after the automatic investigation process.
The lead summary page contains the main entities involved in the lead, and the final risk score assigned for this lead. We can also see the different scoring models that contributed to the final risk score.
Below we can see a specific entity that was created during the automatic investigation process. Some of the entity's attributes (like the IP address) came from the original lead, while some were enriched from external sources.
For example, the lead's geographical context came from a global IP info datasource, and the IP was also searched in Azure AD activity, in order to provide additional context about the signal - was the IP seen interacting only with AWS, or also with other organizational applications?
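As an added illustration, not Hunters' own code or scoring logic, the walk-through above modelled in Python: the lead's raw attributes become entities, the IP entity is enriched from a constructed IP-info table and checked against constructed Azure AD sign-in activity, and a risk score is derived from Confidence and Severity plus one custom scoring rule before being compared against an alert threshold. The score formula, the threshold, the rule and all sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the datasources named on the page
# (a global IP-info feed and Azure AD sign-in activity). Not real Hunters data.
IP_INFO = {"203.0.113.7": {"country": "NL", "asn": "AS64500 (hosting)"}}
AZURE_AD_SIGNINS = [
    {"ip": "203.0.113.7", "user": "alice", "app": "Office 365"},
    {"ip": "198.51.100.2", "user": "bob", "app": "Office 365"},
]
ALERT_THRESHOLD = 60  # assumed: leads scoring at or above this become alerts

@dataclass
class Entity:
    kind: str                   # the WHO / WHAT / WHERE, e.g. "ip" or "user"
    attributes: dict            # values carried over from the original lead
    enrichment: dict = field(default_factory=dict)   # from external sources
    activity: list = field(default_factory=list)     # cross-source sightings

def extract_entities(lead: dict) -> list:
    """Turn the lead's flat attribute set into the entities it involves."""
    ents = []
    if "remote_ip" in lead:
        ents.append(Entity("ip", {"address": lead["remote_ip"]}))
    if "user" in lead:
        ents.append(Entity("user", {"name": lead["user"]}))
    return ents

def enrich(entity: Entity) -> Entity:
    """Add geographical context and Azure AD activity to an IP entity."""
    if entity.kind == "ip":
        ip = entity.attributes["address"]
        entity.enrichment = IP_INFO.get(ip, {})
        # Was the IP seen only with the original source, or with other org apps too?
        entity.activity = [s for s in AZURE_AD_SIGNINS if s["ip"] == ip]
    return entity

def hosting_asn_rule(entities: list) -> int:
    """Assumed custom scoring rule: +15 when the IP sits in a hosting ASN."""
    return 15 if any("hosting" in e.enrichment.get("asn", "") for e in entities) else 0

def risk_score(confidence: int, severity: int, entities: list, rules) -> int:
    """Assumed formula: confidence and severity on 0-100 scales, combined as a
    product, then adjusted by custom rules and clamped to 0-100."""
    score = round(confidence * severity / 100) + sum(r(entities) for r in rules)
    return max(0, min(100, score))

def investigate(lead: dict, confidence: int, severity: int, rules=(hosting_asn_rule,)):
    """Rapid investigation of one lead: entities -> enrichment -> score -> alert?"""
    entities = [enrich(e) for e in extract_entities(lead)]
    score = risk_score(confidence, severity, entities, rules)
    return {"entities": entities, "risk_score": score, "is_alert": score >= ALERT_THRESHOLD}
```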
📘 Learn more
Read more about the results of the automatic investigation process: