Detection Engine

The second stage of the Hunters XDR pipeline is real-time detection of threat signals in the data ingested into your security data lake. The Detection Engine is responsible for this stage, using a library of hundreds of detection analytics called Detectors.
There are many types of detectors: some use alerts from other security products (referred to as Native Alerts), some search for specific TTPs over the raw security data, others use Machine Learning for anomaly detection, and more.

Detector

A detector is a piece of logic that aims to detect a specific type of suspicious activity.
Some detectors are rule-based and detect TTPs in the raw security data, while others leverage third-party alerts from EDR, IDS, Cloud Security products and more.
In addition, there are Machine Learning detectors that use UEBA and anomaly detection to find suspicious signals, and Threat Intelligence detectors that continuously scan the raw security data for IOCs.
Hunters XDR ships with a library of hundreds of out-of-the-box detectors that is continuously growing, and you can add your own custom detectors.

Lead

A lead is a specific threat signal generated by a detector.
Some detectors are very high-fidelity: almost every lead they generate signifies a security incident. The "noisier" detectors can generate tens or even hundreds of leads a month and are commonly used for proactive threat hunting rather than for hermetic triage.

Hot Lead

As described in the Key Concepts section above, each lead is automatically investigated and receives a score between 0 and 100.
A hot lead is a lead that received a score higher than 80 and therefore has a high probability of signifying real malicious activity; it should be treated as a security incident.

Alert

An alert is a lead that is raised as a security alert.
It is suggested to include alerts in the organizational Security Operations workflow (unlike other leads, which are often used mainly for threat hunting).
By default, all leads that originate from third-party alerts (e.g. EDR detections) are configured as alerts, as are leads from selected Hunters detectors that received a high score.
The alerting threshold is configurable and can be adjusted according to your triage workflows.

Lead Example

Below is an example of a lead from the analytic Commandline with Suspicious PowerShell Flags.

On the left-hand side of the lead are the attribute names and their kinds; to the right of the names and kinds are the actual values of the attributes.

A lead can have many different attributes. Below is the complete list of lead attributes that were part of the lead presented in the example.

Name (Kind) | Value
--- | ---
agent_id (agent_id) | ffedcac34a6a49493f32aaa1c428272a
data_type (data_type) | crowdstrike-raw-events
device_name (hostname) | Null
device_platform (str) | WINDOWS
agent_source_pid (cs_pid) | 3666611521121
windows_user_sid (windows_user_sid) | S-1-5-21-1005550150-511333441-1544361121-8103
event_simple_name (str) | ProcessRollup2
generic_event_type (str) | create_process
parent_process_uid (agent_pid) | Null
target_process_uid (agent_pid) | 3661136641531
windows_session_id (str) | 3
parent_process_name (binary_name) | wscript.exe
parent_process_path (binary_path) | Null
target_process_name (binary_name) | powershell.exe
target_process_path (binary_path) | \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
specific_source_type (specific_source_type) | crowdstrike_raw_events
parent_process_os_pid (raw_pid) | Null
target_process_os_pid (raw_pid) | 7341
initiating_process_uid (agent_pid) | 3666611521121
initiating_process_name (binary_name) | powershell.exe
initiating_process_path (binary_path) | Null
parent_process_username (os_username) | Null
target_process_username (os_username) | Null
agent_external_ip_address (ip) | 13.3.2.54
initiating_process_os_pid (raw_pid) | Null
parent_process_commandline (commandline) | Null
parent_process_hash_sha256 (hash_sha256) | Null
target_process_commandline (commandline) | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
target_process_hash_sha256 (hash_sha256) | 908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53
initiating_process_username (os_username) | Null
parent_process_creation_time (timestamp) | Null
target_process_creation_time (timestamp) | Null
initiating_process_commandline (commandline) | Null
initiating_process_hash_sha256 (hash_sha256) | Null
initiating_process_creation_time (timestamp) | Null
parent_process_windows_integrity (str) | Null
target_process_windows_integrity (str) | Medium
initiating_process_windows_integrity (str) | Null
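To show the kind of logic behind an analytic such as Commandline with Suspicious PowerShell Flags, here is an added Python example (not Hunters' own detector code, whose logic this page does not publish) that evaluates a create_process event built from the lead attributes above. The sample event is constructed from the table; the parameter and alias lists, the script-host and world-writable-directory lists, the trait labels and all function names are assumptions.

```python
import shlex
# Constructed sample, copied from the lead attributes shown on this page.
SAMPLE_EVENT = {
    "parent_process_name": "wscript.exe",
    "target_process_name": "powershell.exe",
    "target_process_commandline": '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                                  "-windo 1 -noexit -exec bypass -file C:\\Users\\Public\\Microsoft.ps1",
}
# powershell.exe accepts any unambiguous prefix of a parameter ("-windo" is -WindowStyle,
# "-exec" is -ExecutionPolicy) and a few short forms, so resolve prefixes, not literal strings.
PARAMS = ["windowstyle", "executionpolicy", "encodedcommand", "noprofile",
          "noninteractive", "nologo", "noexit", "command", "file"]
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
           "ep": "executionpolicy", "w": "windowstyle", "c": "command", "f": "file"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}                          # assumed list
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")  # assumed list

def canonical(name):
    """Resolve a possibly abbreviated parameter name; None if unknown or ambiguous."""
    name = name.lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [p for p in PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None

def parse_flags(commandline):
    """Map canonical parameter names to their values ('' for bare switches)."""
    tokens = shlex.split(commandline, posix=False)[1:]  # drop the executable path
    flags = {}
    for i, tok in enumerate(tokens):
        if tok[0] in "-/":  # powershell.exe accepts either prefix character
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            canon = canonical(tok[1:])
            if canon:
                flags[canon] = "" if nxt[0] in "-/" else nxt
    return flags

def evaluate_event(event):
    """Return the suspicious traits of a create_process event (empty if none)."""
    if event.get("target_process_name", "").lower() != "powershell.exe":
        return []
    f = {k: v.lower() for k, v in parse_flags(event.get("target_process_commandline", "")).items()}
    checks = [
        ("hidden window", f.get("windowstyle") in {"hidden", "1"}),
        ("execution policy bypass", f.get("executionpolicy") in {"bypass", "unrestricted"}),
        ("encoded command", "encodedcommand" in f),
        ("script in a world-writable directory", f.get("file", "").startswith(PUBLIC_DIRS)),
        ("spawned by a script host", event.get("parent_process_name", "").lower() in SCRIPT_HOSTS),
    ]
    return [label for label, hit in checks if hit]
```

Run against the sample event, the function reports four traits (hidden window, execution policy bypass, script in a world-writable directory, spawned by a script host), which is the evidence a triage analyst would weigh when deciding whether this lead becomes a hot lead.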