The second stage of the Hunters XDR pipeline is real-time detection of threat signals ingested into your security data lake. The Detection Engine is responsible for this stage, using a library of hundreds of detection analytics called Detectors.
There are many different types of detectors: some utilize alerts from other security products (referred to as Native Alerts), some search for specific TTPs over the raw security data, others utilize Machine Learning for anomaly detection, and more.
A detector is a piece of logic that aims to detect a specific type of suspicious activity.
Some detectors are rule-based and detect TTPs in the raw security data, while other detectors leverage third-party alerts from EDR, IDS, Cloud Security products and more.
In addition, there are Machine Learning detectors that utilize UEBA and anomaly detection to find suspicious signals, and Threat Intelligence detectors that perform continuous IOC scanning over the raw security data.
Hunters XDR comes with a continuously growing out-of-the-box library of hundreds of detectors, along with the ability to add your own custom detectors.
A lead is a specific threat signal generated by a detector.
Some detectors are very high-fidelity, and each lead they generate most likely signifies a security incident, while the “noisier” detectors can generate tens or even hundreds of leads a month and are commonly used for proactive threat hunting rather than for hermetic triage.
As described in the Key Concepts section above, each lead is automatically investigated and receives a score between 0-100.
A hot lead is a lead that received a score higher than 80 and therefore has a high probability of signifying real malicious activity that should be treated as a security incident.
An alert is a lead that indicates a security alert.
It is recommended to include alerts as part of the organizational Security Operations workflow (unlike other leads, which are often used mainly for threat hunting purposes).
By default, all leads that originate from third-party alerts (e.g. EDR detections) are configured as alerts, as are leads from selected Hunters detectors that received a high score.
The alerting threshold is configurable and can be adjusted according to your triage workflows.
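As an added illustration (not Hunters' own code or detector logic), the following Python sketch shows how a rule-based detector such as Commandline with Suspicious PowerShell Flags could emit a lead with attributes from a process event, and how the hot-lead and alerting rules above apply to the score the automatic investigation assigns. The set of suspicious PowerShell flags, the event fields, the `source` values and the per-detector alerting list are assumptions, since the page does not specify them.

```python
import shlex
from dataclasses import dataclass, field
# Assumed flag set (the page does not list which flags the detector checks): commonly
# abused PowerShell parameters, keyed by the abbreviations PowerShell itself accepts.
FLAG_ALIASES = {"EncodedCommand": {"-e", "-ec", "-enc", "-encodedcommand"},
                "NoProfile": {"-nop", "-noprofile"}}
# Parameters that are suspicious only together with a specific value.
VALUED_FLAGS = {"WindowStyle": ({"-w", "-win", "-windowstyle"}, {"hidden"}),
                "ExecutionPolicy": ({"-ep", "-ex", "-exec", "-executionpolicy"}, {"bypass", "unrestricted"})}
DETECTOR = "Commandline with Suspicious PowerShell Flags"

@dataclass
class Lead:
    detector: str
    source: str                 # assumed: "hunters" (rule over raw data) or "native" (third-party alert)
    attributes: dict = field(default_factory=dict)
    score: int = 0              # 0-100, filled in later by the automatic investigation

def suspicious_powershell_flags(cmdline):
    """Return the suspicious PowerShell parameters present in a process command line."""
    try:
        tokens = [t.lower().strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: fall back to a plain whitespace split
        tokens = cmdline.lower().split()
    if not tokens or not tokens[0].endswith(("powershell.exe", "pwsh.exe", "powershell")):
        return []                # only PowerShell command lines are in scope for this detector
    found = []
    for i, tok in enumerate(tokens):
        found += [name for name, aliases in FLAG_ALIASES.items() if tok in aliases]
        for name, (aliases, values) in VALUED_FLAGS.items():
            if tok in aliases and i + 1 < len(tokens) and tokens[i + 1] in values:
                found.append(f"{name}={tokens[i + 1]}")
    return found

def detect(event):
    # Rule-based detector: emit a lead (or None) for one process-creation event.
    flags = suspicious_powershell_flags(event["cmdline"])
    if not flags:
        return None
    return Lead(DETECTOR, "hunters", {"hostname": event["host"], "user": event["user"],
                                      "cmdline": event["cmdline"], "flags": flags})

def is_hot_lead(lead):
    return lead.score > 80      # hot lead: score higher than 80

def is_alert(lead, alerting_threshold=80, alerting_detectors=frozenset({DETECTOR})):
    """Native leads are alerts by default; selected Hunters detectors alert from the configurable threshold up."""
    return lead.source == "native" or (lead.detector in alerting_detectors and lead.score >= alerting_threshold)

# Constructed sample events (not real telemetry); "ZQBjAGgAbwA=" is just "echo" in UTF-16LE base64.
EVENTS = [{"host": "ws-17", "user": "jdoe", "cmdline": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="},
          {"host": "ws-17", "user": "jdoe", "cmdline": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\scripts\backup.ps1"'},
          {"host": "srv-02", "user": "svc", "cmdline": "cmd.exe /c whoami -enc"}]
```

Lowering `alerting_threshold` routes more Hunters-generated leads into the alert workflow; raising it keeps them as hunting material only.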
Below is an example of a lead generated by the analytic Commandline with Suspicious PowerShell Flags.
On the left-hand side of the lead are the attributes of the lead and their kinds. To the right of the attribute names and kinds are the actual values of the attributes.
A lead can have many different attributes. Below is the complete list of lead attributes that were part of the lead presented in the example.