Each lead contains attributes. Attributes are elements of a lead, and hold information regarding that lead, whereby that information is used to understand what took place as part of the lead, as well as for automatic investigation (i.e. Drilldowns) to be run as part of the pipeline. An attribute may sometimes also be referred to as an Entity, usually when referring to correlations on the Hunters Graph - since in effect, every lead attribute serves on an entity and is inserted onto the graph, then being used for correlation.
For example, as seen below - a lead for the Detector PowerShell Outgoing Connection with New Commandline contains the hostname of the related device, along with the IP address of that device at the same same time, the domain name that was requested, the requested domain’s IP address, and more.
Each attribute is comprised of three different fields:
Kind (e.g., ip)
Name (e.g., local_ip)
Value (e.g., 10.0.0.1)
A Drilldown is an single automatic investigation that in simple terms “asks a question, and fetches the answer for it”. There are hundreds of different drilldowns, and each is set to run on a specific kind. Some Drilldowns run on kind IP, while some on other kinds like Hostname or Domain.
An asset tag is a piece of knowledge about a certain attribute or entity, and can be leveraged during the investigation process.
Tags are created in three different ways:
Manual tagging - using the Hunters UI
ITAM-based tagging - if your organization is using an asset management platform that is supported by Hunters, the knowledge about the assets there can be integrated in the Hunters platform
Automatic data-driven tagging - out-of-the-box detections of certain assets by Hunters. For example, EDR data is used to automatically detect Domain Controllers so you don’t need to manually tag them.
Each tag also contains a sensitivity level that is used as part of the investigation, so for example leads on Domain Controllers will receive a higher-than-usual score, while leads that occurred in a cloud “lab account” can receive a lower-than-usual score.
After the extraction and enrichment of all attributes and entities in the lead, each lead receives a score ranging from 0-100,.
The score is based on all of the information accumulated from the lead’s auto-investigation, and is calculated in layers.
The first layer is the detector-specific scoring model. Each detector has a scoring model based on its attributes and investigation flow, with the most basic model being simply the detector’s average confidence and maliciousness, and the more advanced models containing complex heuristics over the lead’s attributes.
The other layers are generic scoring layers that modify the detector’s base score.
For example, the “Organizational Known IP” scoring layer receives as input IP addresses that were part of the lead, and specifies if they are known IP addresses commonly used by the organization, and alters the final score accordingly.