Understanding Huntress Investigations
We use tons of automation within Huntress to identify legitimate and malicious persistent applications. Despite all the fancy algorithms, machine learning, and other tricks up our sleeve, sometimes automation fails to make a clear distinction between malicious and benign activity. Rather than send false positives to our partners, Huntress Threat Analysts (humans!) step in and perform manual investigations to provide additional scrutiny on potentially malicious footholds and to verify the authenticity of installed software.
During an investigation, a forensics expert will analyze the Autorun to determine the correct classification for the persistence mechanism and binary. When an analysis is complete, the analyst will resolve the investigation and—depending on what was found—may change the classification to reflect its actual status.
Which Host did Huntress Analysts Investigate?
At the moment, we don't track or show which hosts an investigation applies to. However, we're currently experimenting with new designs that will display this data. Curious why?
Investigations are performed against all of our partners' normalized data. As a result, a single investigation often applies to dozens of Huntress accounts, organizations, and the agents within them. This host-agnostic investigation benefits the entire Huntress community rather than a single host. When Huntress analysts close an investigation, our software looks up every Huntress account/organization that is impacted by the investigation and links the investigation to the dashboard (but not to the specific hosts).
We've since learned that our partners care about which host an investigation applies to, so we're knee deep in the development of this improvement =)
What Happens when an Investigated Autorun is Malicious?
If the result of an investigation changes the classification of an Autorun to malicious, a new infection report will be created for every host that has the malicious Autorun. Once the infection report is completed, it will be delivered as an incident report through your configured integrations (see Managing Huntress Integrations).
Where will I see Investigations for My Organization?
You can see the current number of resolved investigations for your organization on the Organization Dashboard. You will also see the number of investigations started and resolved in the weekly and monthly summary emails.