Summary: Huntress Security Operations Center (SOC) Analysts perform manual investigations to analyze suspicious security signals that automation cannot classify on its own.
The Huntress Platform primarily leverages automation to identify suspicious events across the data sources the platform ingests, which include but are not limited to: autoruns, running processes, Microsoft Defender detections, monitored canary files, Microsoft 365 logins and email rules. In addition to automated detection technology, the Huntress SOC also conducts human-powered threat hunts to identify shady hacker tradecraft.
Despite our advanced algorithms and detection technology, sometimes automation cannot make a clear determination of whether the activity is malicious or benign. When this happens, Huntress SOC Analysts step in and perform manual investigations to determine malice, which significantly reduces false positive reporting.
If malice is found after an investigation is conducted, an Incident Report is sent with summary information and steps to remediate. If the user or endpoint activity is deemed legitimate, we close out the alert on your behalf with an investigated Signal that details the reason why no report was generated.
Investigation Outcomes
An investigation will result in one of two outcomes:
- An Incident Report is created if the Signal Investigated is deemed malicious in nature.
- A closed signal is listed in the Huntress portal with a contextual reason as to why the signal was benign in nature and did not need to be reported to your team.
Where will I see Investigations for My Organization?
Signals Investigated can be viewed in a variety of locations in the platform. The Command Center is a great place to get a quick overview of the number of Events Analyzed by the platform and the Signals Investigated from those events. If you want to learn more about the details of a SOC investigation that did not lead to a reported incident, head on over to the "accounts / signals" page for details of the events and context as to why they were not reported as an incident.
What are Context Reasons?
In cases where no incident report is generated, the Huntress SOC will provide investigation context to explain why a given signal was closed and not reported. Below are the possible context values and what they mean:
- Pen-testing: This signal was generated by known pen-testing at the partner organization.
- Business Accepted Risk: This signal was generated by system behavior whose risks an administrator of this organization had previously acknowledged and accepted.
- False Positive: After a thorough analysis, this signal was determined to be a false positive. If these signals recur, the Huntress Security Operations Center will suppress them from triage until Detection Engineering can refine the detection logic so that it no longer generates these signals.
- Benign True Positive: This signal was generated correctly due to system behavior; however, analysis indicates the activity is benign/non-malicious in nature.
- Previously Reported: The Huntress Security Operations Center previously reported this behavior. This signal was closed to prevent duplicate incident reports.
- Malware Artifact: This signal was generated by artifacts from a past infection which is no longer active. This is not considered an operational risk.
- Backup File: This signal was generated by a file that was backed up which could contain malicious indicators. However, because the file was not executed, there is no perceived operational risk.
- Agent uninstalled: The Huntress agent has been uninstalled. As this endpoint was most likely re-imaged, the signal was closed out. If you believe the agent was uninstalled due to nefarious activity, contact Huntress Support and a SOC analyst will investigate.
- Legacy Autorun Investigation: This signal was closed automatically through a legacy autorun investigation workflow that did not require a context value to be set. If you have questions, contact Huntress Support.
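The two investigation outcomes and the context values above can be checked mechanically once you export your signals. The following is an added example, not Huntress platform code: it assumes a hypothetical `Signal` record with a detection name, a host or user, an outcome of "incident" or "closed", and a closure context, and it runs over a constructed sample. It validates that every closed signal carries one of the listed context values, builds a Command Center style tally, lists detections that have been closed as False Positive often enough to be suppression candidates, and confirms that each "Previously Reported" closure really has an earlier incident for the same detection on the same host.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The closure context values listed in the article.
CONTEXT_REASONS = frozenset({
    "Pen-testing",
    "Business Accepted Risk",
    "False Positive",
    "Benign True Positive",
    "Previously Reported",
    "Malware Artifact",
    "Backup File",
    "Agent uninstalled",
    "Legacy Autorun Investigation",
})


@dataclass(frozen=True)
class Signal:
    """Hypothetical exported signal record (assumed shape, not a Huntress schema)."""
    signal_id: str
    detection: str          # hypothetical detection rule name that fired
    host: str               # endpoint or identity the signal relates to
    outcome: str            # "incident" (report sent) or "closed" (investigated, no report)
    context: Optional[str]  # closure context; None when an Incident Report was sent


# Constructed sample data; rule names and hosts are made up for illustration.
SAMPLE_SIGNALS: List[Signal] = [
    Signal("sig-001", "autorun_unsigned_dll", "ws-01", "closed", "False Positive"),
    Signal("sig-002", "autorun_unsigned_dll", "ws-07", "closed", "False Positive"),
    Signal("sig-003", "m365_inbox_rule_forward", "user-a", "incident", None),
    Signal("sig-004", "m365_inbox_rule_forward", "user-a", "closed", "Previously Reported"),
    Signal("sig-005", "defender_detection", "ws-03", "closed", "Backup File"),
    Signal("sig-006", "canary_file_touch", "srv-02", "closed", "Pen-testing"),
    Signal("sig-007", "autorun_unsigned_dll", "ws-09", "closed", "Benign True Positive"),
    Signal("sig-008", "process_lsass_access", "ws-11", "closed", "Typo Reason"),
    Signal("sig-009", "process_lsass_access", "ws-12", "closed", "Previously Reported"),
]


def invalid_signals(signals: List[Signal]) -> List[str]:
    """Ids of records that violate the two-outcome model: a closed signal must carry
    one of the known context values, and an incident carries none."""
    bad = []
    for s in signals:
        if s.outcome == "closed" and s.context not in CONTEXT_REASONS:
            bad.append(s.signal_id)
        elif s.outcome == "incident" and s.context is not None:
            bad.append(s.signal_id)
    return bad


def summarize(signals: List[Signal]) -> Dict[str, object]:
    """Command Center style overview: signals investigated, reports sent, closures by context."""
    closed = [s for s in signals if s.outcome == "closed"]
    return {
        "signals_investigated": len(signals),
        "incident_reports": sum(1 for s in signals if s.outcome == "incident"),
        "closed": len(closed),
        "by_context": dict(Counter(s.context for s in closed)),
    }


def suppression_candidates(signals: List[Signal], threshold: int = 2) -> List[str]:
    """Detections closed as False Positive at least `threshold` times: these are the
    recurring signals the article says get suppressed until the logic is refined."""
    fp = Counter(s.detection for s in signals
                 if s.outcome == "closed" and s.context == "False Positive")
    return sorted(d for d, n in fp.items() if n >= threshold)


def unsupported_previously_reported(signals: List[Signal]) -> List[str]:
    """'Previously Reported' closures with no earlier incident for the same
    detection on the same host; worth a question to support."""
    reported = {(s.detection, s.host) for s in signals if s.outcome == "incident"}
    return [s.signal_id for s in signals
            if s.context == "Previously Reported"
            and (s.detection, s.host) not in reported]


if __name__ == "__main__":
    print("invalid:", invalid_signals(SAMPLE_SIGNALS))
    print("summary:", summarize(SAMPLE_SIGNALS))
    print("suppress:", suppression_candidates(SAMPLE_SIGNALS))
    print("unsupported previously reported:", unsupported_previously_reported(SAMPLE_SIGNALS))
```

The suppression threshold is an assumption made for the example; the article only says recurring false positives are suppressed, not how many occurrences count as recurring.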