惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cisco Talos Blog
Cisco Talos Blog
V
V2EX
C
Check Point Blog
GbyAI
GbyAI
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
博客园 - Franky
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Security Blog
Microsoft Security Blog
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
The Cloudflare Blog
S
SegmentFault 最新的问题
Latest news
Latest news
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
I
InfoQ
博客园 - 【当耐特】
NISL@THU
NISL@THU
A
About on SuperTechFans
T
Tailwind CSS Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Scott Helme
Scott Helme
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
Security Latest
Security Latest
V
Vulnerabilities – Threatpost
Security Archives - TechRepublic
Security Archives - TechRepublic
A
Arctic Wolf
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
IT之家
IT之家
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
SecWiki News
SecWiki News
大猫的无限游戏
大猫的无限游戏
S
Security Affairs
The Register - Security
The Register - Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
L
LINUX DO - 热门话题
T
Tor Project blog

Blog

CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike CrowdStrike Why AI Projects Stall and How CIOs Can Respond | CrowdStrike CrowdStrike Leads 2026 Frost Radar for Cloud Runtime Security CrowdStrike Expands Identity Leadership with OpenID and IDPro CrowdStrike 2026 Report: China Fuels Attacks on Tech June 2026 Patch Tuesday: Updates and Analysis | CrowdStrike CrowdStrike and Zscaler Bring Continuous Identity Security to Zero Trust Access 3 Principles to Safely Scale Agentic AI | CrowdStrike ISO 42001:2023 and the New Reality of Cloud AI Data Risk How to Stop AI-Driven Data Loss | CrowdStrike CrowdStrike and NVIDIA Bring Enterprise-Grade Security to AI Factory CrowdStrike and NVIDIA Collaboration Scales AI-Native Agents Secure Shadow AI at the Control Plane with Falcon for IT CrowdStrike Named Leader in 2026 Gartner Magic Quadrant for Endpoint Protection Shadow AI: The Hidden Risk Expanding Across the Enterprise CrowdStrike Named a Leader in Identity Threat Detection and Response Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet Measuring AI-Enabled Success: 3 Trackable KPIs New Claude Integration Brings Audit Data to Falcon Platform How to Protect Identities and Sessions from Infostealers Now Live: CrowdStrike 2026 Financial Services Threat Landscape Report Falcon AIDR Detects Threats at Prompt Layer in Kubernetes AI Apps May 2026 Patch Tuesday: Updates and Analysis | CrowdStrike CrowdStrike Named a Leader in Gartner Magic Quadrant for Cyberthreat Intelligence CrowdStrike Launches Falcon OverWatch for Defender CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns Tune In: The Future of AI-Powered Vulnerability Discovery Defending Against CORDIAL SPIDER and SNARKY SPIDER CrowdStrike Expands ChatGPT Enterprise Integration CrowdStrike Named a Leader in 2026 Frost & Sullivan Radar for CNAPP CrowdStrike Expands Real-Time CDR to Google Cloud CrowdStrike Falcon Cloud Security Delivers 264% ROI CrowdStrike Falcon Platform Achieves 441% ROI in Three Years CrowdStrike Introduces Shadow AI Visibility Service How Defenders Must Respond to Frontier AI | CrowdStrike Frontier AI for Defenders: CrowdStrike and OpenAI TAC April 2026 Patch Tuesday: Updates and Analysis | CrowdStrike How CrowdStrike Accelerates Exposure Evaluation Against Threats | Blog STARDUST CHOLLIMA Likely Compromises Axios npm Package Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Detecting CVE-2026-20929: Kerberos Relay Attack via DNS CNAME Abuse How Charlotte AI Agentworks Fuels Security's Agentic Ecosystem CrowdStrike Flex for Services Expands Access to Elite Security Expertise Falcon Data Security Secures Data Wherever It Lives and Moves CrowdStrike Advances CNAPP with Adversary-Informed Risk Prioritization CrowdStrike Services and Agentic MDR Put Agentic SOC in Reach
AI Threat Detection with Automated Leads | CrowdStrike
Daniel Brown - Thomas Hobson - Amogh Pradeep · 2026-05-11 · via Blog

Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections

How analysts can use the Falcon platform’s new Automated Leads functionality to slash triage time and investigate attacks.

Last summer we introduced Automated Leads, a transformative approach to threat detection designed to surface the subtle signs of an attack before it turns into a full-blown breach. It’s powered by CrowdStrike® Signal (distinct from SGNL) and delivered via the CrowdStrike Falcon® platform.

Since that launch, the goal has remained the same: to move beyond the limitations of traditional alerting and give analysts a head start on detecting the most sophisticated adversaries.

Today, we’re peeling back the curtain on how the new family of self-learning AI models that generates Automated Leads works, and announcing a powerful new capability to instantly isolate unusual processes and anomalous remote monitoring and management (RMM) tool usage that would otherwise be lost in the noise.

The Challenge: Why More Alerts Isn’t the Answer

Improving detection is a core driver for the CrowdStrike Advanced Research team, which is behind the development of the AI models powering Automated Leads. For years, the industry has followed a predictable cycle:

  1. Create a rule for a known malicious feature.
  2. Deploy it.
  3. Triage the resulting alerts.
  4. Tune out the high-volume noise.

The consequence? “Noisy” rules, which might actually trigger on real malicious activity, are suppressed because there are too many for human triage. Malicious activity can slip through the cracks.

On the Falcon platform, we see millions of indicators, or events that don’t quite reach the threshold of a traditional detection. In a complex environment, we might see 10,000 such indicators in a single hour. They are too numerous for a human to review, but with the right algorithmic approach, they are the key to finding the needle in the haystack.

How Automated Leads Works: Scoring and Correlation

The AI engine powering Automated Leads solves this by shifting the focus from individual alerts to entity-based scoring. Instead of treating every event as a binary “good” or “bad” alert, the engine assigns a score to every indicator and detection event. These scores are essentially an initial prioritization. The engine then links these events by entity (such as an endpoint).

When multiple positively scoring events occur on the same host, their scores are summed. This is best explained by visualizing how the engine views indicator occurrences over time:

Figure 1. Visualizing event scoring.

Figure 1. Visualizing event scoring. While an indicator may be a regular occurrence on most endpoints (receiving a zero score), the engine identifies and scores instances that have never been seen on a specific host before.

By identifying and filtering down to just these anomalous examples, the engine can surface leads earlier in the attack chain and reveal special kinds of Automated Leads we refer to as “zero detect” leads. This is malicious activity that hasn't triggered a traditional alert but is clearly suspicious when viewed as a collective cluster of behaviors. 

Real-World Analysis: The RMM Hunting Ground

To see this in action, consider how the engine powering Automated Leads handles RMM tools. Adversaries love RMM tools because they allow them to “live off the land,” essentially blending in with existing approved tools already on the endpoint. But for an analyst, sifting through every RMM execution in a large enterprise is impossible.

In a recent internal analysis, the engine monitored thousands of hosts. The vast majority of activity was the organization's standard IT RMM tool — a familiar, low-score constellation of legitimate work.

Figure 2. RMM executions in environment. Each color represents a different RMM tool. The score on the y-axis represents our level of suspicion of the execution.

Figure 2. RMM executions in environment. Each color represents a different RMM tool. The score on the y-axis represents our level of suspicion of the execution.

The engine flagged a single execution of MeshAgent, a tool never seen before in that specific environment. While a lone RMM execution is hard to convict, the engine immediately correlated it with other “quiet” behaviors on that same host: a command prompt launch, registry queries, and local network probing.

Figure 3. Indicators of attack (IOAs) triggering on the victim host. IOAs above the line indicate a contribution to the Automated Lead’s confidence.

Figure 3. Indicators of attack (IOAs) triggering on the victim host. IOAs above the line indicate a contribution to the Automated Lead’s confidence.

None of these events would have raised an alarm individually. The registry query, for instance, fired hundreds of times a day across the environment. But because it had never occurred on that specific host, the engine’s confidence score spiked.

New Innovation: Investigating Unusual Processes

Building on this logic, we are thrilled to announce a new capability integrated directly into Automated Leads: Investigate Unusual Processes.

Figure 5. Example of an Automated Lead

Figure 5. Example of an Automated Lead

Analyzing every process created during a suspicious window is a massive time sink. A typical endpoint creates tens of thousands of processes per day. A key observation is the vast majority of this process creation activity is from routine, repetitive, and benign activity. This typically holds true even for endpoints that are compromised by adversaries. The malicious processes created are a small fraction intertwined with benign, largely automated creations.

In order to rapidly analyze process creations during suspected attacks at scale, we needed a way to filter out this routine activity. To solve this, we’ve introduced the ProcessAncestryInformation (PAI) event. This feature uses historical observations of an endpoint to flag only the most unusual process creations — typically just 1-3% of all process creations. For example, during a recent attack spanning two hours, we observed approximately 5,000 processes created, of which 75 were flagged as unusual, triggering PAI events. These select processes contained subtle but unusual attacker activity including a legitimate RMM tool, a command prompt, and the ping utility.

Figure 6. ProcessAncestryInformation event triggered for unusual process creations

Figure 6. ProcessAncestryInformation event triggered for unusual process creations

How to Use It

This feature is available now for all customers within the Automated Leads dashboard:

  1. Locate a Lead: Click on the three-dot menu (⋮) next to the Status of any Automated Lead.
  2. Pivot to Advanced Event Search: Select “Investigate unusual processes.”

Figure 7. Click “Investigate unusual processes” from within the menu of any Automated Lead in order to see the unusual processes that were created during that lead

Figure 7. Click “Investigate unusual processes” from within the menu of any Automated Lead in order to see the unusual processes that were created during that lead

This will take you to Advanced Event Search (AES), pre-populated with PAI events joined with ProcessRollup2 data. This gives you the full picture — including command lines and ancestor processes — without forcing you to sift through thousands of benign events.

Always-On Intelligence

Investigate Unusual Processes is available across Windows, macOS, and Linux. Best of all, it is always active. While it’s integrated into Automated Leads for ease of use, you can search for the ProcessAncestryInformation event in Advanced Event Search for any endpoint at any time to see what’s truly out of the ordinary in your environment.

By automating the "boring" work of filtering routine noise, we’re empowering teams to quickly focus on the activity that’s unusual in their environment.