End to end investigation flow

Understanding the entity risk workflow

Before designing the risk dashboard, I mapped how SOC analysts, threat hunters, and risk engineers actually move from a raw anomaly signal to a documented decision. The friction wasn't in the ML models themselves: it accumulated in the gap between a risk score and an explanation an analyst could act on, and in the dead ends between "this entity looks risky" and an actual investigation.
Engineer
Detection rules & ML jobs raise alerts; the risk engine folds them into entity scores hourly
Analyst
Reviews the Entity Risk Dashboard, ranked by risk
Analyst
Opens the Risk Score Breakdown to see what's driving the number
Hunter
Correlates alerts & threat intel, pivots into Timeline
Hunter
Escalates to a case or closes with reasoning documented

SOC analyst journey

13 steps · 5 pain points, as mapped in research
  • 1Start the shift and open Entity Analytics
  • 2Scan a flat alerts list with no sense of who is actually risky across itPain
  • 3Cross reference host and user names by hand across alerts, logs & threat intel tabsPain
  • 4Open the Entity Risk Dashboard, ranked by risk score
  • 5Select a high risk entity to review
  • 6See a bare risk number with no explanation of why it's highPain
  • 7Open the Risk Score Breakdown panel
  • 8Review which anomaly signals contributed to the score, and how heavily each was weighted
  • 9Wonder whether the score reflects one bad alert or a sustained patternPain
  • 10Check the score history sparkline and trend indicator
  • 11Review the alerts correlated to this entity's score
  • 12Have no natural next step from "this looks risky" to an actual investigationPain
  • 13Pivot into Timeline with one click to investigate further
5 of 13 steps were pain points. The Entity Risk Dashboard and Risk Score Breakdown replaced ad hoc cross-referencing with a ranked, explainable starting point, and a one click Investigation pivot closed the gap between a high score and an actual investigation.

Threat hunter journey

10 steps · 4 pain points, as mapped in research
  • 1Receive a high risk entity flagged by an analyst or the dashboard itself
  • 2Open the entity's risk profile to review full context
  • 3Manually search external threat intel sources for known indicatorsPain
  • 4Review the threat intelligence matches surfaced directly in the risk profile
  • 5Previously had to reconstruct alert correlation by hand across the alerts listPain
  • 6Review the alerts already correlated to this entity's score
  • 7Rebuild search queries in Timeline from scratch with no entity context carried overPain
  • 8Pivot into Timeline with the entity's context already applied
  • 9No structured way to document why an entity was cleared or escalatedPain
  • 10Escalate to a case or close with reasoning attached, closing the loop
4 of 10 steps were pain points. Alert correlation and Threat intelligence integration brought the evidence into the risk profile itself, and the Investigation pivot carried entity context straight into Timeline instead of starting the search from zero.

Risk engineer journey

7 steps · 3 pain points, as mapped in research
  • 1Stand up entity risk scoring for a new environment or data source
  • 2Select which data sources and anomaly job types feed the model
  • 3Changing what fed the score used to mean a request to the data science teamPain
  • 4Launch anomaly detection jobs and monitor initial scoring
  • 5Get pinged by analysts that a change buried real risk under noise from a new sourcePain
  • 6No visibility into how a weighting change behaves before it reaches analystsPain
  • 7Adjust source weighting through self serve tuning controls and confirm the score distribution before it goes live
3 of 7 steps were pain points. Risk score configuration turned tuning into a self serve setting instead of a request to the data science team, with visibility into how a weighting change behaves before it ever reaches analysts.
SOC analyst Threat hunter Risk engineer Select a role to explore its journey