What 5 Days of Stealthy Attacker Activity Looks Like

We simulated an attacker operating for 5 days using legitimate Windows tools (PowerShell, Chrome, and remote access). No malware. 

On day 5 the attacker made a mistake and triggered an alert. 

Result: 52,000 EDR telemetry entries.

The attacker’s activity is in there—but where?

The EDR Console View

In the console, you see hundreds of pages of data like this: 


52,000 events. Hundreds of pages. Which ones matter? An analyst has 20 minutes.

Why Manual Review Fails

99.9% of those events are normal. PowerShell scripts run by IT. Scheduled tasks for updates. File access for backups.

Finding the 0.1% that’s malicious requires:

  • Knowing what “normal” looks like for every user and system
  • Spotting subtle patterns (unusual timing, suspicious file paths, weird combinations)
  • Correlating dozens of events to piece together the attack chain

Even skilled analysts miss things—not because they’re careless, but because there’s too much noise.

Enter Automated Investigation Scoring

Investigation platforms solve this by automatically scoring artifacts based on:

  • Malware signatures
  • Behavioral anomalies
  • Threat intelligence
  • Deviations from baseline

Instead of reviewing 52,000 events, the analyst focuses on the tens that scored as suspicious or malicious.

The Cyber Triage View

Cyber Triage is an investigation platform with automated scoring. It analyzed the 52,000 events in under 10 minutes and surfaced roughly 50 suspicious items that are investigative clues the analyst needs to see.

You can see here the Defender alerts on Nov 30 were imported and shown with context.

The suspicious items start to reveal other activity in the days prior:

  • Non-standard ports
  • Remote access software
  • Non-standard paths

After reviewing the suspicious items, the analyst can identify: 

  • Remote Access: AnyDesk was installed as a local service to allow the attacker continued access.
  • Data Exfiltration: The Admin share on other internal hosts was accessed to copy files.
  • Credential Access: WMI was used to create a volume shadow copy in order to access passwords.

Same data. Different visibility. This attacker activity was in the EDR telemetry, but hard to find.
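To make the scoring idea concrete, here is an added example (not Cyber Triage's code, and not the product's actual scoring logic) that ranks EDR-style events with the kinds of rules described above: non-standard ports, remote-access software, non-standard paths, admin-share access, shadow-copy creation via WMI, and deviation from a usage baseline. The event field names, rule weights and verdict thresholds are assumptions chosen for illustration, and the sample telemetry is constructed, with a handful of events modelled on the findings listed above mixed into routine IT, backup and update noise.

```python
# Added example, not Cyber Triage's code: a toy scorer that ranks EDR-style
# events with the kinds of rules the post describes. Field names, rule weights
# and thresholds are assumptions; the sample events are constructed.
from collections import Counter
import re

# Assumed weights per rule and verdict thresholds (toy values).
WEIGHTS = {
    "non_standard_port": 3,
    "remote_access_tool": 4,
    "non_standard_path": 2,
    "admin_share_access": 3,
    "shadow_copy_via_wmi": 5,
    "rare_user_process": 2,
}
SUSPICIOUS_AT, MALICIOUS_AT = 3, 6

STANDARD_PORTS = {53, 80, 135, 139, 443, 445, 3389}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}  # extend with other remote-access binaries
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(c\$|admin\$)\\", re.IGNORECASE)
SHADOW_COPY = re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bcreate\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing path)."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(events):
    """Count (user, executable) pairs; a pair seen only once is unusual in this toy baseline.
    A real baseline would be built from weeks of history per host, not from the same batch."""
    return Counter((e["user"].lower(), basename(e["image"])) for e in events)


def score_event(event, baseline):
    """Apply each rule to one event; return (total score, list of matched rule names)."""
    reasons = []
    image = event["image"].lower()
    exe = basename(image)
    port = event.get("dest_port")
    if port is not None and port not in STANDARD_PORTS:
        reasons.append("non_standard_port")
    if exe in REMOTE_ACCESS_TOOLS or basename(event.get("service_image", "")) in REMOTE_ACCESS_TOOLS:
        reasons.append("remote_access_tool")
    if not image.startswith(STANDARD_DIRS):
        reasons.append("non_standard_path")
    if ADMIN_SHARE.match(event.get("target", "")):
        reasons.append("admin_share_access")
    if SHADOW_COPY.search(event.get("cmdline", "")):
        reasons.append("shadow_copy_via_wmi")
    if baseline[(event["user"].lower(), exe)] == 1:
        reasons.append("rare_user_process")
    return sum(WEIGHTS[r] for r in reasons), reasons


def verdict(score):
    """Map a score to the bucket an analyst would review first."""
    if score >= MALICIOUS_AT:
        return "malicious"
    if score >= SUSPICIOUS_AT:
        return "suspicious"
    return "normal"


def triage(events):
    """Score every event against the baseline and return them highest score first."""
    baseline = build_baseline(events)
    scored = []
    for e in events:
        s, reasons = score_event(e, baseline)
        scored.append({**e, "score": s, "reasons": reasons, "verdict": verdict(s)})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


# Constructed sample telemetry: routine noise plus events modelled on the post's
# findings (Nov 26 = day 1, Nov 30 = the alert day). Hosts and users are made up.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
BK = "C:\\Program Files\\BackupAgent\\bkagent.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE_EVENTS = [
    {"ts": "Nov-26 02:00", "host": "ws-042", "user": "svc_backup", "image": BK, "target": "\\\\srv-file01\\Backups\\ws-042.vhdx"},
    {"ts": "Nov-27 02:00", "host": "ws-042", "user": "svc_backup", "image": BK, "target": "\\\\srv-file01\\Backups\\ws-042.vhdx"},
    {"ts": "Nov-26 09:00", "host": "ws-042", "user": "it_admin", "image": PS, "cmdline": "powershell.exe -File C:\\Scripts\\patch.ps1"},
    {"ts": "Nov-28 09:00", "host": "ws-042", "user": "it_admin", "image": PS, "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"ts": "Nov-26 10:00", "host": "ws-042", "user": "SYSTEM", "image": SVCHOST, "dest_port": 443},
    {"ts": "Nov-29 10:00", "host": "ws-042", "user": "SYSTEM", "image": SVCHOST, "dest_port": 80},
    {"ts": "Nov-26 22:13", "host": "ws-042", "user": "jdoe", "image": PS, "dest_port": 8443},
    {"ts": "Nov-27 22:40", "host": "ws-042", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\anydesk.exe"},
    {"ts": "Nov-27 22:41", "host": "ws-042", "user": "SYSTEM", "image": "C:\\Windows\\System32\\services.exe",
     "service_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\anydesk.exe"},
    {"ts": "Nov-28 23:05", "host": "ws-042", "user": "jdoe", "image": "C:\\Windows\\explorer.exe", "target": "\\\\srv-fin01\\C$\\Finance\\q3-forecast.xlsx"},
    {"ts": "Nov-29 23:30", "host": "ws-042", "user": "jdoe", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic shadowcopy call create Volume=C:\\"},
]

if __name__ == "__main__":
    # Print only the items an analyst would open first, in score order.
    for r in triage(SAMPLE_EVENTS):
        if r["verdict"] != "normal":
            print(f'{r["ts"]}  {r["verdict"]:10} {r["score"]:2}  {basename(r["image"]):14} {", ".join(r["reasons"])}')
```

Run as-is, the six routine events score zero and drop out of view, while the five attacker-modelled events surface with their reasons attached, which is the point of the post: the same telemetry, reduced to the handful of items worth an analyst's 20 minutes. The weights are deliberately simple; in practice each rule would also draw on threat intelligence and a baseline built from historical data rather than from the batch being scored.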

Why This Matters

EDRs minimize false positives—they only alert on high-confidence threats. But investigators need to see suspicious activity to understand what happened before the alert.

That’s where automated scoring helps: it surfaces the evidence analysts would miss in manual review.