AI Threat Detection with Automated Leads | CrowdStrike BLOG Featured Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report May 14, 2026 Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications May 13, 2026 May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs May 12, 2026 Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections May 11, 2026 Recent Video Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019 Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO] Feb 21, 2019 Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO] Jan 22, 2019 Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO] Aug 20, 2018 Category Agentic SOC How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem 03/25/26 CrowdStrike Services and Agentic MDR Put the Agentic SOC in Reach 03/24/26 4 Ways Businesses Use CrowdStrike Charlotte AI to Transform Security Operations 03/12/26 Inside the Human-AI Feedback Loop Powering CrowdStrike’s Agentic Security 02/10/26 Cloud & Application Security 05/13/26 CrowdStrike Named a Leader in Frost & Sullivan 2026 Radar for Cloud-Native Application Protection Platforms 04/27/26 CrowdStrike Expands Real-Time Cloud Detection and Response to Google Cloud 04/22/26 CrowdStrike Falcon Cloud Security Delivered 264% ROI Through Unified Cloud Protection Threat Hunting & Intel 05/14/26 CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies 05/06/26 CrowdStrike Launches Falcon OverWatch for Defender 05/05/26 Tune In: The Future of AI-Powered Vulnerability Discovery 05/01/26 Endpoint Security & XDR 05/11/26 CrowdStrike Falcon Platform Achieves 441% ROI in Three Years 04/21/26 Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management 04/01/26 Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities 03/11/26 Engineering & Tech EMBER2024: Advancing the Training of Cybersecurity ML Models Against Evasive Malware 09/03/25 Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS 08/20/25 CrowdStrike’s Approach to Better Machine Learning Evaluation Using Strategic Data Splitting 08/11/25 CrowdStrike Researchers Develop Custom XGBoost Objective to Improve ML Model Release Stability 03/20/25 Executive Viewpoint Frontier AI Is Collapsing the Exploit Window.
Here’s How Defenders Must Respond. 04/20/26 Frontier AI for Defenders: CrowdStrike and OpenAI TAC 04/16/26 Anthropic Claude Mythos Preview: The More Capable AI Becomes, the More Security It Needs 04/06/26 The Architecture of Agentic Defense: Inside the Falcon Platform 01/16/26 From The Front Lines CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns 05/04/26 Introducing the CrowdStrike Shadow AI Visibility Service CrowdStrike Flex for Services Expands Access to Elite Security Expertise From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise 03/20/26 Next-Gen Identity Security Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse 03/31/26 CrowdStrike FalconID Brings Phishing-Resistant MFA to Falcon Next-Gen Identity Security 02/26/26 CrowdStrike Named a Customers’ Choice in 2026 Gartner® Peer Insights™ Voice of the Customer for User Authentication 02/12/26 CrowdStrike to Acquire Seraphic to Secure Work in Any Browser 01/13/26 Next-Gen SIEM & Log Management Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender 03/23/26 Falcon Next-Gen SIEM Simplifies Onboarding with Sensor-Native Log Collection 03/06/26 Exposing Insider Threats through Data Protection, Identity, and HR Context 02/18/26 How to Scale SOC Automation with Falcon Fusion SOAR 02/11/26 Public Sector CrowdStrike Innovates to Modernize National Security and Protect Critical Systems 03/18/26 Falcon Platform for Government Now Offers Falcon for XIoT to Secure Connected Assets CrowdStrike Achieves FedRAMP® High Authorization 03/19/25 NHS Matures Healthcare Cybersecurity with NCSC’s CAF Assurance Model 03/13/25 Exposure Management 05/12/26 April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs 04/14/26 How CrowdStrike Is Accelerating Exposure Evaluation as Adversaries Gain Speed 04/05/26 March 2026 Patch Tuesday: Eight Critical Vulnerabilities and Two Publicly Disclosed Among 82 CVEs Patched 03/10/26 Securing AI CrowdStrike Expands ChatGPT Enterprise Integration with Enhanced Audit Logging and Activity Monitoring 04/28/26 New CrowdStrike Innovations Secure AI Agents and Govern Shadow AI Across Endpoints, SaaS, and Cloud Secure Homegrown AI Agents with CrowdStrike Falcon AIDR and NVIDIA NeMo Guardrails 03/19/26 Introducing "AI Unlocked: Decoding Prompt Injection," a New Interactive Challenge Data Security Falcon Data Security Secures Data Wherever It Lives and Moves Falcon Data Protection for Cloud Extends DSPM into Runtime 11/20/25 CrowdStrike Stops GenAI Data Leaks with Unified Data Protection 09/18/25 Q&A: How Mastronardi Produce Secures Innovation with CrowdStrike 02/14/25 Start Free Trial How analysts can use the Falcon platform’s new Automated Leads functionality to slash triage time and investigate attacks.
Daniel Brown - Thomas Hobson - Amogh Pradeep Endpoint Security & XDR • Last summer we introduced Automated Leads , a transformative approach to threat detection designed to surface the subtle signs of an attack before it turns into a full-blown breach. It’s powered by CrowdStrike® Signal (distinct from SGNL ) and delivered via the CrowdStrike Falcon® platform. Since that launch, the goal has remained the same: to move beyond the limitations of traditional alerting and give analysts a head start on detecting the most sophisticated adversaries.
Today, we’re peeling back the curtain on how the new family of self-learning AI models that generates Automated Leads works, and announcing a powerful new capability to instantly isolate unusual processes and anomalous remote monitoring and management ( RMM ) tool usage that would otherwise be lost in the noise. The Challenge: Why More Alerts Isn’t the Answer Improving detection is a core driver for the CrowdStrike Advanced Research team, which is behind the development of the AI models powering Automated Leads.
For years, the industry has followed a predictable cycle: Create a rule for a known malicious feature. Deploy it. Triage the resulting alerts. Tune out the high-volume noise. The consequence? “Noisy” rules, which might actually trigger on real malicious activity, are suppressed because there are too many for human triage. Malicious activity can slip through the cracks. On the Falcon platform, we see millions of indicators, or events that don’t quite reach the threshold of a traditional detection.
In a complex environment, we might see 10,000 such indicators in a single hour. They are too numerous for a human to review, but with the right algorithmic approach, they are the key to finding the needle in the haystack. How Automated Leads Works: Scoring and Correlation The AI engine powering Automated Leads solves this by shifting the focus from individual alerts to entity-based scoring. Instead of treating every event as a binary “good” or “bad” alert, the engine assigns a score to every indicator and detection event.
These scores are essentially an initial prioritization. The engine then links these events by entity (such as an endpoint). When multiple positively scoring events occur on the same host, their scores are summed. This is best explained by visualizing how the engine views indicator occurrences over time: Figure 1. Visualizing event scoring. While an indicator may be a regular occurrence on most endpoints (receiving a zero score), the engine identifies and scores instances that have never been seen on a specific host before.
By identifying and filtering down to just these anomalous examples, the engine can surface leads earlier in the attack chain and reveal special kinds of Automated Leads we refer to as “zero detect” leads. This is malicious activity that hasn't triggered a traditional alert but is clearly suspicious when viewed as a collective cluster of behaviors. Real-World Analysis: The RMM Hunting Ground To see this in action, consider how the engine powering Automated Leads handles RMM tools.
Adversaries love RMM tools because they allow them to “ live off the land ,” essentially blending in with existing approved tools already on the endpoint. But for an analyst, sifting through every RMM execution in a large enterprise is impossible. In a recent internal analysis, the engine monitored thousands of hosts. The vast majority of activity was the organization's standard IT RMM tool — a familiar, low-score constellation of legitimate work.
Figure 2. RMM executions in environment. Each color represents a different RMM tool. The score on the y-axis represents our level of suspicion of the execution. The engine flagged a single execution of MeshAgent , a tool never seen before in that specific environment. While a lone RMM execution is hard to convict, the engine immediately correlated it with other “quiet” behaviors on that same host: a command prompt launch, registry queries, and local network probing.
Figure 3. Indicators of attack (IOAs) triggering on the victim host. IOAs above the line indicate a contribution to the Automated Lead’s confidence. None of these events would have raised an alarm individually. The registry query, for instance, fired hundreds of times a day across the environment. But because it had never occurred on that specific host, the engine’s confidence score spiked. Figure 4. IOA related to registry querying across hosts in this environment.
Each point represents its occurrence on hosts in this environment. New Innovation: Investigating Unusual Processes Building on this logic, we are thrilled to announce a new capability integrated directly into Automated Leads: Investigate Unusual Processes. Figure 5. Example of an Automated Lead Analyzing every process created during a suspicious window is a massive time sink. A typical endpoint creates tens of thousands of processes per day.
A key observation is the vast majority of this process creation activity is from routine, repetitive, and benign activity. This typically holds true even for endpoints that are compromised by adversaries. The malicious processes created are a small fraction intertwined with benign, largely automated creations. In order to rapidly analyze process creations during suspected attacks at scale, we needed a way to filter out this routine activity.
To solve this, we’ve introduced the ProcessAncestryInformation (PAI) event. This feature uses historical observations of an endpoint to flag only the most unusual process creations — typically just 1-3% of all process creations. For example, during a recent attack spanning two hours, we observed approximately 5,000 processes created, of which 75 were flagged as unusual, triggering PAI events. These select processes contained subtle but unusual attacker activity including a legitimate RMM tool, a command prompt, and the ping utility.
Figure 6. ProcessAncestryInformation event triggered for unusual process creations How to Use It This feature is available now for all customers within the Automated Leads dashboard: Locate a Lead : Click on the three-dot menu (⋮) next to the Status of any Automated Lead. Pivot to Advanced Event Search : Select “Investigate unusual processes.” Figure 7. Click “Investigate unusual processes” from within the menu of any Automated Lead in order to see the unusual processes that were created during that lead This will take you to Advanced Event Search (AES) , pre-populated with PAI events joined with ProcessRollup2 data.
This gives you the full picture — including command lines and ancestor processes — without forcing you to sift through thousands of benign events. Always-On Intelligence Investigate Unusual Processes is available across Windows , macOS , and Linux . Best of all, it is always active. While it’s integrated into Automated Leads for ease of use, you can search for the ProcessAncestryInformation event in Advanced Event Search for any endpoint at any time to see what’s truly out of the ordinary in your environment.
By automating the "boring" work of filtering routine noise, we’re empowering teams to quickly focus on the activity that’s unusual in their environment. Related Content Categories CONNECT WITH US FEATURED ARTICLES May 06, 2026 May 05, 2026 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up See CrowdStrike Falcon ® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection.
See Demo Privacy Request Info Contact Us 1.888.512.8906 Accessibility