Hiro ingests security detections from your connected sources, enriches them with AI-generated analysis, and helps you investigate and respond to threats efficiently.

Detection Sources

Hiro can ingest detections from:
Source            Detection Types
CrowdStrike       Endpoint threats, malware, suspicious behavior
AWS GuardDuty     Cloud infrastructure threats
Okta              Authentication anomalies, policy violations
Custom Webhooks   Any detection system with webhook support

How Detections Work

When a detection is received:
  1. Ingestion — Detection is received via webhook or API poll
  2. Enrichment — Hiro queries related systems for context
  3. AI Summary — A concise, actionable summary is generated
  4. MITRE Mapping — Detection is mapped to ATT&CK techniques
  5. Deduplication — Related alerts are correlated
  6. Notification — You’re alerted based on severity
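The six stages above are easier to reason about in code. What follows is an added example written for this page, not Hiro's own implementation: it runs constructed CrowdStrike-style, GuardDuty-style and custom-webhook payloads through ingestion (step 1), MITRE mapping (step 4) and correlation (step 5), and skips enrichment and AI summary because those need live systems. The payload field names, the keyword-to-technique rules, the four-hour correlation window and all sample values are assumptions; only GuardDuty's numeric severity scale is the real one.

```python
# Added example (not Hiro's code): a minimal version of the ingest, MITRE-map and
# correlate stages. Payload field names, keyword rules and the 4-hour correlation
# window are assumptions chosen for illustration only.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Title keyword -> ATT&CK technique (assumed rules; a real mapper would key on
# the source's own finding categories rather than free text).
TECHNIQUE_RULES = [
    ("assumerole", ("T1078", "Valid Accounts")),
    ("privilege", ("T1098", "Account Manipulation")),
    ("console", ("T1538", "Cloud Service Dashboard")),
    ("ransomware", ("T1486", "Data Encrypted for Impact")),
]


@dataclass
class Detection:
    source: str
    title: str
    severity: str
    occurred_at: datetime
    indicators: dict                         # e.g. {"user": ..., "host": ...}
    techniques: list = field(default_factory=list)
    raw: dict = field(default_factory=dict)  # original payload, kept verbatim


def guardduty_severity(score: float) -> str:
    """GuardDuty reports severity as a number: 1-3.9 Low, 4-6.9 Medium, 7-8.9 High."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def normalize(source: str, payload: dict) -> Detection:
    """Step 1 (ingestion): convert a source-specific payload to the common record."""
    if source == "crowdstrike":  # assumed field names
        return Detection("CrowdStrike", payload["description"], payload["severity"],
                         datetime.fromtimestamp(payload["ts"], tz=timezone.utc),
                         {"host": payload["hostname"], "user": payload["user"]}, raw=payload)
    if source == "guardduty":  # assumed field names; the numeric severity is GuardDuty's real scale
        return Detection("AWS GuardDuty", payload["Title"], guardduty_severity(payload["Severity"]),
                         datetime.fromisoformat(payload["UpdatedAt"]),
                         {"access_key": payload["AccessKeyId"], "user": payload["UserName"]}, raw=payload)
    # Custom webhook: the sender already supplies the common fields.
    return Detection(payload["source"], payload["title"], payload["severity"],
                     datetime.fromisoformat(payload["time"]), dict(payload.get("indicators", {})), raw=payload)


def map_techniques(d: Detection) -> list:
    """Step 4: attach ATT&CK techniques by matching keywords in the title."""
    text = d.title.lower()
    d.techniques = [technique for keyword, technique in TECHNIQUE_RULES if keyword in text]
    return d.techniques


def correlate(detections: list, window: timedelta = timedelta(hours=4)) -> list:
    """Step 5: group detections that share an indicator value (same user, access
    key or host) and arrive within `window` of the group's latest member."""
    groups = []
    for d in sorted(detections, key=lambda x: x.occurred_at):
        keys = set(d.indicators.items())
        for g in groups:
            if keys & g["keys"] and d.occurred_at - g["last"] <= window:
                g["members"].append(d)
                g["keys"] |= keys
                g["last"] = d.occurred_at
                break
        else:
            groups.append({"members": [d], "keys": keys, "last": d.occurred_at})
    for g in groups:  # a group inherits its most severe member's level
        g["severity"] = max((m.severity for m in g["members"]), key=SEVERITY_ORDER.get)
    return groups


# Constructed sample payloads (not real alerts): one user, one endpoint and one
# access key over four hours, plus an unrelated earlier finding for another user.
SAMPLE = [
    ("guardduty", {"Title": "Console login without MFA", "Severity": 2.0,
                   "UpdatedAt": "2024-05-01T02:00:00+00:00",
                   "AccessKeyId": "AKIA-EXAMPLE-OTHER", "UserName": "alice@company.com"}),
    ("crowdstrike", {"description": "New process on endpoint", "severity": "Low",
                     "ts": 1714550400, "hostname": "LAPTOP-A1B2C3", "user": "john@company.com"}),
    ("webhook", {"source": "Okta", "title": "Login from new device", "severity": "Medium",
                 "time": "2024-05-01T09:00:00+00:00", "indicators": {"user": "john@company.com"}}),
    ("guardduty", {"Title": "Unusual AssumeRole calls from access key", "Severity": 7.5,
                   "UpdatedAt": "2024-05-01T10:00:00+00:00",
                   "AccessKeyId": "AKIA-EXAMPLE-JOHN", "UserName": "john@company.com"}),
    ("crowdstrike", {"description": "Ransomware indicators on endpoint", "severity": "Critical",
                     "ts": 1714564800, "hostname": "LAPTOP-A1B2C3", "user": "john@company.com"}),
]


def run_pipeline(samples=SAMPLE) -> list:
    """Steps 1, 4 and 5 end to end; enrichment and summary would need live systems."""
    detections = [normalize(src, payload) for src, payload in samples]
    for d in detections:
        map_techniques(d)
    return correlate(detections)
```

Calling run_pipeline() returns two groups: the unrelated console-login finding on its own, and the four detections for john@company.com and LAPTOP-A1B2C3 merged into one Critical group because each shares a user, host or access key with an earlier member inside the window. Correlating on any shared indicator is deliberately greedy; a production deduplicator would weight indicators (a shared host is stronger evidence than a shared user) so that unrelated activity is not merged.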

Viewing Detections

Navigate to Detections in the left sidebar to see your detection queue.

Detection List

Detections are displayed with:
  • Severity — Critical, High, Medium, Low
  • Title — Brief description of the threat
  • Source — Where the detection originated
  • Time — When the detection occurred
  • Status — New, Investigating, Resolved

Filtering and Sorting

Filter detections by:
  • Severity level
  • Source system
  • Time range
  • Status
  • MITRE technique

Detection Details

Click any detection to see full details:

AI Summary

Hiro generates a concise summary explaining:
  • What happened
  • Why it matters
  • Recommended next steps
SUMMARY: Credential Access Attempt Detected

A user's AWS access key was used to attempt AssumeRole calls
to 15 different roles across 3 AWS accounts over a 5-minute period.
This pattern is consistent with credential theft and privilege
escalation attempts.

The access key belongs to john@company.com and was last rotated
90 days ago. The API calls originated from IP 185.220.101.1,
which is not associated with known company infrastructure.

RECOMMENDED: Deactivate the access key immediately and investigate
the user's Okta session for signs of compromise.

MITRE ATT&CK Mapping

Detections are mapped to relevant MITRE ATT&CK techniques:
Technique   Name                       Description
T1078       Valid Accounts             Use of valid credentials
T1098       Account Manipulation       Attempt to modify privileges
T1538       Cloud Service Dashboard    Cloud console access

Raw Detection Data

The original detection payload is preserved and accessible for detailed analysis.

Investigating Detections

From any detection, you can:

Start Chat Investigation

Click Investigate in Chat to open a conversation pre-loaded with detection context:
Hiro: I've loaded the context from this detection. The CrowdStrike
alert shows ransomware indicators on endpoint LAPTOP-A1B2C3.
What would you like to investigate first?

You: What user was logged into this endpoint at the time?

Start Fight Mode

For active threats, click Investigate in Fight Mode to begin continuous hunting with the detection’s indicators already loaded. Hiro correlates related detections automatically:
RELATED DETECTIONS (3)
─────────────────────
• [High] AWS GuardDuty: Unusual API calls from same access key (2 hours ago)
• [Medium] Okta: Login from new device for same user (3 hours ago)
• [Low] CrowdStrike: New process on same endpoint (4 hours ago)

Detection Status Workflow

Manage detection status as you work:
Status            Description
New               Detection received, not yet reviewed
Investigating     Active investigation in progress
Pending Action    Awaiting remediation approval
Resolved          Investigation complete, threat mitigated
False Positive    Confirmed not a threat

Configuring Detection Sources

CrowdStrike

CrowdStrike detections are automatically ingested when you connect the integration. Configure which detection types to receive in Settings > Integrations > CrowdStrike.

AWS GuardDuty

GuardDuty findings are pulled when you connect your AWS account. All finding types are ingested by default.

Notification Settings

Configure how you’re notified about new detections:
Channel    Configuration
In-App     Always enabled for all severities
Email      Configurable by severity threshold
Slack      Send to channel with @mention for critical

Configure notifications in Settings > Notifications.

Best Practices

Triage by Severity

Focus on Critical and High severity detections first. Use filtering to manage your queue effectively.

Correlate Before Acting

Check related detections before taking action—what looks like multiple incidents may be a single attack.

Use AI Summaries

Hiro’s AI summaries provide quick context without reading raw logs. Trust but verify for critical decisions.
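A concrete way to "trust but verify" is to recompute the summary's countable claims from the raw detection payload that Hiro preserves. The following is an added example, not Hiro's code: it takes constructed AssumeRole audit records in a simplified, assumed layout, derives the role count, account count, time span and whether the source IP is outside company ranges, and compares each to the claims in the sample summary shown earlier on this page. The account ids, the company IP ranges, the access key id and the event layout are all placeholders or assumptions.

```python
# Added example (not Hiro's code): checking an AI summary's factual claims against
# the raw detection data before acting on it. The record layout is a simplified,
# assumed form of AssumeRole audit events; every value below is constructed.
import ipaddress
from datetime import datetime, timedelta

ACCOUNTS = ["111111111111", "222222222222", "333333333333"]  # placeholder account ids
COMPANY_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]             # assumed company ranges
BASE = datetime(2024, 5, 1, 10, 0, 0)

# Fifteen AssumeRole attempts, 20 seconds apart, spread over three accounts,
# plus one unrelated call that the checks must ignore.
RAW_EVENTS = [
    {"eventName": "AssumeRole", "eventTime": BASE + timedelta(seconds=20 * i),
     "sourceIPAddress": "185.220.101.1", "accessKeyId": "AKIA-EXAMPLE-JOHN",
     "roleArn": f"arn:aws:iam::{ACCOUNTS[i % 3]}:role/role-{i:02d}"}
    for i in range(15)
] + [
    {"eventName": "GetCallerIdentity", "eventTime": BASE + timedelta(seconds=301),
     "sourceIPAddress": "185.220.101.1", "accessKeyId": "AKIA-EXAMPLE-JOHN", "roleArn": ""},
]

# The claims as the sample summary states them (numbers from the docs' example;
# the dictionary structure is assumed).
SUMMARY_CLAIMS = {"roles": 15, "accounts": 3, "window_minutes": 5, "ip": "185.220.101.1"}


def facts_from_raw(events: list, company_cidrs: list) -> dict:
    """Recompute the countable claims directly from the raw events."""
    attempts = [e for e in events if e["eventName"] == "AssumeRole"]
    roles = {e["roleArn"] for e in attempts}
    accounts = {arn.split(":")[4] for arn in roles}  # the account id is ARN field 4
    times = [e["eventTime"] for e in attempts]
    networks = [ipaddress.ip_network(c) for c in company_cidrs]
    ips = {e["sourceIPAddress"] for e in events}
    external = sorted(ip for ip in ips
                      if not any(ipaddress.ip_address(ip) in n for n in networks))
    return {
        "roles": len(roles),
        "accounts": len(accounts),
        "span": max(times) - min(times) if times else timedelta(0),
        "external_ips": external,
    }


def verify_summary(claims: dict, facts: dict) -> dict:
    """One boolean per claim; any False means the summary should not be acted on as-is."""
    return {
        "roles": facts["roles"] == claims["roles"],
        "accounts": facts["accounts"] == claims["accounts"],
        "window": facts["span"] <= timedelta(minutes=claims["window_minutes"]),
        "external_ip": claims["ip"] in facts["external_ips"],
    }


def check_sample() -> dict:
    """Verify the sample claims against the constructed events; all should be True."""
    return verify_summary(SUMMARY_CLAIMS, facts_from_raw(RAW_EVENTS, COMPANY_CIDRS))
```

Each claim that can be derived from the payload gets its own check, so a summary that is right about the role count but wrong about the time window is flagged precisely rather than accepted or rejected as a whole. Claims that depend on data outside the payload, such as when the key was last rotated, still need to be checked against the system that holds that data.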

Mark False Positives

Marking false positives helps improve detection quality over time and keeps your queue clean.

Next Steps

Chat Interface

Investigate detections conversationally.

Fight Mode

Hunt threats continuously.

Remediation

Take action on detected threats.

Integrations

Connect more detection sources.