CrowdStrike Details AI-Driven 'Automated Leads' for Detecting Stealthy Adversary Activity
CrowdStrike has unveiled the technical framework behind its "Automated Leads" AI, which identifies subtle, low-fidelity indicators of compromise by aggregating entity-based scores to detect malicious activity that traditional alerts miss.

CrowdStrike has detailed the mechanics of its "Automated Leads" functionality, a Falcon platform feature designed to identify malicious activity that falls below the threshold of a traditional security alert. Rather than treating every event as either benign or malicious, the system scores events and surfaces accumulations of subtle indicators earlier in the attack lifecycle, with the aim of reducing the triage burden on security analysts.
The technical mechanism relies on a family of self-learning AI models that use entity-based scoring. Instead of raising an alert for each individual event, the engine assigns a score to every indicator and detection event and aggregates those scores by entity, such as a specific endpoint. When several positively scored events occur on the same host, their scores are summed, so a cluster of individually unremarkable events that would otherwise be dismissed as noise can rise above the background.
A primary goal of this approach is to catch "zero detect" leads: malicious activity that triggers no traditional alert but looks anomalous when the host's behaviors are viewed as a set. The system is specifically tuned to unusual processes and anomalous use of Remote Monitoring and Management (RMM) tools. Because adversaries frequently live off the land, using legitimate RMM software to maintain persistence, telling authorized IT administration apart from malicious use is a persistent challenge for security teams.
In internal testing, the engine monitored thousands of hosts simultaneously. Routine IT RMM usage typically produces a "low-score constellation" of expected activity, against which the models can isolate RMM executions that deviate from the established baseline. By filtering out the noise of legitimate administrative work, the platform lets analysts concentrate on high-priority leads that indicate a likely adversary presence.
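The scoring-and-aggregation mechanism described in the preceding three paragraphs, as an added illustration in Python. This is not CrowdStrike's code and does not reflect Falcon's real models, rules or weights: each process event is run through a handful of constructed low-fidelity rules (RMM use absent from a host's baseline, RMM launched from a user-writable path or by an Office parent, a shell spawned by an RMM tool, encoded PowerShell, a process unseen in the baseline), every hit gets a score below the alert threshold, and the scores are summed per host. A host whose sum crosses the lead threshold while no single indicator reached the alert threshold is the "zero detect" case. The thresholds, weights, tool lists, baseline and sample telemetry are all assumptions made for the example.

```python
"""Entity-based scoring of endpoint process events. Constructed illustration: the
thresholds, weights, tool lists, baseline and sample telemetry are invented."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

ALERT_THRESHOLD = 1.0  # one indicator at/above this is a conventional alert
LEAD_THRESHOLD = 1.5   # per-host sum at/above this becomes a lead
RMM_TOOLS = {"anydesk.exe", "screenconnect.windowsclient.exe", "teamviewer.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
KNOWN_ATTACK_TOOLS = {"mimikatz.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # lowercase path fragments
# Constructed baseline: sanctioned RMM tools per host, and image names seen fleet-wide.
BASELINE_RMM = {"it-admin-ws": {"screenconnect.windowsclient.exe"}}
BASELINE_PROCESSES = {"services.exe", "svchost.exe", "explorer.exe", "winword.exe", "outlook.exe",
                      "powershell.exe", "cmd.exe", "screenconnect.windowsclient.exe"}

@dataclass
class Event:
    host: str
    process: str   # lowercased image name
    path: str      # full image path
    parent: str    # lowercased parent image name
    cmdline: str = ""

@dataclass
class Indicator:
    host: str
    name: str
    score: float

def score_event(ev: Event) -> list[Indicator]:
    """One low-fidelity indicator per matching rule; only the known-tool rule
    scores high enough to be a classic alert on its own."""
    found: list[Indicator] = []
    def add(name: str, score: float) -> None:
        found.append(Indicator(ev.host, name, score))
    path = ev.path.lower()
    if ev.process in RMM_TOOLS:
        if ev.process in BASELINE_RMM.get(ev.host, set()):
            add("rmm_baseline_use", 0.1)        # expected admin use: scored, but low
        else:
            add("rmm_new_to_host", 0.6)         # first RMM use seen on this host
        if any(frag in path for frag in USER_WRITABLE):
            add("rmm_user_writable_path", 0.5)  # not run from an install directory
        if ev.parent in OFFICE_APPS:
            add("rmm_office_parent", 0.7)       # launched from a document
    if ev.process in SHELLS and ev.parent in RMM_TOOLS:
        add("shell_spawned_by_rmm", 0.6)        # remote operator running commands
    if ev.process == "powershell.exe" and "-enc" in ev.cmdline.lower():
        add("encoded_powershell", 0.8)
    if ev.process in KNOWN_ATTACK_TOOLS:
        add("known_attack_tool", 1.5)           # high fidelity: a normal alert
    elif ev.process not in BASELINE_PROCESSES and ev.process not in RMM_TOOLS:
        add("process_unseen_in_baseline", 0.4)
    return found

def aggregate_by_host(events: list[Event]) -> dict[str, dict]:
    """Sum indicator scores per host (the entity) and classify the host."""
    per_host: dict[str, list[Indicator]] = defaultdict(list)
    for ev in events:
        for ind in score_event(ev):
            per_host[ind.host].append(ind)
    summary = {}
    for host, inds in per_host.items():
        total = round(sum(i.score for i in inds), 2)
        peak = max(i.score for i in inds)
        if peak >= ALERT_THRESHOLD:
            verdict = "alert"   # one indicator was enough by itself
        elif total >= LEAD_THRESHOLD:
            verdict = "lead"    # zero detect: only the sum crosses the bar
        else:
            verdict = "noise"   # low-score constellation, not surfaced
        summary[host] = {"total": total, "peak": peak, "verdict": verdict,
                         "indicators": [i.name for i in inds]}
    return summary

def zero_detect_leads(events: list[Event]) -> list[str]:
    return sorted(h for h, s in aggregate_by_host(events).items() if s["verdict"] == "lead")

# Constructed sample telemetry; paths and command lines are made up.
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("it-admin-ws", "screenconnect.windowsclient.exe", SC, "services.exe"),
    Event("it-admin-ws", "screenconnect.windowsclient.exe", SC, "services.exe"),
    Event("it-admin-ws", "powershell.exe", PS, "screenconnect.windowsclient.exe", r"-File C:\scripts\inv.ps1"),
    Event("fin-laptop-07", "anydesk.exe", r"C:\Users\bob\Downloads\invoice\AnyDesk.exe", "winword.exe"),
    Event("fin-laptop-07", "powershell.exe", PS, "anydesk.exe", "-nop -w hidden -enc SQBFAFgA"),
    Event("hr-laptop-02", "teamviewer.exe", r"C:\Program Files\TeamViewer\TeamViewer.exe", "explorer.exe"),
    Event("build-01", "mimikatz.exe", r"C:\Temp\mimikatz.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for host, s in aggregate_by_host(SAMPLE_EVENTS).items():
        print(f"{host:14} {s['verdict']:6} total={s['total']:<4} peak={s['peak']} {s['indicators']}")
```

Running it prints one line per host. The IT workstation's sanctioned ScreenConnect runs plus one scripted PowerShell child sum to 0.8 and stay noise; the HR laptop's lone first-time TeamViewer launch (0.6) stays noise too; the build server's known tool fires an ordinary alert on a single indicator; and only the finance laptop, where no indicator reached 1.0 but the cluster sums to 3.2, is surfaced as a zero-detect lead. The hand-set weights stand in for what the article says are learned models, and the entity key here is the host because that is the example the article gives; the same aggregation could be keyed on a user or other entity.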
This development reflects a broader industry shift toward behavioral analysis and automated triage to counter alert fatigue. When security teams face millions of events per hour, rule-based detection is often tuned down or its alerts suppressed to keep volume manageable, which inadvertently creates gaps an attacker can exploit. By using AI to correlate low-fidelity signals, platforms like Falcon aim to give earlier visibility into sophisticated threats before they escalate into full-scale breaches.