What do threat gen searches produce?


Threat gen searches are specifically designed to identify and extract threat intelligence data directly from various input sources. The primary output of threat generation searches is a set of events that reflect potential threats, which are stored in the threat_activity index. This index serves as a centralized repository of these threat events, enabling security analysts to quickly review and respond to threats identified during these searches.

The nature of events produced in the threat_activity index is crucial, as they are actionable and provide an overview of suspicious activities within the environment. This allows organizations to proactively address security issues and reinforces the importance of monitoring and analyzing threat intelligence in real-time.

In contrast, while threat intel in KV Store collections is related to managing threat intelligence data, it is not the primary output of threat gen searches. Similarly, threat correlation searches are used to analyze relationships between different events and may leverage the data within the threat_activity index, but they are not the direct product of threat gen searches. Lastly, while notables in the notable index result from high-priority alerts, they are not specifically produced by threat gen searches, which focus more on real-time threat event generation.
