Investigation & Research

IP investigations, payload analysis, campaigns, scanner groups, C2 detection, IOCs, and timelines.

Last updated May 2026

Investigating attacker activity

Research → Investigation opens an IP profile aggregating requests, tags, related lures, and analysis actions. Start from Dashboard Recent Threats or Top IPs—rebuilding from raw logs alone wastes time.

Figure: H1VE IP investigation overview with threat metrics and AI assessment. Investigation overview for a malicious IP—threat metrics, H1VE AI classification, and recommended response actions.

Request analysis and payload inspection

Request analysis surfaces headers, methods, paths, and request bodies where they were stored. Payload inspection supports malware-oriented workflows—download the artifacts when the lure captured uploads or exploit chains.

Figure: H1VE lure log request detail with request body. Captured request with source IP, method, path, user agent, request body, and raw request for triage and payload review.

Campaign grouping, scanners, and C2

Scanner fingerprinting merges repetitive scan tooling into admin-maintained groups. Campaign grouping ties IPs and lures together for export. C2 detection runs JARM, OSINT, and KE-LA Control checks—C2 tags are applied only with positive evidence.

IOC extraction and timeline analysis

Export IOCs (IPs, URLs, hashes) for SIEM ingestion. Timeline analysis orders events across lures for the same actor—critical when attackers pivot from a VPN lure to a web clone within minutes.
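A worked illustration of the cross-lure timeline idea, added here and not part of H1VE's own tooling: it groups constructed lure events by source IP, orders each actor's events, and flags an actor that moves from one lure to another within a short window. The JSON-lines field names and the ten-minute pivot window are assumptions, not a documented H1VE export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical JSON-lines layout; field names are assumptions).
# One actor hits the VPN lure and pivots to the web clone about four minutes later;
# a second actor touches both lures, but hours apart.
SAMPLE_EVENTS = """\
{"ts": "2026-05-03T10:00:12Z", "src_ip": "203.0.113.7", "lure": "vpn-portal", "path": "/remote/login"}
{"ts": "2026-05-03T10:00:40Z", "src_ip": "203.0.113.7", "lure": "vpn-portal", "path": "/remote/login"}
{"ts": "2026-05-03T10:04:55Z", "src_ip": "203.0.113.7", "lure": "web-clone", "path": "/wp-login.php"}
{"ts": "2026-05-03T09:10:00Z", "src_ip": "198.51.100.9", "lure": "vpn-portal", "path": "/remote/login"}
{"ts": "2026-05-03T13:30:00Z", "src_ip": "198.51.100.9", "lure": "web-clone", "path": "/admin"}
"""


def parse_events(jsonl):
    """Parse JSON-lines lure events, converting the ISO-8601 'Z' timestamp to a datetime."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def build_timelines(events):
    """Group events by source IP and order each actor's events chronologically."""
    timelines = defaultdict(list)
    for ev in events:
        timelines[ev["src_ip"]].append(ev)
    for ip in timelines:
        timelines[ip].sort(key=lambda e: e["ts"])
    return dict(timelines)


def find_pivots(timeline, window=timedelta(minutes=10)):
    """Return (from_lure, to_lure, seconds) for consecutive hits on different lures inside the window."""
    pivots = []
    for prev, cur in zip(timeline, timeline[1:]):
        gap = cur["ts"] - prev["ts"]
        if prev["lure"] != cur["lure"] and gap <= window:
            pivots.append((prev["lure"], cur["lure"], int(gap.total_seconds())))
    return pivots


def pivoting_actors(jsonl, window=timedelta(minutes=10)):
    """Map each source IP that pivoted between lures within the window to its pivot list."""
    timelines = build_timelines(parse_events(jsonl))
    result = {ip: find_pivots(tl, window) for ip, tl in timelines.items()}
    return {ip: pivots for ip, pivots in result.items() if pivots}
```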

Analyze before block

Run analysis actions on the IP profile before applying the WAF block when you still need the actor's follow-up traffic for C2 validation.