How Daylight's Forensic Investigation Reconstructs the Full Story of a Suspicious Endpoint

Dana Kotler
June 19, 2026
Product

The Alert

CrowdStrike flagged a suspicious domain connection from an employee endpoint. The alert was medium severity - the kind that, at most organizations, gets a reputation check, scores as low risk, and closes within minutes.

The trouble is that a reputation score only tells you what a domain is known for. It doesn't tell you what process made the connection, what the user was doing before and after, whether anything landed on disk, or what the domain actually served at the time of the visit. Most of that context disappears if nobody goes looking for it - and on a medium-severity alert, nobody usually does.

Daylight did - automatically, the moment the alert fired.

The Investigation

This wasn't a fixed playbook running top to bottom. The investigation is agentic - it reasons through a case the way a good analyst would, pulling a thread, seeing what it reveals, and choosing what to examine next based on what it finds, rather than following a script. That adaptiveness is what sets it apart, and it shows in how the case unfolded.

It started with the machine itself: every recent alert on the same endpoint. A single finding can look benign in isolation; against everything else happening on that device, the picture often changes.

From there, Daylight traced the connection back to its originating process - name, path, parent, and command-line arguments. That mattered, because a browser-initiated lookup tells a very different story than the same domain reached by a script under a scheduled task. This one came from a browser - so the investigation followed it there.

It identified the active browser and profile and pulled the full browsing history from the endpoint: the sequence of URLs immediately before and after the flagged domain, reconstructing what the user was actually doing. In parallel, it collected every file written, modified, or downloaded around the time of the alert, directly from the machine - with metadata, hashes, and each file's relationship to the triggering process.

To understand the domain rather than just score it, Daylight scanned and rendered it live, analyzing what it actually served at the moment of the visit, then enriched it with registration data, ASN, passive DNS history, and related infrastructure - the context that reveals whether a domain is freshly registered or tied to a known campaign. Finally, it reviewed the full connection timeline from the endpoint around the alert window, not just the one flagged domain.
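The correlation steps above (process lineage, file writes near the alert, and the browsing sequence around the flagged domain) can be expressed as a small triage routine. This is an added example, not Daylight's code; all telemetry values, process ids, paths and domains are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (all values hypothetical), shaped like the context the
# post describes: process lineage, file writes around the alert, and browser history.
PROCS = {  # pid -> (image name, parent pid, command line)
    4:    ("wininit.exe", 0, "wininit.exe"),
    400:  ("explorer.exe", 4, "explorer.exe"),
    900:  ("svchost.exe", 4, "svchost.exe -k netsvcs -s Schedule"),
    1200: ("chrome.exe", 400, "chrome.exe --profile-directory=Default"),
    1300: ("wscript.exe", 900, "wscript.exe C:\\Tasks\\sync.vbs"),
}
T0 = datetime(2026, 6, 19, 14, 2, 10)  # alert time (constructed)
FILES = [  # (write time, writing pid, path)
    (T0 + timedelta(seconds=3), 1200, "C:\\Users\\u\\Downloads\\brochure.pdf"),
    (T0 + timedelta(minutes=9), 1300, "C:\\Tasks\\sync.log"),
    (T0 - timedelta(hours=2), 1200, "C:\\Users\\u\\Downloads\\old.zip"),
]
HISTORY = [  # (visit time, url) from the active browser profile
    (T0 - timedelta(seconds=40), "https://news.example/article"),
    (T0 - timedelta(seconds=5), "https://example-newsletter.example/click"),
    (T0, "https://promo-new.example/"),
    (T0 + timedelta(seconds=2), "https://vendor.example/landing"),
]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def ancestry(pid):
    """Return the pid chain from the process up to the root by following parent pointers."""
    chain = []
    while pid in PROCS:
        chain.append(pid)
        pid = PROCS[pid][1]
    return chain

def classify_origin(pid):
    """Browser-initiated vs. launched under the Task Scheduler host, judged on the whole lineage."""
    chain = ancestry(pid)
    if PROCS[chain[0]][0] in BROWSERS:
        return "browser-initiated"
    if any("-s Schedule" in PROCS[p][2] for p in chain):
        return "scheduled-task"
    return "other"

def files_near_alert(pid, window=timedelta(minutes=10)):
    """File writes by the triggering process within +/- window of the alert time."""
    return sorted(path for t, p, path in FILES if p == pid and abs(t - T0) <= window)

def history_around(domain, before=2, after=1):
    """URLs visited immediately before and after the flagged domain, in visit order."""
    urls = [u for _, u in sorted(HISTORY)]
    idx = next(i for i, u in enumerate(urls) if domain in u)
    return urls[max(0, idx - before):idx], urls[idx + 1:idx + 1 + after]

def build_case(pid, domain):
    """Assemble the context an analyst would want before judging the alert."""
    return {"origin": classify_origin(pid),
            "lineage": [PROCS[p][0] for p in ancestry(pid)],
            "files": files_near_alert(pid),
            "history": history_around(domain)}
```

Running `build_case(1200, "promo-new.example")` yields a browser-initiated origin, one download within the window, and the referring page before the flagged domain; the same domain reached from pid 1300 classifies as scheduled-task instead.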

The Determination

By the time a Daylight analyst opened the case, the full picture was already assembled. The connection was browser-initiated, traced to an ordinary user session; the surrounding history showed the user following a link from a legitimate page to a newly registered domain that, when rendered live, served only a benign redirect. No files of concern landed on disk, no persistence was established, and nothing else on the endpoint corroborated a threat. The finding was closed as benign - with the evidence to back it, not a guess against a reputation feed.

The customer received a determination with the full reasoning behind it - ready to act on, or file away.
