A system and method for generating policies for investigating cyber-security attacks are provided. The method includes selecting at least one entity of interest (EoI); determining at least one detection event associated with the at least one EoI; processing the at least one detection event to create a plurality of investigation rules, wherein each of the plurality of investigation rules includes a set of filters utilized to identify malicious activity related the at least one EoI; and defining an investigation policy for the EoI, wherein the defined investigation policy includes the plurality of investigation rules.