Incident concatenation/non explicit first seen data
Divine Okwudili
Huntress appears to combine detections that share a common category, such as the same user, location, or VPN-related activity, into a single incident over time. While this helps reduce alert noise, it can make investigations more challenging. Specifically, when additional detections are correlated into an existing incident, the incident continues to display the original First Seen timestamp rather than providing a separate First Seen value for each newly correlated detection. This can make it difficult to quickly determine when the latest activity occurred, as a recently added detection may appear under an incident whose First Seen date is weeks or months old. It would be helpful if correlated detections displayed their own First Seen timestamps more prominently, or if the incident view made it easier to identify the most recent activity without having to manually review the timeline.
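As an added example, not part of the original post and not Huntress's own code or data model: the snippet below shows why a First Seen-only view hides recent activity. It folds detections that share a key (user and category) into one incident, keeps the incident's First Seen fixed, and separately tracks Last Seen so that an incident opened months ago still surfaces its newest detection. The detection fields, the 90-day correlation window and the sample detections are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Detection:
    """One detection as it might appear in an export; field names are assumed."""
    id: str
    user: str
    category: str            # e.g. "vpn", "impossible-travel", "login"
    seen_at: datetime


@dataclass
class Incident:
    key: tuple
    first_seen: datetime     # fixed once the incident exists (the behaviour the post describes)
    last_seen: datetime      # the value the post wants shown prominently
    detections: list = field(default_factory=list)


def correlate(detections, window=timedelta(days=90)):
    """Fold detections sharing (user, category) into one incident as long as each
    new detection lands within `window` of the incident's latest activity.
    The 90-day window is an assumption for this example, not a documented value."""
    incidents = []
    open_by_key = {}
    for d in sorted(detections, key=lambda x: x.seen_at):
        key = (d.user, d.category)
        inc = open_by_key.get(key)
        if inc is None or d.seen_at - inc.last_seen > window:
            inc = Incident(key=key, first_seen=d.seen_at, last_seen=d.seen_at)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.detections.append(d)
        inc.last_seen = d.seen_at   # input is sorted, so this is the maximum
    return incidents


def latest_detection(incident):
    """The detection an analyst actually needs to look at first."""
    return max(incident.detections, key=lambda d: d.seen_at)


def recently_active_old_incidents(incidents, now, recent=timedelta(days=7)):
    """Incidents whose First Seen is older than `recent` but whose Last Seen is
    inside it: exactly the ones a First Seen-only listing makes easy to miss."""
    return [i for i in incidents
            if now - i.last_seen <= recent and now - i.first_seen > recent]


def ts(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data for the example, not real telemetry.
NOW = ts("2024-03-14T09:00:00")
SAMPLE_DETECTIONS = [
    Detection("d1", "alice", "vpn", ts("2024-01-05T08:12:00")),
    Detection("d2", "alice", "vpn", ts("2024-01-20T22:40:00")),
    Detection("d3", "bob", "login", ts("2024-03-12T03:15:00")),
    Detection("d4", "alice", "vpn", ts("2024-03-10T19:05:00")),
]

if __name__ == "__main__":
    incidents = correlate(SAMPLE_DETECTIONS)
    for inc in incidents:
        print(f"{inc.key}: first_seen={inc.first_seen:%Y-%m-%d} "
              f"last_seen={inc.last_seen:%Y-%m-%d} "
              f"latest={latest_detection(inc).id} n={len(inc.detections)}")
    for inc in recently_active_old_incidents(incidents, NOW):
        print(f"recent activity on old incident {inc.key}: "
              f"opened {inc.first_seen:%Y-%m-%d}, newest {inc.last_seen:%Y-%m-%d}")
```

Sorting the whole set by First Seen, as the incident list does, puts the alice VPN incident at the top with a January date even though its newest detection is from March; sorting or filtering on Last Seen instead is what makes the recent activity visible without walking the timeline.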