Using Stealthwatch and the Management Console, what I'd suggest you do is look at the 'Top Alarming Hosts' and 'Cognitive Threat Analytics' widgets.
Top Alarming Hosts offers a list of the top alarming hosts based on all alerts and how Stealthwatch alerting has been tuned. Alerts contribute to a numeric score and the hosts with the highest score are ranked in that widget. It's updated every couple of minutes. Hosts listed are often 'inside' and as such most of the detections there are 'lateral' or 'east-west' (about activity between hosts inside your protected network).
The Cognitive widget provides risk scores based on analysis of data that your Flow Collector sent to the Cisco Cloud. This extends the analysis to include external hosts (or north-south connectivity).
Through a service that uses the Stealthwatch APIs you can export data about either Top Alarming Hosts or Cognitive Threat Analytics to your own external programs or databases.
Using the Stealthwatch 'Response Management' capability, an admin can define specific alerts that will produce additional responses (send a Syslog, send an email, etc.). Those alert on specific conditions and the suggestion is that those be used when looking for (or 'hunting') specific evidence of some investigation.
I hope this helps. We're always looking to improve those videos (if it came from the Cisco Stealthwatch team).
Brian
Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.