Document retrieval using internal dictionary-hierarchies to adjust per-subject match results
US-2015134666-A1 · May 14, 2015 · US
US10264014B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10264014-B2 |
| Application number | US-201514928512-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 30, 2015 |
| Priority date | Mar 15, 2013 |
| Publication date | Apr 16, 2019 |
| Grant date | Apr 16, 2019 |
Official abstract text for this publication.
In various embodiments, systems, methods, and techniques are disclosed for generating a collection of clusters of related data from a seed. Seeds may be generated based on seed generation strategies or rules. Clusters may be generated by, for example, retrieving a seed, adding the seed to a first cluster, retrieving a clustering strategy or rules, and adding related data and/or data entities to the cluster based on the clustering strategy. Various cluster scores may be generated based on attributes of data in a given cluster. Further, cluster metascores may be generated based on various cluster scores associated with a cluster. Clusters may be ranked based on cluster metascores. Various embodiments may enable an analyst to discover various insights related to data clusters, and may be applicable to various tasks including, for example, tax fraud detection, beaconing malware detection, malware user-agent detection, and/or activity trend detection, among various others.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method comprising: generating, based on a plurality of captured communications, a filtered collection of captured communications by selecting captured communications that include a user-agent string and removing captured communications with destinations on an approved list of destinations, wherein the approved list of destinations indicate destinations that are unlikely to be related to malware activity; determining, based on the filtered collection of captured communications, a first set of captured communications associated with a test time period and a second set of captured communications associated with a reference time period; identifying a first captured communication in the first set that is not included among the second set of captured communications, wherein the first captured communication indicates a new user-agent string not previously associated with the reference time period; and designating the new user-agent string as a seed; and generating a data item cluster based on the seed, wherein generating the data item cluster comprises: adding the seed to the data item cluster; and adding to the data item cluster one or more user-agent-related data items determined to be associated with the seed, wherein the one or more user-agent-related data items comprises information associated with a computing device.
2. The computer-implemented method of claim 1, wherein the one or more user-agent-related data items further include at least one of: a user of a particular computing device, an internal Internet Protocol address, an external Internet Protocol address, an external domain, an internal computing device, an external computing device, or a host-based event.
3. The computer-implemented method of claim 2, further comprising: identifying the one or more user-agent-related data items based at least on a clustering strategy, wherein the clustering strategy queries one or more cluster data sources to determine at least one of: originating host or destination computing devices associated with the seed, users of originating host computing devices, intrusion prevention system alerts associated with originating host computing devices, internal Internet Protocol addresses associated with originating host computing devices, external Internet Protocol addresses associated with destination computing devices, or external domains associated with the first captured communication.
4. The computer-implemented method of claim 1, further comprising: determining a score for the data item cluster; and causing presentation of the data item cluster and the score in a user interface of a client computing device.
5. The computer-implemented method of claim 1, wherein generating, based on the plurality of captured communications, the filtered collection of captured communications further includes removing captured communications with respective user-agent strings on an approved list of user-agent strings, wherein the approved list of user-agent strings indicate communications that are unlikely to be related to malware activity.
6. The computer-implemented method of claim 1, wherein generating, based on the plurality of captured communications, the filtered collection of captured communications further includes removing captured communications associated with a particular external computer system, wherein the particular external computer system is unlikely to be related to malware activity.
7. The computer-implemented method of claim 1, further comprising: identifying a quantity of appearances of the new user-agent string in corresponding captured communications among the first set of captured communications; and determining the quantity is below a predetermined threshold.
8. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by a computer system, configure the computer system to perform operations comprising: generating, based on a plurality of captured communications, a filtered collection of captured communications by selecting captured communications that include a user-agent string and removing captured communications with respective user-agent strings on an approved list of user-agent strings, wherein the approved list of destinations indicate destinations that are unlikely to be related to malware activity; determining, based on the filtered collection of captured communications, a first set of captured communications associated with a test time period and a second set of captured communications associated with a reference time period; identifying a first captured communication in the first set that is not included among the second set of captured communications, wherein the first captured communication indicates a new user-agent string not previously associated with the reference time period; and designating the new user-agent string as a seed; and generating a data item cluster based on the seed, wherein generating the data item cluster comprises: adding the seed to the data item cluster; and adding to the data item cluster one or more user-agent-related data items determined to be associated with the seed, wherein the one or more user-agent-related data items comprises information associated with a computing device.
9. The non-transitory computer-readable storage medium of claim 8, wherein the one or more user-agent-related data items further include at least one of: a user of a particular computing device, an internal Internet Protocol address, an external Internet Protocol address, an external domain, an internal computing device, an external computing device, or a host-based event.
10. The non-transitory computer-readable storage medium of claim 8, wherein the computer-executable instructions further configure the computer system to perform operations comprising: determining a score for the data item cluster; and causing presentation of the data item cluster and the score in a user interface of a client computing device.
11. The non-transitory computer-readable storage medium of claim 8, wherein generating, based on the plurality of captured communications, the filtered collection of captured communications further includes removing captured communications with destinations on an approved list of destinations, wherein the approved list of destinations indicate destinations that are unlikely to be related to malware activity.
12. The non-transitory computer-readable storage medium of claim 8, wherein the computer-executable instructions further configure the computer system to perform operations comprising: identifying a quantity of appearances of the new user-agent string in corresponding captured communications among the first set of captured communications; and determining the quantity is below a predetermined threshold.
13. A computer system comprising: one or more computer readable storage devices configured to store: a plurality of captured communications between an internal network and an external network; and a plurality of user-agent-related data items, wherein a data item of the plurality of user-agent-related data items comprises information associated with a computing device; one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute computer executable instructions in order to cause the one or more hardware computer processors to: generate, based on the plurality of captured communications, a filtered collection of captured communications by selecting captured communications that include a user-agent string; determine, based on the fi
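The seed-and-cluster procedure of claims 1 through 7, worked through as a Python example added here (it is not code from the patent or its assignee): it filters constructed proxy-style records, keeps user-agent strings that are new to the test period and appear fewer than a threshold number of times, and builds a cluster of related data items around each seed. The record field names, sample values, period boundaries and the scoring rule are assumptions.

```python
from collections import Counter

def rec(ts, host, user, src_ip, dst, dst_ip, ua=None):
    """One captured communication (proxy-log style record); field names are assumed."""
    return {"ts": ts, "host": host, "user": user, "src_ip": src_ip, "dst": dst, "dst_ip": dst_ip, "ua": ua}

# Constructed sample records, not real traffic. Reference period: Mar 1-7; test period: Mar 8-14.
CAPTURED = [
    rec("2015-03-02", "ws-01", "alice", "10.0.0.5", "news.example.com", "203.0.113.10", "Mozilla/5.0 Firefox/36.0"),
    rec("2015-03-03", "ws-02", "bob", "10.0.0.6", "news.example.com", "203.0.113.10", "Mozilla/5.0 Chrome/41.0"),
    rec("2015-03-09", "ws-01", "alice", "10.0.0.5", "news.example.com", "203.0.113.10", "Mozilla/5.0 Firefox/36.0"),
    rec("2015-03-10", "ws-03", "carol", "10.0.0.7", "sync.example-bad.test", "198.51.100.7", "Sync Agent 1.0"),
    rec("2015-03-11", "ws-03", "carol", "10.0.0.7", "sync.example-bad.test", "198.51.100.7", "Sync Agent 1.0"),
    rec("2015-03-11", "ws-04", "dave", "10.0.0.8", "update.example.org", "203.0.113.20", "Updater/9.9"),
    rec("2015-03-12", "ws-05", "erin", "10.0.0.9", "files.example.com", "203.0.113.30"),  # no UA: dropped
    rec("2015-03-12", "mon-01", "svc", "10.0.0.2", "metrics.example.com", "203.0.113.40", "InternalMonitor/2.1"),
] + [rec("2015-03-1%d" % d, "ws-1%d" % d, "user%d" % d, "10.0.1.%d" % d, "news.example.com",
         "203.0.113.10", "Mozilla/5.0 Chrome/42.0") for d in range(5)]  # new browser build, widely seen
APPROVED_DESTINATIONS = {"update.example.org"}  # claim 1: destinations unlikely to be malware-related
APPROVED_USER_AGENTS = {"InternalMonitor/2.1"}  # claim 5: user-agent strings unlikely to be malware-related

def filter_comms(comms, approved_dst=APPROVED_DESTINATIONS, approved_ua=APPROVED_USER_AGENTS):
    """Keep only records carrying a user-agent string, then drop approved destinations and UAs."""
    return [c for c in comms if c["ua"] and c["dst"] not in approved_dst and c["ua"] not in approved_ua]

def find_seeds(filtered, ref_start, test_start, test_end, threshold):
    """Claims 1 and 7: UA strings seen in the test period but absent from the reference period,
    kept as seeds only when their test-period count is below the threshold (ISO dates compare as text)."""
    reference = {c["ua"] for c in filtered if ref_start <= c["ts"] < test_start}
    test_counts = Counter(c["ua"] for c in filtered if test_start <= c["ts"] <= test_end)
    return sorted(ua for ua, n in test_counts.items() if ua not in reference and n < threshold)

def build_cluster(seed, filtered):
    """Claims 1-4: the seed plus user-agent-related data items (hosts, users, internal and
    external IPs, external domains) taken from every filtered record that carries the seed UA."""
    fields = {"hosts": "host", "users": "user", "internal_ips": "src_ip", "external_ips": "dst_ip", "external_domains": "dst"}
    cluster = {"seed": seed, **{k: set() for k in fields}}
    for c in filtered:
        if c["ua"] == seed:
            for key, col in fields.items():
                cluster[key].add(c[col])
    # Assumed scoring rule for claim 4: number of distinct related items (wider spread scores higher).
    cluster["score"] = sum(len(cluster[k]) for k in fields)
    return cluster

def detect(comms=CAPTURED, threshold=3):
    """Filter, seed, cluster, then rank clusters by score (highest first)."""
    filtered = filter_comms(comms)
    seeds = find_seeds(filtered, "2015-03-01", "2015-03-08", "2015-03-14", threshold)
    return sorted((build_cluster(s, filtered) for s in seeds), key=lambda c: -c["score"])
```

With the sample data only "Sync Agent 1.0" becomes a seed: the new Chrome build is excluded by the count threshold, the monitoring agent by the approved user-agent list, and the updater by the approved destination list.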
CPC classification titles:
- Credit; Loans; Processing thereof
- Entity relationship models
- Filtering based on additional data, e.g. user or group profiles (filtering in web context G06F16/9535, G06F16/9536)
- Visual data mining; Browsing structured data
- Grouping and aggregation