Raven Detections
| Purpose | For a comprehensive understanding of Detections and their potential benefits, please refer to the following documentation. It provides detailed insights into what Detections are and how they can be instrumental in your team. |
|---|
| Last Updated | November 8, 2024 |
|---|
What are Detections
Detections are customizable, rule-based scripts designed to monitor data sources, such as AWS CloudTrail or Windows event logs, for specific events or conditions. These scripts run on a predetermined schedule, scanning tables for new events that match defined criteria. When these conditions are met, detections generate alerts, enabling timely responses to potential security issues or operational anomalies.
Detections can incorporate techniques and tactics inspired by the MITRE ATT&CK framework, a widely used resource that outlines adversary behaviors. However, detections are not strictly based on this framework; they are customizable and adaptable, allowing analysts to define rules and conditions tailored to specific security policies or potential threats.
For more information on the MITRE ATT&CK framework follow link below:
They act like digital security guards, watching for things like too many failed login attempts or suspicious data movements. When they find something unusual, they trigger an alert which helps the team react.
Detections are designed to function on specific platforms or across multiple platforms. They are enriched by DTACT's team of data engineers and customized to align with the unique requirements of each organization. This tailored approach ensures precise and effective detections for services such as Office365, Azure, Windows Defender, AWS, and others.
Selecting an Existing Detection from the Library
To add a new detection in the Raven Portal, click the + Detection button located at the top-right corner of the main interface. This opens a popup where you can select the Detection Brick from a list of previously created Bricks, allowing you to choose the specific Detection that best suits your needs.
Detection Version Information
- Version: This is the latest version of the detection brick.
- Active Version: This could be an older version, but it's the version currently set for the detection brick.
- Latest Version Updated: This refers to the most recent update of the detection brick.
- Updated: This shows when the latest or current version of the brick was last updated.
For a step-by-step example of setting up a detection within the Brick Manager, refer to this guide:
Interacting with Detections
Detections App Overview
The Detections app can be found in the Insight Module.
This page provides users with an overview of all created detections. Each detection is presented with detailed information, offering valuable insights to help users monitor and manage them efficiently. The displayed details for each detection include:
- Sensitivity: The level of sensitivity assigned to the detection.
- Name: The unique identifier for the detection.
- Error badge: Only shows if there is an error in the detection.
- Description: A summary of what the detection monitors.
- Schedule: The date and time when the detection is set to run next.
- Next Run:Indicates the time for the detection's next execution and highlights any factors that might prevent it from running.
- Last Run: The most recent run time of the detection.
Finally, by hovering over the alert and configuration icons at the bottom center of each detection, users can view the number of alerts and configurations associated with each detection.
From the main interface, users can take action on individual detections by clicking on specific fields:
- Enabling or Disabling: Allows users to activate or deactivate a detection.
- Edit Name and Description: Click the current name or description of the detection to edit it. These are 2 separate actions.
- Error Badge: Hover over the badge to view more details about the error, and click it to copy the error to your clipboard. Note that the badge will only appear if an error is present.
- Play Button: Allows the user to manually run the detection.
- Training Mode: When enabled, this mode prevents alerts from being triggered, making it ideal for testing purposes.
- Cog Icon: Displays options to edit the detection's configurations, allowing the user to make adjustments as needed.
- Trash Icon: Enables the user to delete the detection when it is no longer required.
Detection View
Clicking on a detection provides access to detailed information:
More details
- Detection ID: Unique identifier for tracking and managing detections.
- Sensitivity: Defines the detection's strictness, adjusting its response to events.
- Detection Mode: Indicates if the detection is actively monitoring the system.
- Training Mode: Prevents the detection from running to allow for testing and refinement.
Run Details
- Lastest Status: Shows if there are any errors with the detection.
- Last Run: Displays the date and time of the most recent execution.
- Next Run: Shows when the detection is scheduled to run next.
- Schedule: Specifies the detection's run frequency.
Other
- Category: Classifies the detection, helping with organization
- Additional Help: Provides further assistance for managing detections.
Within this detailed view, two key sections offer further insights:
- Alerts: Shows all alerts triggered by this detection, providing insights into potential security or operational issues. Clicking on an alert will direct you to the alerts app for more detailed information.
- Configuration: Displays the detection's parameters, including default values from the brick and any current values reflecting configuration changes for each parameter.
Configuring a Detection
Configuring a detection involves setting parameters that define how the detection runs and what data it uses. Key configuration options are:
- Schedule: The frequency of detection runs is optional and is determined by the brick created in the BM (Brick Manager). The schedule displayed here is inherited from the settings configured in the BM.
- String Parameter: Text-based inputs.
- Secret Parameter: Credentials or sensitive data stored securely.
- Number Parameter: Numeric values used within detection logic.
- Multi-String Parameter: Lists or multiple text values for complex conditions.