
Detection User Documentation

Purpose: For a comprehensive understanding of Detections and their potential benefits, please refer to the following documentation. It provides detailed insights into what Detections are and how they can be of use to your team.
Created: October 16, 2023

What are Detections?

In the Raven Portal, Detections are like specialized detectors designed to spot specific anomalies in data from various sources, such as AWS CloudTrail or Windows event logs.

They are inspired by the MITRE ATT&CK framework, a recognized guide to how cyber adversaries operate.

Detections in Raven play a crucial role in enhancing security and efficiency.

Detections are crucial for uncovering unusual behaviors that might signal security issues. They check data from platforms like AWS CloudTrail and Windows event logs. These scripts are fine-tuned using the MITRE ATT&CK framework, a comprehensive reference for understanding how cyber threats work.

For more information on the MITRE ATT&CK framework, follow the link below:

Learn more about the MITRE ATT&CK framework

They act like digital security guards, watching for events such as too many failed login attempts or suspicious data movements. When they find something unusual, they trigger an alert so the team can react.
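As an added illustration (not the Raven Portal's own code or data schema), the "too many failed login attempts" case described above can be expressed as detection logic run over constructed Windows Security events: the event field names, the placeholder detection id, and the threshold and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (4625 = failed logon, 4624 = successful logon).
# Field names are illustrative and not the Raven Portal's schema.
SAMPLE_EVENTS = [
    {"ts": "2023-10-16T08:00:01", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:00:07", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:00:12", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:00:20", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:00:31", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:00:40", "event_id": 4624, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2023-10-16T08:15:00", "event_id": 4625, "user": "asmith", "src_ip": "10.0.0.9"},
    {"ts": "2023-10-16T09:30:00", "event_id": 4625, "user": "asmith", "src_ip": "10.0.0.9"},
]


def failed_logon_detection(events, threshold=5, window_minutes=10):
    """Count failed logons (4625) per (user, source IP) in a sliding time window and
    emit one alert per offender once the threshold is reached inside the window.
    Two sporadic failures hours apart therefore do not alert; a burst does."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 4625:
            failures[(ev["user"], ev["src_ip"])].append(datetime.fromisoformat(ev["ts"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (user, src_ip), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until all counted failures fall inside it.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "detection_id": "DET-EXAMPLE-001",  # placeholder id, not a real one
                    "title": "Excessive failed logons",
                    "sensitivity": "medium",
                    "mitre_technique": "T1110",  # ATT&CK: Brute Force
                    "user": user,
                    "src_ip": src_ip,
                    "count": end - start + 1,
                    "first_seen": times[start].isoformat(),
                    "last_seen": t.isoformat(),
                })
                break  # one alert per offender per run
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_detection(SAMPLE_EVENTS):
        print(alert)
```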

Detections can work on a specific platform or across multiple platforms. The catalog keeps growing, so you get new ones for services like Office365, Azure, Windows Defender, AWS, and more.

Interacting with Detections

You can access the full catalog of Detections by navigating to the "Detection" app in the Portal. This area provides an overview of all the Detections tailored for your team's needs.

For each Detection, you'll find essential details such as its Name, Description, and the last time it was executed. On the right-hand side, there's information on the interval of its last run, and a three-dot button that provides options to execute or deactivate the Use Case.

When you click on a specific Detection, you gain access to in-depth information, including the Detection Id, Title, Description, Sensitivity, the next scheduled run, interval, Status, and its category.

Towards the bottom of the tab, you'll find three sections:

  1. Alerts: This area displays all the Alerts generated by the Detection, giving you an insight into any potential issues detected.

  2. Configuration: It showcases the Detection's Name and Description, helping you understand the purpose of this specific script.

  3. Help: This section serves as a helpful resource, providing guidance and documentation to assist you in understanding and managing the Detection effectively.

Lastly, at the top right corner there is a "Configure" button which lets you edit the Detection Name and Description.