About Usecases

In Raven, usecases are pre-defined scripts that are designed to look for specific anomalies in datasets coming from various sources such as AWS CloudTrail or Windows event log data. These usecases are based on the MITRE ATT&CK framework, which is a globally recognized knowledge base of adversary tactics and techniques.

Usecases are also used for monitoring cloud cost. These cloud-cost-usecases are unique to the CloudCostManagement app in Raven. The CloudCostManagement app gives insight into your cloud cost, and provides advice on how to lower the cloud cost.

Each usecase is designed to detect specific adversary tactics and techniques and can be used to identify suspicious behaviour in your system or network logs. For example, there are usecases that can detect brute-force attacks, lateral movement, and data exfiltration attempts.

A large number of failed login attempts in a short time from a specific computer is indicative of a brute-force attempt to crack a password. Likewise, requests for information stored in browsers (such as cookies and passwords) or access to Active Directory are indicative of credential access. These are patterns we can detect.

Usecases are based on event id or certain patterns of behaviour. When a usecase finds a match in the dataset, it will trigger an alert, notifying you of the potentially suspicious behaviour. The alerts can be sent to various notification channels such as email, Slack, or other messaging platforms, depending on your configuration.

Generating alerts from usecases

Every alert contains a detection_id that refers to the specific usecase that triggered it, an alert_id unique to the alert, a title and a description of the detected anomaly, and a severity level, so that an appropriate response can be made once the alert is received.

An alert also contains the data by which the alert was triggered under events, the time at which it occurred under occurrences and date, optional references for more information about the anomaly, observables to be able to relate one alert to others and a tactic and technique based on the MITRE ATT&CK framework.
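The following is an added example, not Raven's own code, that ties the two passages above together: it runs the failed-login pattern described earlier (many failed logons from one computer in a short window) over a handful of constructed Windows-style events and emits an alert carrying the fields this page lists (detection_id, alert_id, title, description, severity, events, occurrences, date, references, observables, tactic, technique). The event shape, the threshold and window defaults, the severity value "medium" and the detection_id placeholder are all assumptions made for the example; only Windows event ID 4625 (failed logon), 4624 (successful logon) and the ATT&CK tactic/technique names are real.

```python
"""Hypothetical failed-logon-burst usecase producing a Raven-style alert.
Added example; field names follow the page, everything else is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import uuid

# Constructed sample events (not real log data). Windows event ID 4625 is
# "An account failed to log on"; 4624 is a successful logon.
SAMPLE_EVENTS = [
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:00:00"},
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:00:20"},
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:00:45"},
    {"event_id": 4624, "computer": "WS-01", "user": "bob",   "timestamp": "2024-05-01T10:01:00"},
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:01:10"},
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:01:30"},
    {"event_id": 4625, "computer": "WS-02", "user": "carol", "timestamp": "2024-05-01T10:02:00"},
    # A lone late failure on WS-01: outside the 5-minute window, must not count.
    {"event_id": 4625, "computer": "WS-01", "user": "alice", "timestamp": "2024-05-01T10:20:00"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(value)


def build_alert(detection_id, title, description, severity, events,
                tactic, technique, references=(), observables=()):
    """Assemble an alert with the fields the page describes.

    occurrences is the number of matched events; date is the time of the
    latest matched event; observables let this alert be related to others.
    """
    times = sorted(parse_ts(e["timestamp"]) for e in events)
    return {
        "detection_id": detection_id,
        "alert_id": str(uuid.uuid4()),
        "title": title,
        "description": description,
        "severity": severity,
        "events": list(events),
        "occurrences": len(events),
        "date": times[-1].isoformat(),
        "references": list(references),
        "observables": list(observables),
        "tactic": tactic,
        "technique": technique,
    }


def detect_failed_logon_burst(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window over failed logons (4625) grouped per computer.

    Emits at most one alert per computer, the first time `threshold`
    failures fall inside `window`. Threshold and window are assumed values.
    """
    failed = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failed[e["computer"]].append(e)

    alerts = []
    for computer, evs in failed.items():
        evs.sort(key=lambda e: parse_ts(e["timestamp"]))
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while parse_ts(evs[end]["timestamp"]) - parse_ts(evs[start]["timestamp"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append(build_alert(
                    detection_id="UC-HYPOTHETICAL-0001",  # placeholder usecase id
                    title=f"Failed logon burst on {computer}",
                    description=f"{len(burst)} failed logons (event ID 4625) on "
                                f"{computer} within {window}.",
                    severity="medium",  # assumed severity scale
                    events=burst,
                    tactic="Credential Access",
                    technique="T1110 Brute Force",
                    observables=[computer] + sorted({e["user"] for e in burst}),
                ))
                break  # one alert per computer
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logon_burst(SAMPLE_EVENTS):
        print(alert["title"], "-", alert["occurrences"], "events at", alert["date"])
```

With the sample data, only WS-01 crosses the threshold (five failures within ninety seconds); the successful 4624 logon in between is ignored, WS-02's single failure stays below the threshold, and the late 10:20 failure on WS-01 falls outside the window. Raising the threshold to 7 yields no alert at all.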

Platform specific usecases

Usecases can be both platform-specific and cross-platform. By combining data from various platforms we can look for more specific patterns.

The number of available usecases is growing every day. We offer usecases for:

  • Office365
  • Azure
  • Windows Defender
  • Various AWS services
  • And many more...