Detections

Purpose	The Detections App enables users to monitor integrated data sources for specific events or conditions, generating alerts to ensure timely responses to security issues and operational anomalies.

Last Updated	March 26, 2025

---

What are Detections?

Detections in Raven are customizable, rule-based, or machine learning scripts designed to monitor your organization’s integrated data sources for specific events or conditions. These scripts run on a predetermined schedule, scanning tables for new events that match defined criteria. When such conditions are met, detections generate alerts, enabling timely responses to potential security issues or operational anomalies.

Unlike generic monitoring tools, Raven Detections operate within the context of your team’s data, ensuring precise alignment with your organization’s unique security policies and operational requirements. They can be tailored to monitor platforms such as AWS CloudTrail, Office365, Azure, Windows Defender, and more. This adaptability ensures that detections provide actionable insights while reducing noise.

Key Features

Customizable Rules

• Define specific conditions for monitoring based on your organization’s needs.
• Incorporate techniques inspired by the MITRE ATT&CK framework while maintaining flexibility to create rules outside of this framework.

Platform-Agnostic Monitoring

• Detections can function on specific platforms or across multiple platforms simultaneously.
• Supported platforms include AWS, Office365, Azure, Windows Defender, and more.

Tailored for Your Organization

• DTACT’s data engineers enrich detections to align with your unique requirements.
• Rules and configurations can be customized to address specific threats or operational challenges.

Alert Generation

• Automatically trigger alerts when detections identify unusual activity, such as failed login attempts or suspicious data movements.
• Alerts are linked to the Alerts App for further investigation.

How to Use Detections

Accessing the Detections App

• Navigate to the Detections App within the Insights module.
• The app provides an overview of all created detections, including detailed information about each detection.

Creating a Detection

1. Click the “+ Detection” button in the top-right corner of the Detections App.
2. Select a Detection Brick from the list of available Bricks.
3. Configure parameters such as name, description, and schedule (if applicable).
4. Save your detection to activate it.

Managing Detections

Overview of Detection Details

Each detection is displayed with key information:

• Name: The unique identifier for the detection.
• Description: A summary of what the detection monitors.
• Sensitivity: The strictness level assigned to the detection.
• Schedule: Indicates when the detection is set to run next.
• Next Run/Last Run: Displays the next scheduled execution and the most recent run time.
• Error Badge: Highlights any errors in the detection (hover for details).

Actions Available

From the main interface, users can:

• Enable or disable detections.
• Edit names and descriptions by clicking directly on them.
• View error details by hovering over error badges.
• Manually run detections using the play button.
• Enable training mode to test detections without triggering alerts.
• Configure detection parameters via the cog icon.
• Delete detections using the trash icon.

Viewing Detection Details

Clicking on a detection provides access to in-depth information:

1. Run Details:

   • Latest Status: Displays any errors encountered during execution.
   • Last Run/Next Run: Shows when the detection last ran and when it is scheduled to run next.
   • Schedule: Specifies how frequently the detection runs.

2. Configuration:

   • View and edit parameters such as schedule, string inputs, secret credentials, numeric values, or multi-string lists.

3. Alerts:

   • Displays all alerts triggered by this detection.
   • Clicking on an alert redirects you to the Alerts App for further analysis.