If you find yourself developing custom detections to fill detection gaps in your environment, you may ask yourself: what does a good alert look like?
As a detection engineer, you must think about your customer: the SOC. Your efforts need to balance two things:
- Detecting threats
- The effort required to respond
The challenge is that these objectives tend to have an inverse relationship. A detection engineer can write detections all day long to detect every possible indication of malicious activity. The result, however, will be an unrealistic volume of events requiring more effort than available capacity.
On the flip side, not sufficiently detecting your attack surface will increase the risk of false negatives and successful breaches.
So, how do you balance this?
1. Develop high fidelity detections that effectively separate benign activity from malicious activity.
This is easier said than done, but this is the core responsibility of a detection engineer. Failure to do this will crush SOC capacity, desensitize analysts, and lead to alert fatigue. How to do this will have to be a subject for another blog. [UPDATE: this one sorta covers it]
2. Provide as many investigative answers in the alert details as possible.
This may be limited to the available logging, but enrichment should be conducted to add context from other log sources or reputational databases. Manual pivots should be minimal.
For today, let’s focus on #2.
What details should we include in the alert?
Strive to include as many of the following details as possible and present them to the analyst in a digestible way.
Detection Context
What is the intent of the detection and why is it important?
Description
- Describe the intent of the detection
- Related MITRE Technique(s)
Origin
- Related Threat Intel Reports
- Related Red Team operations
- Related incidents
Performance
Has this been effective in the past?
- Tested/Validated against true positive activity or attack simulation
Update history
Has the detection undergone periodic modifications to maintain efficacy?
- History of filters/tuning according to observed benign activity
Alert Context
What are the details of the event(s) which occurred that may indicate malicious activity?
This varies dramatically according to the detection and the logging available. In general:
- All fields available in the log(s) the detection logic is evaluating should be included unless they do not provide any useful context.
- Fields available that answer who, what, where, when, how.
- All fields should be normalized according to a consistent data model.
Enrichments
What do we know about the involved assets/users/destinations?
- Recent related alerts
- Details about the impacted User (from a source like a CMDB)
- Details about the impacted Asset (from a source like a CMDB)
- Reputation of public IPs
- Reputation of domains/urls
- Reputation of file hashes
- Prevalence of the alert
- Prevalence of evidence for that alert
Response Context
What are the expected actions an analyst should take to triage?
- Runbook/Playbook/SOP
- Additional Investigative Queries
- Examples of True Positives
- Examples of False Positives
- Remediation Actions
If these details can’t be included in the original alert when it first surfaces, they should be added as quickly as possible with automation. If there are technical limitations preventing this, the resources and any corresponding queries to retrieve this information manually should be provided within the response context.
A good rule of thumb is if certain data is required to determine if the activity is malicious or benign, that data must be provided or easily obtainable by the analyst.
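The four context sections above, assembled into one alert object, as an added example that is not code from the original post. It assumes a constructed Windows process-creation event, constructed CMDB, hash-reputation and alert-history tables, ECS-style field names as the consistent data model, and placeholder rule metadata, runbook URL and investigative query; the final check reports which required details an alert still lacks, which is how the rule of thumb ("data required to decide malicious vs. benign must be provided") can be enforced by automation before the alert reaches an analyst.

```python
"""Assemble a triage-ready alert from a raw detection hit (added example)."""

# Detection context lives with the rule, not the event (placeholder values)
RULE = {
    "id": "PROC-0001",
    "name": "PowerShell launched with an encoded command",
    "description": "Encoded commands hide script content from casual inspection.",
    "mitre": ["T1059.001", "T1027"],
    "origin": {"threat_intel": ["constructed internal report"], "red_team": [], "incidents": []},
    "performance": {"validated_against": "attack simulation (constructed)", "last_validated": "2024-01-01"},
    "update_history": [{"date": "2024-01-15", "change": "excluded known deployment tool"}],
}

# Raw log field -> consistent data model (ECS-style names, an assumption of this example)
FIELD_MAP = {
    "EventTime": "@timestamp",
    "Computer": "host.name",
    "User": "user.name",
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
    "Hashes": "process.hash.sha256",
}

# Constructed enrichment sources standing in for a CMDB and a reputation service
CMDB_ASSETS = {"WS-0042": {"owner": "finance", "criticality": "high", "os": "Windows 11"}}
CMDB_USERS = {"jdoe": {"department": "finance", "title": "analyst", "admin": False}}
HASH_REPUTATION = {"ab" * 32: {"verdict": "unknown", "source": "constructed"}}

# Fields an analyst needs to reach a verdict; anything missing is reported by missing_context()
REQUIRED = {
    "alert_context": ["@timestamp", "host.name", "user.name", "process.command_line"],
    "enrichments": ["asset", "user", "alert_prevalence"],
    "response_context": ["runbook", "queries"],
}

def normalize(raw: dict) -> dict:
    """Rename fields per the data model; unmapped fields keep their raw name."""
    return {FIELD_MAP.get(k, k): v for k, v in raw.items()}

def enrich(event: dict, history: list[dict]) -> dict:
    """Answer 'what do we know about the host, user and evidence?' from local sources."""
    host, user = event.get("host.name"), event.get("user.name")
    cmd = event.get("process.command_line")
    return {
        "asset": CMDB_ASSETS.get(host, {}),
        "user": CMDB_USERS.get(user, {}),
        "hash_reputation": HASH_REPUTATION.get(event.get("process.hash.sha256"), {"verdict": "unknown", "source": "no match"}),
        "recent_alerts_on_host": [h["rule_id"] for h in history if h["host.name"] == host],
        # how often this rule fires at all, and on how many distinct hosts this exact evidence appears
        "alert_prevalence": sum(1 for h in history if h["rule_id"] == RULE["id"]),
        "evidence_prevalence": len({h["host.name"] for h in history if h.get("process.command_line") == cmd}),
    }

def response_context(event: dict) -> dict:
    """What the analyst should do next; the runbook URL and query are placeholders."""
    return {
        "runbook": "https://runbooks.example.invalid/PROC-0001",
        "queries": [f'index=endpoint host="{event.get("host.name")}" earliest=-24h'],
        "true_positive_examples": ["encoded payload decodes to a remote download and execute"],
        "false_positive_examples": ["deployment tool running signed, inventoried scripts"],
        "remediation": ["isolate host if confirmed", "reset the user's credentials"],
    }

def build_alert(raw: dict, history: list[dict]) -> dict:
    event = normalize(raw)
    return {
        "detection_context": RULE,
        "alert_context": event,
        "enrichments": enrich(event, history),
        "response_context": response_context(event),
    }

def missing_context(alert: dict) -> list[str]:
    """Section.key names that are absent or empty; a triage-ready alert returns []."""
    gaps = []
    for section, keys in REQUIRED.items():
        for key in keys:
            if alert.get(section, {}).get(key) in (None, {}, [], ""):
                gaps.append(f"{section}.{key}")
    return gaps

# Constructed sample log and prior-alert history (last 7 days)
RAW_EVENT = {
    "EventTime": "2024-02-01T10:15:00Z",
    "Computer": "WS-0042",
    "User": "jdoe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": "powershell.exe -enc SQBFAFgA",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
    "Hashes": "ab" * 32,
}
HISTORY = [
    {"rule_id": "PROC-0001", "host.name": "WS-0042", "process.command_line": "powershell.exe -enc SQBFAFgA"},
    {"rule_id": "PROC-0001", "host.name": "WS-0107", "process.command_line": "powershell.exe -enc SQBFAFgA"},
    {"rule_id": "NET-0003", "host.name": "WS-0042", "process.command_line": None},
]

if __name__ == "__main__":
    alert = build_alert(RAW_EVENT, HISTORY)
    print(alert["enrichments"])
    print("missing:", missing_context(alert))
```

The point of `missing_context` is that it runs in the enrichment pipeline, not in the analyst's head: if a lookup fails (the user is not in the CMDB, the history query times out), the alert carries an explicit list of what still has to be fetched manually, which is exactly the "resources and corresponding queries" the response context is meant to supply.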
Analysts are most effective when they can read a story. Be the author that writes it for them.
Related Resources
https://medium.com/@vitbukac/practical-splunk-detection-rules-how-to-part-1-crawl-a24bc39a4b9d
Introducing the Funnel of Fidelity
https://x.com/jhencinski/status/1456974938712121347
Detection Engineering Fundamentals: What makes a good alert? was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: Detection Engineering Fundamentals: What makes a good alert? | by br4dy5 | Detect FYI