Building a Scenario-Based Detection
Last updated
Problem: Detection engineering today mostly relies on simple patterns or string-based detection logic. These types of detections usually result in a lot of downstream noise in the form of false positive alerts delivered to the SOC triage team. This creates alert fatigue and added expense, which ultimately results in a weakened security posture.
Anvilogic Solution: Anvilogic’s approach to alerting is a 2-tiered method: first collect warning signals (traditional pattern-based detections looking for suspicious activity), then correlate those warning signals into risk-based or scenario-based detections. This delivers much higher-fidelity, actionable alerts to the SOC triage and IR teams without the noisy false positives. We provide out-of-the-box threat scenarios in our Armory and also give customers the ability to create their own scenarios without writing a single line of detection code.
In a previous section we deployed a threat identifier. In most cases you would configure that threat identifier to collect warning signals as “events of interest” in an Anvilogic data store, but not necessarily generate an actionable alert. In order to ensure that the SOC triage team receives high quality alerts without a lot of noise, Anvilogic customers take advantage of our threat scenario detections. These can be used for risk-based alerting as well as more sophisticated and extremely flexible scenario-based detections, modeled on real-world behavioral attack patterns seen in the wild, or even based on custom patterns you can create in Anvilogic without writing a single line of code.
Let’s start by looking at an out-of-the-box threat scenario provided by Anvilogic. From the main navigation on the left, hover over and then click “Armory,” which takes you back to the main armory menu. At the top, click the number below the “Threat Scenarios” label to see a filterable list of the threat scenarios provided in the armory. Feel free to create a filter, drill into any of these, and explore the content.
Now click into the search box at the top of the screen, type “malicious file delivering malware,” and click the matching threat scenario at the top of the results. It will take you to the detailed view of the threat scenario.
You can explore the details of this threat scenario. You can see metadata about the kill chain phases and threat groups that use this scenario at the top, along with an expandable description. If you scroll down you will see a graphical representation of the logic and other metadata fields used for enrichment.
This particular scenario consists of 3 stages, 2 of which have multiple groups of events that could trigger that stage. The entire scenario is correlated on a common host: it fires when threat identifier rules matching the group 1 criteria are followed by group 2 and then group 3 identifiers for the same host within the described time frames. You can click on any group to see details about its threat identifiers.
You can also click the bracket icon (< >) on the upper right of the scenario logic definition section to see the underlying logic as code.
At this point, you could potentially deploy this scenario as long as you have a minimum set of underlying threat identifiers deployed (we make it easy to check this and get them deployed if you need to do so). Instead, let’s explore how easy it is to actually create one of these threat scenarios from scratch without writing any of that underlying code.
From the main navigation menu on the left, click the + icon for New Content near the top.
Select “Threat Scenario,” then hit “Proceed.” This opens the no-code builder with a blank threat scenario.
Give your use case a title in the box near the top. Now let's create a scenario. You can follow my example or choose different criteria, but it is best to select conditions from the dropdown lists that have a non-zero number in parentheses on the left, indicating that you have at least 1 deployed detection matching that condition.
Click into stage 1 and rename it to “initial access.” Click inside of Group 1 to pull up the definition dialog.
For the first condition, leave “filter by” set to MITRE ATT&CK and open the “choose conditions” drop-down. From there, select “Initial Access.” You should see at least 1 threat identifier that meets this criterion. Click “add more conditions,” leave the “and” operator, and this time change “filter by” to “use case categories” and “choose conditions” to “Hacking/Unauthorized Access.” Click the “add” button to save it.
Now look above stage 1 and click into the “entities of interest” box. Leave “correlated host” checked, and check the box for “correlated IP” also.
Now let’s add another stage. Click “Add Stage,” then click the diamond showing the time allowed between the stages. You can change it, e.g. to 60 minutes between the first 2 stages, correlated across a common host or IP; then hit “update.”
Now change the name of stage 2 to “Execution,” click inside its group 1 box, and set the condition to MITRE ATT&CK execution phase. You should see at least 1 threat identifier selected. Hit “add” to save this stage.
Repeat the process one more time: add another stage, rename it, drill into its group 1, filter by MITRE ATT&CK privilege escalation and Data Domain endpoint, and click “add” to save it.
Your final threat scenario should look something like this.
Click on the bracket icon (< >) on the right side of the scenario definition to see the underlying code that the scenario builder created for you.
At this point, you can hit Save in the upper right corner. From the main navigation menu on the left, click the “Scenarios” icon. This takes you to a list of scenarios in your workspace. Reverse sort on the Last Modified column on the right and you should see the threat scenario you just created at the top.
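To make the correlation semantics of the scenario you just built concrete (and of the Armory scenario examined earlier), here is an added, stand-alone Python sketch of the stage-walking logic; it is not Anvilogic’s code or its scenario format. The scenario schema, the event fields (`tactic`, `category`, `domain`) and the events of interest are all constructed assumptions; only the three stages, the host/IP entities and the 60-minute gap come from the tutorial.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Scenario mirroring the tutorial's three stages. Hypothetical schema, not Anvilogic's
# own format: filters inside a group are ANDed, groups within a stage are ORed.
SCENARIO = {
    "entities": ["host", "ip"],  # correlate on a common host or a common IP
    "gap_minutes": 60,           # longest allowed gap between consecutive stages
    "stages": [
        {"name": "initial access", "groups": [[("tactic", "Initial Access"),
                                                ("category", "Hacking/Unauthorized Access")]]},
        {"name": "Execution", "groups": [[("tactic", "Execution")]]},
        {"name": "Privilege Escalation", "groups": [[("tactic", "Privilege Escalation"),
                                                      ("domain", "endpoint")]]},
    ],
}

def ev(id_, ts, host, ip, tactic, category=None, domain=None):
    return {"id": id_, "ts": datetime.fromisoformat(ts), "host": host, "ip": ip,
            "tactic": tactic, "category": category, "domain": domain}

EVENTS = [  # constructed events of interest (threat identifier hits), not real telemetry
    ev("ti-101", "2024-03-01T09:00:00", "ws-01", "10.0.0.5", "Initial Access", "Hacking/Unauthorized Access"),
    ev("ti-202", "2024-03-01T09:20:00", "ws-01", "10.0.0.5", "Execution"),
    ev("ti-303", "2024-03-01T09:50:00", "ws-01", "10.0.0.5", "Privilege Escalation", domain="endpoint"),
    ev("ti-104", "2024-03-01T10:00:00", "ws-02", "10.0.0.9", "Initial Access", "Hacking/Unauthorized Access"),
    ev("ti-205", "2024-03-01T12:00:00", "ws-02", "10.0.0.9", "Execution"),  # 120 min later: window expired
    ev("ti-306", "2024-03-01T12:10:00", "ws-02", "10.0.0.9", "Privilege Escalation", domain="endpoint"),
]

def matches(event, stage):
    # A stage fires when every filter of at least one of its groups holds for the event.
    return any(all(event.get(f) == v for f, v in group) for group in stage["groups"])

def correlate(events, scenario):
    """One hit per entity value whose events hit stage 1..N in order, each within the gap."""
    gap, stages, hits = timedelta(minutes=scenario["gap_minutes"]), scenario["stages"], []
    for entity in scenario["entities"]:
        keyed = sorted((e for e in events if e.get(entity)), key=lambda e: (e[entity], e["ts"]))
        for value, stream in groupby(keyed, key=lambda e: e[entity]):
            chain, last_ts = [], None
            for e in stream:
                if last_ts is not None and e["ts"] - last_ts > gap:
                    chain, last_ts = [], None  # window expired: start over from stage 1
                if matches(e, stages[len(chain)]):
                    chain.append(e["id"]); last_ts = e["ts"]
                    if len(chain) == len(stages):
                        hits.append({"entity": entity, "value": value, "chain": chain})
                        break  # one hit per entity value; later events are not re-chained
    return hits
```

Host ws-01 (and its IP) yields a hit because the three stages arrive in order within 60 minutes of each other; ws-02 does not, because its Execution signal lands 120 minutes after the Initial Access one, so the window expires and the chain restarts.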