Detection Engineering Workflow
Last updated
Problem: With conventional processes and tools, detection engineering is often slow and manual, and it takes multiple people and systems to accomplish and track. Before Anvilogic, our customers told us a single detection could take weeks to operationalize. The result is a lag between a threat appearing in the wild and your ability to detect it and deliver high-quality, correlated alerts to the SOC without generating noisy false positives.
Anvilogic Solution: We provide customers with both high-quality, correlated detection content and an integrated, automated platform to research, test, deploy, and maintain all of your detection content regardless of the data platforms and security tools in the environment.
The heart of the Anvilogic platform is to enable detection engineers to go from threats to detections in minutes, instead of days or weeks. In this section we will deploy a recommended detection in just a few clicks. In a full pilot, this would actually create a scheduled detection search against your data to look for suspicious activity. Let’s start in the main armory view (which will be covered more in depth in the next section).
From the main navigation on the left, hover over and click on “Armory”
Scroll down, if necessary, to the “Recommended Detections” list. Click “See all” on the right, then click the “Threat Identifiers” button at the top. Choose any one of the recommended detections and click on its name. This takes you into the detailed view of that threat identifier use case.
Within this view you will see general information about the detection near the top including the name, data domain, MITRE ATT&CK techniques, killchain mappings, and a description of the detection. You will also see a list of the individual detection rules within the threat identifier use case. Every threat identifier will have 1 or more rules, where each rule is mapped to a particular combination of data repository and data category. There are expand/collapse arrows on the left side of each rule, which you can press to hide or show the details of the rule.
Notice that at least one of these rules has a star icon on the left, near the rule number. The star indicates that this rule is recommended for your environment because good-quality data for its repository and category is already present in your data stores. If it isn’t already expanded, expand this rule by clicking the expansion arrow on the left.
This expanded view of the rule contains summary data, the rule logic (including earlier versions, if more than one exists), and tabs for threat examples, data source validator searches, risk scores, performance analytics, custom and standard tags, and default triage steps. Much of this metadata is used to enrich the alerts and warning signals that fire from the detection. Take a look at the rule logic itself: it contains the detection patterns and data manipulations, as well as macros that retrieve, normalize, and enrich the data. At the end of the logic, a description of the event is composed and all the important fields are written to the events of interest index for further correlation.
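To make that structure concrete, here is an added illustration in Python of how a threat identifier, its rules, and the normalize/enrich/describe pipeline fit together. It is not Anvilogic's rule logic or platform API, and everything in it is constructed for the example: the two hypothetical data repositories and their field names, the sample process events, the asset lookup, the rule IDs `rule-1` and `rule-2`, the risk scores, and the encoded-PowerShell pattern used as the detection logic.

```python
"""Toy model of a threat identifier (use case) bundling rules keyed by
(data repository, data category). Each rule normalizes raw events into a
common schema, enriches them, applies a detection pattern, and writes matches
(with a description and the important fields) to an events-of-interest list.
Constructed for illustration only; this is not Anvilogic's rule logic."""
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed raw telemetry. The two repositories use different schemas, and
# the second one deliberately has no data in this hypothetical environment.
RAW_EVENTS = {
    ("splunk_prod", "endpoint_process"): [
        {"_time": "2024-05-01T10:00:00Z", "host": "ws01", "user": "alice",
         "cmdline": "cmd.exe /c whoami"},
        {"_time": "2024-05-01T10:05:00Z", "host": "ws02", "user": "bob",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    ],
    ("elastic_edr", "process_create"): [],
}

# Normalization "macros": one per repository, all yielding the same schema.
def normalize_splunk(ev: dict) -> dict:
    return {"time": ev["_time"], "host": ev["host"], "user": ev["user"],
            "command_line": ev["cmdline"]}

def normalize_elastic(ev: dict) -> dict:
    return {"time": ev["@timestamp"], "host": ev["host"]["name"],
            "user": ev["user"]["name"],
            "command_line": ev["process"]["command_line"]}

# Enrichment "macro": a constructed asset lookup adding a criticality tag.
ASSET_LOOKUP = {"ws01": "standard", "ws02": "finance"}

def enrich(ev: dict) -> dict:
    ev["asset_tier"] = ASSET_LOOKUP.get(ev["host"], "unknown")
    return ev

@dataclass
class Rule:
    rule_id: str
    repository: str
    category: str
    normalize: Callable[[dict], dict]
    pattern: Callable[[dict], bool]
    risk_score: int
    description: str  # format string filled from the normalized event

@dataclass
class ThreatIdentifier:
    name: str
    data_domain: str
    mitre_techniques: list
    killchain: str
    rules: list = field(default_factory=list)

    def recommended_rules(self, data: dict) -> list:
        # A rule is recommended when data exists for its repository/category.
        return [r for r in self.rules if data.get((r.repository, r.category))]

    def run(self, data: dict) -> list:
        events_of_interest = []
        for rule in self.rules:
            for raw in data.get((rule.repository, rule.category), []):
                ev = enrich(rule.normalize(raw))
                if rule.pattern(ev):
                    events_of_interest.append({
                        **ev, "rule_id": rule.rule_id, "use_case": self.name,
                        "mitre": self.mitre_techniques, "killchain": self.killchain,
                        "risk_score": rule.risk_score,
                        "description": rule.description.format(**ev)})
        return events_of_interest

# Detection pattern: PowerShell launched with a base64-encoded command argument.
ENCODED_PS = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{8,}")

def encoded_powershell(ev: dict) -> bool:
    return bool(ENCODED_PS.search(ev["command_line"]))

TI = ThreatIdentifier(
    name="Encoded PowerShell Command", data_domain="Endpoint",
    mitre_techniques=["T1059.001", "T1027"], killchain="Execution",
    rules=[
        Rule("rule-1", "splunk_prod", "endpoint_process", normalize_splunk,
             encoded_powershell, 60,
             "{user} ran an encoded PowerShell command on {host} ({asset_tier} asset)"),
        Rule("rule-2", "elastic_edr", "process_create", normalize_elastic,
             encoded_powershell, 60,
             "{user} ran an encoded PowerShell command on {host} ({asset_tier} asset)"),
    ])

if __name__ == "__main__":
    print("recommended:", [r.rule_id for r in TI.recommended_rules(RAW_EVENTS)])
    for eoi in TI.run(RAW_EVENTS):
        print(eoi["rule_id"], eoi["risk_score"], eoi["description"])
```

Only `rule-1` is recommended, because only its repository/category pair has data, and running the use case yields a single event of interest for `ws02` whose description and MITRE/killchain fields come from the rule and use-case metadata rather than from the raw log line; that is the enrichment the alert carries forward into correlation.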
Since we found this detection in the armory, in order to fully deploy it we will complete 2 basic steps: add it to our workspace as a local copy, then deploy it to our detection platform.
First, we need to make a local copy of it from the global copy in the Anvilogic armory, which we do by adding it to our workspace. Click on the blue “+ Workspace” button in the upper right corner. This will bring up the add to workspace dialog.
From here, you can check or uncheck boxes for the individual rules (recommended ones are checked by default). You can, and should, also create an associated task in the lower part of the dialog (the default). You may change the status and priority or add a comment if you like, but leave the assignee set to your user name. Click the Add button to continue. You will then be taken to the local copy of the threat identifier in your workspace, created from the armory copy.
You can click on the Edit button in the upper right corner if you want to make any changes to the rule at this point. In a full Anvilogic pilot you would be able to click a “Test” button here as well to work with and test the detection logic in your production environment before deploying the rule, though this feature is not available in our test drive environment.
Before deploying the rule, however, let’s take a look at the task you created in the previous step. From the main navigation on the left hover and then click on “Tasks.” This brings up the task view.
From here you should see the task to deploy the threat identifier detection you just created when you added it to your workspace. If you click on the Task ID you will see the details and history of the task itself.
To deploy the detection and get back to where we were previously, in the column entitled “Related Content ID #s” click on the rule ID (AVL_RXXXXX) on the right side of that column. You will then see the rule again with the Deploy button ready to go.
Click on the deploy button. This will bring up the rule deployment dialog. You will see that it offers some information as well as dependency checks (which you can ignore in this test drive).
You will notice that Anvilogic automatically recommends a cron expression that schedules this detection logic at the best time given the current workload on the detection engine. You can drill into this further by clicking the “Suggest Optimal Schedules” link, but note that you need to be in a pilot environment to see meaningful data there. Now click the “Deploy” button; you will briefly see a message that the rule has been queued for deployment. In a full pilot environment this would actually deploy the detection rule, or you can add another layer of testing and approval within the underlying search platform for additional separation of duties.
You have now gone from threat to detection in minutes, without writing a single line of code, all from a single, integrated platform that supports full auditing and separation of duties. Feel free to repeat this process for other detections that interest you, or for trending topics and scenario-based detections.