Detection Use Cases
While many security products have built-in detection use cases, there will always be situations where a custom detection use case needs to be developed. To create a successful use case, we need a few key elements.
Theory
The first step in building a use case is the theory behind it. While the protocol, device, and situation may vary, there is a handful of detection theories that can be applied to most detection situations.
Alert on match - Matches any specific string or data field entry.
Alert on match with exclusion - Same as above, excluding anything documented as acceptable.
Repetitive matches - When occurrences of a set of events go past acceptable volumes.
High fluctuation - When there is a significant increase in the volume of a specific data field.
Low fluctuation - When the volume of occurrences drops to abnormal levels or stops entirely.
New or changed fields - When a data field has a new, previously unseen entry.
Aggregation thresholds - Changes in the min/max/average of a data field statistic.
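As an added example (not code from the original page or from any of the guides it lists), the detection theories above, plus the tuning section's idea of keeping exclusions inside the use case logic, implemented over a constructed set of authentication-style events. The event fields, exclusion list, baseline and thresholds are all invented for illustration:

```python
from collections import Counter
from statistics import mean

# Constructed sample events (not real telemetry), shaped like authentication log records.
EVENTS = [
    {"user": "alice", "src": "10.0.0.5", "result": "fail", "bytes": 120},
    {"user": "alice", "src": "10.0.0.5", "result": "fail", "bytes": 118},
    {"user": "alice", "src": "10.0.0.5", "result": "fail", "bytes": 121},
    {"user": "alice", "src": "10.0.0.5", "result": "fail", "bytes": 119},
    {"user": "bob", "src": "10.0.0.9", "result": "ok", "bytes": 130},
    {"user": "svc_backup", "src": "10.0.0.7", "result": "fail", "bytes": 125},
    {"user": "carol", "src": "203.0.113.4", "result": "ok", "bytes": 9000},
]
# Exclusions live inside the use case logic so documented known issues never alert.
EXCLUDED_USERS = {"svc_backup"}  # hypothetical service account with a known expired credential
BASELINE_SRCS = {"10.0.0.5", "10.0.0.9", "10.0.0.7"}  # source addresses seen in earlier windows

def alert_on_match(events, field, value):
    """Alert on match: every event whose field equals the value fires."""
    return [e for e in events if e.get(field) == value]

def alert_on_match_with_exclusion(events, field, value, excl_field, excluded):
    """Alert on match with exclusion: same as above, minus documented acceptable cases."""
    return [e for e in alert_on_match(events, field, value)
            if e.get(excl_field) not in excluded]

def repetitive_matches(events, key, threshold):
    """Repetitive matches: keys whose occurrence count reaches the acceptable volume."""
    counts = Counter(e[key] for e in events)
    return {k: n for k, n in counts.items() if n >= threshold}

def volume_fluctuation(current_count, baseline_count, high=2.0, low=0.5):
    """High/low fluctuation: compare this window's volume to the baseline window's."""
    ratio = current_count / baseline_count if baseline_count else float("inf")
    if ratio >= high:
        return "high"
    if ratio <= low:
        return "low"
    return None

def new_field_values(events, field, baseline):
    """New or changed fields: values of the field never seen in the baseline."""
    return sorted({e[field] for e in events} - baseline)

def aggregation_threshold(events, field, max_mean):
    """Aggregation thresholds: return the mean when the field's average exceeds the limit."""
    avg = mean(e[field] for e in events)
    return avg if avg > max_mean else None
```

The single 9000-byte event drags the mean well past a 500-byte limit, which is why aggregation rules usually need an exclusion or a median check before they go live.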
Alert Tuning
The most effective security monitoring programs undergo a constant state of tuning and refinement. This allows the highest degree of detection while not overwhelming your analysts with alerts to investigate. High volumes of false positives typically indicate either a poorly written rule or noise in your environment that needs to be tuned out. Every alert should have a set of exclusions placed within the use case logic to accommodate known issues, so that those circumstances do not generate an alert.
Sometimes you will have to perform a cost-benefit analysis on each use case. Is there value in spending gobs of time on every port scan alert you receive? That is up to you. (You shouldn't.)
Detection Guides
Alerting and Detection Strategy guide by Palantir
MITRE CAR - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR is focused on providing a set of validated and well-explained analytics, in particular with regard to their operating theory and rationale.
Crafting the Infosec Playbook: Crafting Queries - pg. 174
Netflow
Crafting the Infosec Playbook: Hustle and NetFlow - pg. 129
DNS
Crafting the Infosec Playbook: DNS - pg. 135
Web and Web Proxies
Crafting the Infosec Playbook: Web Proxies - pg. 145
Intelligence
Crafting the Infosec Playbook: Applied Intelligence - pg. 158
Detection Use Case Collections
If you ever want to take the easy route and simply purchase search rules, or copy existing ones from other platforms, there are a few places available on the web. Many popular SIEMs have sets of rules included in the software. For more, please review the Event Detection section.
C.A.R. Cyber Analytics Repository - A knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.
If you are looking to simply purchase use cases from a marketplace, the foremost of them is SOCPrime. They even have a bounty program for their searches. If you come up with a useful and unique search, you can sell it to them for a tidy profit!
Detection Use Case Testing
Threatest - Threatest is a Go framework for testing threat detection end-to-end. It allows you to detonate an attack technique and verify that the alert you expect was generated in your favorite security platform.
Detection Use Cases by Category