Organizations often grapple with undetected breaches, the complexity of SIEM management, and the difficulty of maintaining effective customization amidst ever-evolving vendor formats. These issues create detection gaps, making it arduous to derive valuable insights from high-volume data.
DataBee makes security data more accessible and understandable for professionals at all levels. Ingesting data from multiple sources, DataBee enriches, correlates, and normalizes it, storing the processed information in your data lake and forwarding it to your SIEM for advanced analytics.
DataBee's Detection Analytics complement the SIEM by identifying threats with vendor-agnostic Sigma rules. For a detailed explanation, take a look at the Sigma Detections article.
Key Benefits
SIEM Cost Optimization: You can deploy DataBee security analytics to apply detection logic to high-volume logs held in a cost-effective data lake, rather than paying to ingest those logs into your SIEM. This reserves valuable space in your SIEM for high-priority incidents.
Reduce Analyst Fatigue: DataBee's suppression capability filters out less important security findings. This targeted approach significantly reduces analyst fatigue by keeping the focus on critical incidents, enhancing overall efficiency in threat management.
Standardized Detection Coverage: DataBee lets you import Sigma detection rules from GitHub, so your detection capabilities stay current with the latest threat intelligence. DataBee converts data into the OCSF format, enabling seamless detection across multiple sources and source formats.
DataBee Security
Navigate to the top of the UI and click on the Security button. A drop-down menu will appear with three sub-pages: DataBee Findings, Active Detections, and Suppress List.
DataBee Findings
The DataBee Findings page is designed to showcase findings from both Detection Streams and Detection Chains. Similar to the Search page, you can filter findings using parameters such as event time, activity ID, severity ID, etc. Add further parameters to the page by selecting them from the Add Parameter dropdown list. Click on the Search button to view a histogram and a table displaying the filtered security findings. Click the search icon under the 'DETAILS' column to view the entity details.
You can personalize the columns displayed by clicking on the Customize button. Clicking Customize redirects to the "Configure User Column Layout" page. On this page, all selected columns are visible. To add a column, select from the dropdown list under 'Add column' and click Add. To delete a column, click on the Remove button corresponding to the column name. After making the necessary modifications, click on Update to apply the changes. Click on the Columns dropdown button to view or toggle the currently selected columns.
You can copy your current search as a string by clicking on the Copy Search button. This can be entered in the query field while creating dashboard widgets.
The Save Search button is used to save your search queries for later use. Clicking it opens a dialog box with the search query already filled in; enter a suitable query name to save it. You can also save a particular search as your default by clicking on the Save as Default button.
Click on the Snowflake worksheet button to perform advanced searches. Click here to learn more about Raw SQL Search.
Active Detections
Active Detections comprise both Detection Streams and Detection Chains.
Detection Streams
Click Detection Streams to learn more.
Detection Chains
Please refer to the Detection Chains article for detailed information.
Suppress List
DataBee introduced suppressions to fine-tune the security findings generated by active detection streams. A suppress list provides a focused way of managing security findings: it prevents specific events from being flagged as security findings and excludes them from cumulative risk calculations. This lets you selectively ignore specific findings, reducing their influence on overall risk assessments and allowing more targeted security analysis. Suppression logic is applied only to DataBee-generated security findings.
Click on the Security button located at the top of the UI. From the dropdown menu, choose the Suppressions option. The "Suppress List" page exhibits a list of all the configured suppressions.
To craft a new suppression, click on the Add New Suppression button.
The "Add Suppression" page is organized into three key sections: Action, Enforcement Duration, and Matching Criteria.
Action
From the Action dropdown, choose what you would like to happen to a finding that matches the suppression criteria. Drop will prevent the security finding from being produced. Informational will force the severity of the finding to be informational regardless of what is set in the rule. Forward to Data Lake Only will send the security finding to the configured data lake but not the configured S3 bucket.
Enforcement Duration and Schedule
Set the end date and time in UTC for the suppression to remain active.
Scheduling: Schedule suppressions for specific periods by selecting weekdays from the dropdown list. Fill in the provided fields with the start and end hours of the suppression in UTC.
Criteria for Matching
Choose from a variety of criteria in the dropdown list, including users, devices, vendors, products, titles, analytic names, descriptions, or messages. Selecting these criteria lets you pinpoint precisely where the suppression should be applied, ensuring a targeted and effective approach. For a suppression match to occur, a finding must meet all matching criteria. A given matching criterion (e.g., Users) may contain a list of values to match on; if any value in that list matches, that criterion is considered matched. Combining criteria allows you to configure both highly specific and very general suppression rules.
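To make the suppression semantics described in the Action, Enforcement Duration and Criteria for Matching sections concrete, here is a small Python evaluator added for illustration; it is not DataBee's code. It implements the rules stated above: all criteria must match, any value within one criterion's list suffices, a suppression is enforced only until its UTC end time and (when scheduled) only on the chosen weekdays between the start and end hours, and the three actions either drop the finding, force it to informational severity, or forward it to the data lake but not the S3 bucket. The finding field names (user, analytic_name, product, vendor, title), the severity_id value 1 for informational, the data_lake / s3 destination labels, the first-matching-suppression-wins precedence and all sample findings are constructed assumptions that the page does not specify.

```python
from datetime import datetime, timezone

# Suppression actions as named on the page.
DROP = "Drop"
INFORMATIONAL = "Informational"
DATA_LAKE_ONLY = "Forward to Data Lake Only"

# Destinations an unsuppressed finding is forwarded to (assumed labels).
ALL_DESTINATIONS = ["data_lake", "s3"]


def criteria_match(finding: dict, criteria: dict) -> bool:
    """AND across criteria, OR within a criterion's value list."""
    return all(finding.get(field) in values for field, values in criteria.items())


def suppression_active(suppression: dict, now: datetime) -> bool:
    """Enforced until the UTC end time; if scheduled, only on the listed weekdays
    between start_hour (inclusive) and end_hour (exclusive), in UTC."""
    if now > suppression["end_time"]:
        return False
    schedule = suppression.get("schedule")
    if schedule is None:
        return True
    if now.strftime("%A") not in schedule["weekdays"]:
        return False
    return schedule["start_hour"] <= now.hour < schedule["end_hour"]


def apply_suppressions(finding: dict, suppressions: list, now: datetime):
    """Return (finding_or_None, destinations). Assumption: first active match wins."""
    for s in suppressions:
        if not (suppression_active(s, now) and criteria_match(finding, s["criteria"])):
            continue
        if s["action"] == DROP:
            return None, []                                   # never produced
        if s["action"] == INFORMATIONAL:
            downgraded = dict(finding, severity="Informational", severity_id=1)
            return downgraded, list(ALL_DESTINATIONS)         # severity forced down
        if s["action"] == DATA_LAKE_ONLY:
            return finding, ["data_lake"]                     # data lake yes, S3 no
    return finding, list(ALL_DESTINATIONS)                    # no suppression applied


# Constructed sample suppressions (not real configuration).
FAR_FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_SUPPRESSIONS = [
    {   # Drop a service account's scan noise during the weekend scan window only
        "action": DROP, "end_time": FAR_FUTURE,
        "schedule": {"weekdays": ["Saturday", "Sunday"], "start_hour": 2, "end_hour": 6},
        "criteria": {"user": ["svc-scanner"], "analytic_name": ["Port Scan Detected"]},
    },
    {   # Expired: must be ignored even though its criteria would match finding f3
        "action": DROP, "end_time": datetime(2024, 12, 31, tzinfo=timezone.utc),
        "criteria": {"analytic_name": ["Lateral Movement"]},
    },
    {   # One criterion with a list of values: either product matches
        "action": INFORMATIONAL, "end_time": FAR_FUTURE,
        "criteria": {"product": ["Example EDR", "Example EDR Cloud"]},
    },
    {   # Two criteria that must both match
        "action": DATA_LAKE_ONLY, "end_time": FAR_FUTURE,
        "criteria": {"vendor": ["Example Vendor"], "title": ["Policy Audit"]},
    },
]

# Constructed sample findings.
SAMPLE_FINDINGS = [
    {"id": "f1", "user": "svc-scanner", "analytic_name": "Port Scan Detected",
     "product": "Example NDR", "vendor": "Other", "title": "Scan", "severity": "High", "severity_id": 4},
    {"id": "f2", "user": "alice", "analytic_name": "Port Scan Detected",
     "product": "Example NDR", "vendor": "Other", "title": "Scan", "severity": "High", "severity_id": 4},
    {"id": "f3", "user": "bob", "analytic_name": "Lateral Movement",
     "product": "Example EDR Cloud", "vendor": "Other", "title": "Move", "severity": "Medium", "severity_id": 3},
    {"id": "f4", "user": "carol", "analytic_name": "Policy Audit",
     "product": "Example Compliance", "vendor": "Example Vendor", "title": "Policy Audit", "severity": "Low", "severity_id": 2},
]

IN_WINDOW = datetime(2025, 6, 7, 3, 0, tzinfo=timezone.utc)      # Saturday 03:00 UTC
OUT_OF_WINDOW = datetime(2025, 6, 9, 3, 0, tzinfo=timezone.utc)  # Monday 03:00 UTC


def run(now: datetime) -> dict:
    """Apply the sample suppressions to every sample finding: {id: (finding, destinations)}."""
    return {f["id"]: apply_suppressions(f, SAMPLE_SUPPRESSIONS, now) for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    for label, now in (("in window", IN_WINDOW), ("out of window", OUT_OF_WINDOW)):
        for fid, (result, dests) in run(now).items():
            print(label, fid, "dropped" if result is None else result["severity"], dests)
```

Running it shows why the AND/OR distinction matters: f2 carries the same analytic name as f1 but a different user, so the scanner suppression does not apply to it, while f3 is downgraded because its product is one of two values in a single criterion. The expired entry illustrates the check a reviewer should always make on a suppress list: an entry whose end date has passed silently stops suppressing, and an entry with a far-future end date keeps hiding findings long after the reason for it is gone.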