What are Detection Chains?
Detection Chains in DataBee let you create and manage complex monitoring queries. A chain generates high-fidelity security findings from multiple correlated instances of malicious activity, and it does so by querying the activity already stored in the data lake.
You start by creating individual queries, each of which filters on parameters from OCSF tables. Each such query, referred to as a link, is one specific filter combination tailored to your monitoring needs. Multiple links can then be grouped to form a chain, allowing you to detect more meaningful patterns and correlations within your data. Each chain consists of one or more links; the chain matches the entities that are present in the results of all of its links and generates a unique security finding for them.
Each detection chain runs on its own schedule, according to its configured run frequency.
With Detection Chains, you can define multiple chains to monitor different aspects of your system comprehensively. This feature enhances your ability to identify and respond to important events by producing findings that highlight significant sequences of incidents.
Creating a Detection Chain in DataBee
Navigate to Security > Active Detections.
Click on the Detection Chains button which takes you to the “Detection Chains” page.
Click + Create New to create a new chain.
The “Create Detection Chain” page will appear. Fill in the following fields:
Title: provide a suitable name for your detection chain
Status: select the rule status from the dropdown list. The available statuses are:
Stable: the rule didn't produce any obvious false positives in multiple environments over a long period of time
Test: the rule doesn't show any obvious false positives on a limited set of test systems
Experimental: a new rule that hasn't been tested outside of lab environments and could lead to many false positives
Deprecated: the rule is replaced or covered by another one. The link between both rules is made via the related field.
Unsupported: the rule cannot be used in its current state (special correlation log, home-made fields, etc.)
Description: write a brief description of the purpose of the chain
Tags: enter specific keywords that describe your chain
Severity: select the severity level from the dropdown list
Run Frequency: set the interval in hours (0-24) at which you want the chain to run. This determines how often the chain executes
Links: all the links added to this Detection chain will be displayed here
Building a Link or Query
Click the Build button to create a new link or query.
Create Link For: select the entity for which you want to create the link
Search Parameters: choose the preferred parameters from the Add Parameter dropdown. Select the desired values for each parameter.
When done, click Add Link to create a new link.
Click the From Saved Search button to display your search history, then click Load next to a saved search to add it as a link.
Click the From Existing Link button to select from the links you have previously created.
After adding the necessary links, click Create. The newly created chain will be displayed on the Detection Chains page.
Managing Chains
To navigate to the “Detection Chains” page, click on the “Security” dropdown, then “Active Detections”.
To modify a chain, click on the Edit icon under the ‘ACTIONS’ column next to the chain to be modified.
To delete a chain, use the Delete icon under the ‘ACTIONS’ column corresponding to the chain you wish to delete.
Filtering Chains
In the "Detection Chains" page, you can narrow down the displayed chains by filtering them.
Under the ‘Filter Parameters’ section, choose the values you want from the dropdown menu for each parameter.
You can add custom parameters if needed by selecting them from the Add Parameter dropdown.
Once you have set your filter parameters, click the Apply button. The table will update to display only the chains that match your specified criteria.
To clear your current filtering preferences and reset the table to its default state, click the Reset button.
Customize the number of results per page using the pagination dropdown button.
By using these filter options, you can efficiently narrow down the detection chains to those that are most relevant to your needs.
Passed Parameters
In the "Detection Chains" page, the passed parameters feature allows you to use a field from the records matching one link as additional search criteria in the other links of the same detection chain. A passed parameter is associated with a particular field within a table and is given a name or label that is used in the consuming link. To consume a passed parameter, surround its label with percent symbols, for example %URL_received_in_email%.
Existing chains are backward compatible and can be modified to take advantage of the new capabilities.
Example use of Passed Parameters In Detection Chains
Consider the use case of identifying users who have clicked on email links and thereby caused a system compromise. Assume your email security and threat detection system generates email URL activity events, each of which contains a url.hostname. Using the passed parameters feature, we can capture every url.hostname value received in the last week and check those values against recent HTTP activity. In this example, the passed parameter for url.hostname is called URL_received_in_email. The passed parameter is consumed in the link on the http_activity table, as part of the filter on the URL hostname of the HTTP request. A third link, based on the detection_finding table and unrelated to the passed parameter, further narrows the results to those users and devices that also have a recent high-priority detection finding.
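The following is an added illustration of the chain semantics described above (links as filters over OCSF tables, a chain as the entities present in every link's results, and a passed parameter substituted for %LABEL% in a consuming link), worked through on the email-URL example. It is not DataBee's implementation and the page does not specify DataBee's exact matching rules; the code assumes that the chain correlates on user.name, that the three tables are flat dictionaries with constructed sample rows, that the "high priority" finding filter is severity_id >= 4, and it omits the time window ("last week") entirely.

```python
"""Toy model of a detection chain with passed parameters (added example, not DataBee code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample rows (not real telemetry). Field names mimic OCSF dotted paths.
TABLES = {
    "email_url_activity": [
        {"user.name": "alice", "url.hostname": "login-portal.example"},
        {"user.name": "bob",   "url.hostname": "docs.example"},
        {"user.name": "carol", "url.hostname": "invoice-share.example"},
    ],
    "http_activity": [
        {"user.name": "alice", "device.hostname": "ws-01", "http_request.url.hostname": "login-portal.example"},
        {"user.name": "bob",   "device.hostname": "ws-02", "http_request.url.hostname": "cdn.example"},
        {"user.name": "carol", "device.hostname": "ws-03", "http_request.url.hostname": "invoice-share.example"},
        {"user.name": "dave",  "device.hostname": "ws-04", "http_request.url.hostname": "login-portal.example"},
    ],
    "detection_finding": [
        {"user.name": "alice", "device.hostname": "ws-01", "severity_id": 4},
        {"user.name": "carol", "device.hostname": "ws-03", "severity_id": 2},
        {"user.name": "dave",  "device.hostname": "ws-04", "severity_id": 5},
    ],
}

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")   # a filter value written as %LABEL%


@dataclass
class Link:
    """One filter combination over a single table."""
    table: str
    entity_field: str                                       # field the chain correlates on
    filters: dict[str, object] = field(default_factory=dict)  # field -> literal, %LABEL%, or (">=", n)
    passes: dict[str, str] = field(default_factory=dict)      # label -> field captured from matches


def resolve(value, passed: dict[str, set]):
    """Turn a %LABEL% placeholder into the set of values captured under that label."""
    if isinstance(value, str):
        m = PLACEHOLDER.fullmatch(value)
        if m:
            return passed.get(m.group(1), set())   # unknown label matches nothing
    return value


def matches(record: dict, filters: dict, passed: dict[str, set]) -> bool:
    """True when every filter on the link holds for this record."""
    for key, wanted in filters.items():
        wanted = resolve(wanted, passed)
        actual = record.get(key)
        if isinstance(wanted, set):                       # passed-parameter membership test
            if actual not in wanted:
                return False
        elif isinstance(wanted, tuple) and wanted[0] == ">=":  # minimal numeric comparison
            if actual is None or actual < wanted[1]:
                return False
        elif actual != wanted:                            # plain equality
            return False
    return True


def run_chain(links: list[Link], tables: dict) -> set:
    """Evaluate links in order; earlier links feed passed parameters to later ones.
    The chain's result is the set of entities present in every link's matches."""
    passed: dict[str, set] = {}
    entity_sets = []
    for link in links:
        hits = [r for r in tables[link.table] if matches(r, link.filters, passed)]
        for label, fld in link.passes.items():
            passed[label] = {r[fld] for r in hits}
        entity_sets.append({r[link.entity_field] for r in hits})
    return set.intersection(*entity_sets) if entity_sets else set()


# The page's example: email URL -> HTTP request to that hostname -> high-priority finding.
EXAMPLE_CHAIN = [
    Link("email_url_activity", "user.name", passes={"URL_received_in_email": "url.hostname"}),
    Link("http_activity", "user.name", filters={"http_request.url.hostname": "%URL_received_in_email%"}),
    Link("detection_finding", "user.name", filters={"severity_id": (">=", 4)}),
]


def example_finding() -> set:
    """Users present in all three links. With the sample rows only alice qualifies:
    bob never browsed to an emailed hostname, carol's finding is low severity,
    and dave browsed to a phishing-style hostname that was never emailed to him."""
    return run_chain(EXAMPLE_CHAIN, TABLES)


if __name__ == "__main__":
    print(sorted(example_finding()))
```

Evaluating the links in order is what makes the passed parameter work: the email link runs first and captures every url.hostname it matched, the http_activity link then treats %URL_received_in_email% as a membership test against that set, and the detection_finding link runs independently. Only entities that survive all three filters become a finding, which is why dave (no email) and carol (no high-priority finding) are dropped.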