Detection Chains
21 Aug 2024


What are Detection Chains?

Detection Chains in DataBee let you create and manage complex monitoring queries. A chain generates high-fidelity security findings from multiple correlated instances of malicious activity, and is built mainly from queries over the activities already stored in the data lake.

You start by creating individual queries by filtering on parameters from the OCSF tables. Each such query, referred to as a link, is one specific filter combination tailored to your monitoring needs. Multiple links can then be grouped into a chain, allowing you to detect more meaningful patterns and correlations in your data. A chain consists of one or more links; it matches the entities that are present in the results of every link in the chain, and each such match generates a unique security finding.

Each detection chain runs on its own schedule, according to its configured run frequency.

With Detection Chains, you can define multiple chains to monitor different aspects of your system comprehensively. This feature enhances your ability to identify and respond to important events by producing findings that highlight significant sequences of incidents.
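To make the link-and-chain model concrete, the following is an added example (not DataBee's own code) that models a link as a filter over OCSF-style records keyed on one entity, and a chain as the intersection of the entities returned by every link. The record field names, the sample events, the `min_count` threshold and the `valid_run_frequency` helper are assumptions made for the illustration; DataBee's actual query engine and schema are not shown here.

```python
"""Illustration of the Detection Chains concept: each link is a saved filter over
OCSF-like records, and a chain produces one finding per entity that matches every
link. Added example, not DataBee code; field names are assumed, not DataBee's schema."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample records in an OCSF-like shape (assumed field names).
EVENTS: List[Dict] = [
    {"class": "authentication", "user": "alice", "src_ip": "10.0.0.5", "status": "Failure"},
    {"class": "authentication", "user": "alice", "src_ip": "10.0.0.5", "status": "Failure"},
    {"class": "authentication", "user": "alice", "src_ip": "10.0.0.5", "status": "Success"},
    {"class": "authentication", "user": "bob",   "src_ip": "10.0.0.7", "status": "Failure"},
    {"class": "process_activity", "user": "alice", "process": "powershell.exe"},
    {"class": "process_activity", "user": "carol", "process": "powershell.exe"},
]


def valid_run_frequency(hours: int) -> bool:
    """Run Frequency is set in hours in the range 0-24 (assumed helper)."""
    return 0 <= hours <= 24


@dataclass
class Link:
    """One saved query: a title, the entity it is created for, and a parameter filter."""
    title: str
    entity_field: str                      # "Create Link For": the entity the link keys on
    match: Callable[[Dict], bool]          # the search-parameter filter
    min_count: int = 1                     # assumed: minimum matching records per entity

    def entities(self, events: List[Dict]) -> Set[str]:
        """Entities with at least min_count records that satisfy the filter."""
        counts = Counter(e[self.entity_field] for e in events
                         if self.entity_field in e and self.match(e))
        return {ent for ent, n in counts.items() if n >= self.min_count}


@dataclass
class Chain:
    """A detection chain: metadata plus the links whose results are intersected."""
    title: str
    severity: str
    run_frequency_hours: int
    links: List[Link] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not valid_run_frequency(self.run_frequency_hours):
            raise ValueError("run frequency must be between 0 and 24 hours")

    def run(self, events: List[Dict]) -> List[Dict]:
        """Return one finding per entity present in the result of every link."""
        if not self.links:
            return []
        common = set.intersection(*(link.entities(events) for link in self.links))
        return [{"chain": self.title, "severity": self.severity, "entity": ent,
                 "links": [link.title for link in self.links]}
                for ent in sorted(common)]


# A constructed three-link chain keyed on the user entity.
EXAMPLE_CHAIN = Chain(
    title="Repeated failed logins, then success, then PowerShell",
    severity="High",
    run_frequency_hours=1,
    links=[
        Link("Repeated failed logins", "user",
             lambda e: e.get("class") == "authentication" and e.get("status") == "Failure",
             min_count=2),
        Link("Successful login", "user",
             lambda e: e.get("class") == "authentication" and e.get("status") == "Success"),
        Link("PowerShell launched", "user",
             lambda e: e.get("class") == "process_activity" and e.get("process") == "powershell.exe"),
    ],
)

if __name__ == "__main__":
    # Only "alice" appears in all three link results, so one finding is produced.
    for finding in EXAMPLE_CHAIN.run(EVENTS):
        print(finding)
```

Run as a script, the chain yields a single finding for `alice`: `bob` matches only the failed-login link, and `carol` only the PowerShell link, so neither satisfies every link in the chain. This is the behaviour the text describes, where a chain matches only entities present in all of its queries.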

Creating a Detection Chain in DataBee

  1. Navigate to Security > Active Detections.

  2. Click on the Detection Chains button which takes you to the “Detection Chains” page.

  3. Click + Create New to create a new chain.

  4. The “Create Detection Chain page” will appear. Now fill in the following fields with suitable data:

    • Title: provide a suitable name for your detection chain

    • Status: specify the preferred status alert from the dropdown list

      • Stable: the rule didn't produce any obvious false positives in multiple environments over a long period of time

      • Test: the rule doesn't show any obvious false positives on a limited set of test systems

      • Experimental: a new rule that hasn't been tested outside of lab environments and could lead to many false positives

      • Deprecated: the rule is replaced or covered by another one. The link between both rules is made via the related field.

      • Unsupported: the rule cannot be used in its current state (special correlation log, home-made fields, etc.)

    • Description: write a brief description of the purpose of the chain

    • Tags: enter specific keywords that describe your chain

    • Severity: select the severity level from the dropdown list

    • Run Frequency: set the interval in hours (0-24) at which you want the chain to run. This determines how often the chain executes

    • Links: all the links added to this Detection chain will be displayed here

Building a Link or Query

  5. Click the Build button to create a new link or query.

    • Create Link For: select the entity for which you want to create the link

    • Search Parameters: choose the preferred parameters from the Add Parameter dropdown. Select the desired values for each parameter.

      When done, click Add Link to create a new link.

  6. Click the From Saved Search button to display your search history. Click Load to add it as a link.

  7. Click the From Existing Link button to select from the links you have previously created.

  8. After adding the necessary links, click Create. The newly created chain will be displayed on the Detection Chains page.

Managing Chains

To navigate to the “Detection Chains” page, click on the “Security” drop-down, then “Active Detections”.

  • To modify a chain, click on the Edit icon under the ‘ACTIONS’ column next to the chain to be modified.

  • To delete a chain, use the Delete icon under the ‘ACTIONS’ column corresponding to the chain you wish to delete.

Filtering Chains

On the “Detection Chains” page, you can narrow down the displayed chains by filtering them.

  1. Under the ‘Filter Parameters’ section, choose the values you want from the dropdown menu for each parameter.

  2. You can add custom parameters if needed by selecting them from the Add Parameter dropdown.

  3. Once you have set your filter parameters, click the Apply button. The table will update to display only the chains that match your specified criteria.

  4. To clear your current filtering preferences and reset the table to its default state, click the Reset button.

  5. Customize the number of results per page using the pagination dropdown button.

By using these filter options, you can efficiently narrow down the detection chains to those that are most relevant to your needs.
