What is a detection?¶
A detection (sometimes called a correlation rule) defines and finds patterns and specific events in your data. A huge volume of event logs moves through your system, and detections help identify events and combinations of events that might be the result of a security breach or system error.
Important
- The possibilities for your detections depend on your Correlator configuration.
- All detections are written in TeskaLabs SP-Lang. There is a quick guide for SP-Lang in the window correlation example and additional detection guidelines.
What can detections do?¶
You can write detections to describe and find an endless combination of events and patterns, but these are common activities to monitor:
- Multiple failed login attempts: Numerous unsuccessful login attempts within a short period, often from the same IP address, to catch brute-force or password-spraying attacks.
- Unusual data transfer or exfiltration: Abnormal or large data transfers from inside the network to external locations.
- Port scanning: Attempts to identify open ports on network devices, which may be the precursor to an attack.
- Unusual hours of activity: User or system activities during non-business hours, which could indicate a compromised account or insider threat.
- Geographical anomalies: Logins or activities originating from unexpected geographical locations based on the user's typical behavior.
- Access to sensitive resources: Unauthorized or unusual attempts to access critical or sensitive files, databases, or services.
- Changes to critical system files: Unexpected changes to system and configuration files
- Suspicious email activity: Phishing emails, attachments with malware, or other types of malicious email content.
- Privilege escalation: Attempts to escalate privileges, such as a regular user trying to gain admin-level access.
Getting started¶
Plan your correlation rule carefully to avoid missing important events or drawing attention to irrelevant events. Answer the questions:
- What activity (events or patterns) do you want to detect?
- Which logs are relevant to this activity?
- What do you want to happen if the activity is detected?
To get started writing a detection, see this example of a window correlation and follow these additional guidelines.