This training session will demonstrate the power and flexibility of using composite detection rules to enhance your security operations. You will learn how composite detections aggregate multiple, often low-confidence, signals from various sources into a single, high-fidelity alert. This advanced approach solves the common problem of alert fatigue from noisy events and provides security analysts with a richer, more contextualized narrative of potential threats.
The session walks through three distinct applications: building a highly targeted rule to identify a specific attacker technique (TTP), creating a broader rule that groups detections by MITRE ATT&CK® techniques for modularity, and deploying a general hunting rule to flag suspicious hosts. Ultimately, this session will show you how to create a more efficient and effective security posture, simplifying investigations and paving the way for future AI-driven security automation.
In this session, you will learn how to:
- Aggregate Signals to Reduce Noise and Add Context: Combine multiple low-confidence detections on a single host into one high-confidence alert that tells a more complete story of an incident.
- Detect Specific Attacker TTPs: Build highly targeted rules to identify known malicious behavior chains, such as a credential change followed by a suspicious email deletion.
- Create Modular, Behavior-Based Rules: Develop flexible rules by grouping detections into behavioral "buckets" (e.g., MITRE ATT&CK® techniques) that can be easily updated without rewriting your core logic.
- Enable Proactive Threat Hunting: Use broad composite rules as a powerful hunting tool to aggregate various suspicious events and uncover novel or unexpected patterns of malicious activity.
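The four objectives above describe two shapes of composite rule: a targeted sequence rule (credential change followed by a mailbox deletion for the same user) and a broad bucket rule that only counts how many distinct ATT&CK techniques a host has touched. The following Python is an added illustration of both shapes, written for this page; it is not code from the session or from any SecOps product. The detection records, rule names, hosts, users and the mapping of rules to technique IDs are constructed sample values, and the time windows are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections (not real data): each is a low-confidence
# signal already emitted by a single-event rule, carrying the host, user,
# triggering rule name and the MITRE ATT&CK technique the rule is tagged with.
SAMPLE_DETECTIONS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "user": "alice",
     "rule": "password_changed", "technique": "T1098"},
    {"ts": "2024-05-01T09:07:00", "host": "ws-17", "user": "alice",
     "rule": "mailbox_items_deleted", "technique": "T1070.008"},
    {"ts": "2024-05-01T09:30:00", "host": "ws-17", "user": "alice",
     "rule": "new_scheduled_task", "technique": "T1053.005"},
    {"ts": "2024-05-01T10:00:00", "host": "ws-42", "user": "bob",
     "rule": "password_changed", "technique": "T1098"},
    {"ts": "2024-05-02T08:00:00", "host": "ws-42", "user": "bob",
     "rule": "mailbox_items_deleted", "technique": "T1070.008"},
]


def _when(det):
    return datetime.fromisoformat(det["ts"])


def ttp_sequence_alerts(detections, first_rule, second_rule,
                        window=timedelta(hours=1)):
    """Targeted composite: fire when `second_rule` follows `first_rule` for
    the same user within `window`. Returns one alert per matched pair."""
    by_user = defaultdict(list)
    for det in sorted(detections, key=_when):
        by_user[det["user"]].append(det)

    alerts = []
    for user, dets in by_user.items():
        for first in (d for d in dets if d["rule"] == first_rule):
            for second in dets:
                gap = _when(second) - _when(first)
                if second["rule"] == second_rule and timedelta(0) < gap <= window:
                    alerts.append({"user": user, "host": second["host"],
                                   "chain": [first["rule"], second["rule"]],
                                   "gap_minutes": gap.total_seconds() / 60})
    return alerts


def technique_bucket_alerts(detections, min_techniques=2,
                            window=timedelta(hours=24)):
    """Broad composite: fire once per host when detections tagged with at least
    `min_techniques` distinct ATT&CK techniques land inside a sliding `window`.
    The rule never names the underlying rules, so a new single-event rule joins
    a bucket simply by carrying the technique tag."""
    by_host = defaultdict(list)
    for det in sorted(detections, key=_when):
        by_host[det["host"]].append(det)

    alerts = []
    for host, dets in by_host.items():
        for start in dets:
            in_window = [d for d in dets
                         if timedelta(0) <= _when(d) - _when(start) <= window]
            techniques = sorted({d["technique"] for d in in_window})
            if len(techniques) >= min_techniques:
                # The "story" field is the contextual narrative an analyst
                # gets instead of three separate low-confidence alerts.
                alerts.append({"host": host, "techniques": techniques,
                               "story": [d["rule"] for d in in_window]})
                break  # one alert per host, not one per window position
    return alerts


if __name__ == "__main__":
    print("targeted:", ttp_sequence_alerts(
        SAMPLE_DETECTIONS, "password_changed", "mailbox_items_deleted"))
    print("hunting :", technique_bucket_alerts(SAMPLE_DETECTIONS))
```

On the constructed input the targeted rule fires only for alice, whose mailbox deletion lands seven minutes after the credential change; bob's deletion is nearly a day later and falls outside the one-hour window. The bucket rule, with its 24-hour window, fires for both hosts, and raising `min_techniques` to 3 narrows it back to ws-17. Tuning those two knobs, rather than rewriting the rule body, is what makes the bucket approach modular.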
Have questions about this session? Drop a post below or in the SecOps Forum.
