Types of detection analytics
In the ESCU app, every detection belongs to one of the categories below. Each detection's YAML file in the security_content GitHub repository carries a field called `type`, and that type drives how the detection behaves in the product:
Type | Description | Example |
---|---|---|
TTP | Designed to detect a certain adversary tactic, technique, or procedure. | Attempted Credential Dump From Registry via Reg exe |
Anomaly | Triggers on behavior that is not normally observed. Anomalous behavior is not necessarily malicious but can be suspicious, for example an executable that has never run before, or a process using the network when it does not normally do so. | Add Default User And Password In Registry |
Hunting | Increases the risk of an asset or entity but tends to be too noisy to generate a notable event by itself; the notable comes from aggregated risk across several other detections. Also known as hunting queries. | 7zip CommandLine To SMB Share Path |
Correlation | Correlates various detection results to identify a high-level threat and generate a notable. | Living Off The Land Detection |
Baseline | Maintains an analytic, or creates a baseline of data that other detections can leverage. | Baseline Of Cloud Instances Launched |
Investigation | Searches that use tokens and populate the pre-built panels ESCU ships for the Investigative Workbench in Splunk Enterprise Security. | AWS Investigate Security Hub alerts by dest |
The following table displays how each type is configured out of the box in the ESCU app.
Analytic type | Create notable | Create risk and threat objects | Triggers playbook | Tied to a dashboard | Runs on CRON schedule | Enabled by default |
---|---|---|---|---|---|---|
Hunting | No | No | No | Yes | No | No |
TTP | Yes | Yes | Yes | No | Yes | No |
Baseline | No | Yes | Yes | No | Yes | No |
Anomaly | No | Yes | No | No | Yes | No |
Correlation | Yes | No | Yes | No | Yes | Yes |
Investigation | No | No | No | Yes | No | No |
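The `type` field in each detection YAML and the out-of-the-box matrix above together decide what a detection will do once it is enabled: only TTP and Correlation searches raise a notable on their own, Anomaly and Baseline searches only create risk or threat objects, and Hunting and Investigation searches feed dashboards. The following script is an added example for this page, not code from the security_content repository or the ESCU app. It reads the top-level `name` and `type` of each detection, attaches the behaviour from the matrix, and flags a missing or misspelled type before the content reaches the app. Assumptions: the matrix below is a transcription of the table above; the YAML reader is deliberately minimal (top-level `key: value` scalars only) so the script runs without PyYAML; the sample detection bodies are constructed and are not the real files, even where the names match the examples in the first table.

```python
"""Audit ESCU-style detection YAML by its `type` field.

Added example for this page; not code from security_content or the ESCU app.
Assumptions: BEHAVIOUR mirrors the out-of-the-box table above; parse_top_level
reads only top-level `key: value` scalars (no PyYAML needed); the sample
detection bodies below are constructed, not the real repository files.
"""

COLUMNS = ("notable", "risk", "playbook", "dashboard", "cron", "enabled")

# Out-of-the-box behaviour per analytic type, transcribed from the table above.
BEHAVIOUR = {
    #                 notable  risk   playbook dashboard cron   enabled
    "Hunting":       (False,  False, False,   True,     False, False),
    "TTP":           (True,   True,  True,    False,    True,  False),
    "Baseline":      (False,  True,  True,    False,    True,  False),
    "Anomaly":       (False,  True,  False,   False,    True,  False),
    "Correlation":   (True,   False, True,    False,    True,  True),
    "Investigation": (False,  False, False,   True,     False, False),
}


def parse_top_level(text):
    """Return the top-level `key: value` scalars of a YAML document.

    Minimal by design: indented lines, blank lines, comments and list items
    are skipped, and a key with no inline value (a nested block such as
    `tags:`) is ignored. That is enough to read `name` and `type`.
    """
    fields = {}
    for raw in text.splitlines():
        if not raw or raw[0] in " \t#-":
            continue
        key, sep, value = raw.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().strip("'\"")
    return fields


def audit(yaml_docs):
    """Classify each detection by `type` and attach its out-of-the-box behaviour.

    An unknown or missing type yields behaviour None plus a problem string, so
    a typo such as `type: Hunt` is caught before the content is packaged.
    """
    report = []
    for doc in yaml_docs:
        fields = parse_top_level(doc)
        dtype = fields.get("type")
        entry = {
            "name": fields.get("name", "<unnamed>"),
            "type": dtype,
            "behaviour": dict(zip(COLUMNS, BEHAVIOUR[dtype])) if dtype in BEHAVIOUR else None,
            "problems": [],
        }
        if dtype is None:
            entry["problems"].append("missing `type` field")
        elif dtype not in BEHAVIOUR:
            entry["problems"].append(f"unknown type {dtype!r}; expected one of {sorted(BEHAVIOUR)}")
        report.append(entry)
    return report


def notable_producers(yaml_docs):
    """Names of detections whose type creates a notable by itself once enabled.

    Anomaly, Baseline, Hunting and Investigation never appear here: per the
    table they only create risk objects or populate dashboards.
    """
    return [e["name"] for e in audit(yaml_docs) if e["behaviour"] and e["behaviour"]["notable"]]


def enabled_by_default(yaml_docs):
    """Names of detections that ship enabled (only the Correlation type does)."""
    return [e["name"] for e in audit(yaml_docs) if e["behaviour"] and e["behaviour"]["enabled"]]


# Constructed sample detections. Names reuse the page's examples; the bodies
# are invented for this example and are not the real security_content files.
SAMPLE_DETECTIONS = [
    """\
name: Attempted Credential Dump From Registry via Reg exe
type: TTP
status: production
description: Constructed sample body, not the real security_content file.
tags:
  analytic_story:
    - Constructed Story
""",
    """\
name: Add Default User And Password In Registry
type: 'Anomaly'
status: production
description: Constructed sample body; the quoted type exercises quote stripping.
""",
    """\
name: Living Off The Land Detection
type: Correlation
status: production
description: Constructed sample body for a risk-based correlation search.
""",
    """\
name: Constructed Misspelled Hunting Search
type: Hunt
status: production
description: Constructed sample with a typo in type, to show the validation path.
""",
]

if __name__ == "__main__":
    for e in audit(SAMPLE_DETECTIONS):
        flags = ", ".join(k for k, v in (e["behaviour"] or {}).items() if v) or "-"
        print(f"{e['name']:<55} {str(e['type']):<12} {flags}  {'; '.join(e['problems'])}")
    print("notable producers:", notable_producers(SAMPLE_DETECTIONS))
    print("enabled by default:", enabled_by_default(SAMPLE_DETECTIONS))
```

Running the audit over a checkout of security_content before packaging shows at a glance which detections will actually raise notables versus only contribute risk, and catches a `type` value that is not one of the six the app understands.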