Alerts

Design a custom response strategy

Two things should happen when an offensive action, such as a Verified Security Test, runs on an endpoint: it should be prevented and an alert should fire to a remote system where analysts can triage it.

Triaging is the process of separating real events from false positives and resolving any issues.

About alerting

Endpoints often run two agents: an EDR for preventing malicious behavior and a logging utility for sending all events to a SIEM. An alert management strategy can revolve around either.

If the strategy revolves around the EDR, alerts are sent to the EDR dashboard and are often proxied into a SIEM (example: Splunk), a ticketing system (example: JIRA), an instant messenger (example: Slack) or an infrastructure alerting system (example: PagerDuty). Analysts may triage alerts from any one, or several, of these sources.

If the strategy revolves around the SIEM, alerts are stored in a database holding every event (alerts and otherwise) collected from all endpoints through the separate logging agent. Analysts triage alerts by correlating events against detection rules, through a process known as detection engineering.

Alert strategy

When deploying Detect at scale, it is important to adjust your alert management strategy to avoid a large number of false positives. Partner integrations offer several built-in options which you can incorporate into your larger plan.

EDR

Most vendors support exceptions or alert suppression when an event matches a particular signature, such as events sourced from a particular process or file. Detect runs all tests from a signed executable, which has several characteristics an exception can be built around: process name, file location, file signature, file hash, test directory, test hashes, etc. Depending on the vendor, you can select one or many of these characteristics and mark the matching alerts as either informational or ignored.

SIEM

Every Verified Security Test has several identifiable characteristics, most prominently the file hash. These characteristics can be automatically forwarded to a SIEM, as an event, immediately after execution. From there, these events can be matched against any alerts uncovered through the detection engineering process, and the matches dismissed as known false positives. The correlation method used will depend on the rule framework in place (example: Sigma) and on the process used to move matches into a ticketing system.
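The correlation step described above, as an added example that is not Prelude's code or part of the original page. It goes slightly beyond the text: an alert is only dismissed when its file hash matches a test-execution event on the same host inside a short time window, so the same binary seen hours later still reaches an analyst. The field names and the sample events and alerts are constructed for illustration; a real deployment would map the fields Detect and the SIEM actually emit.

```python
"""Correlate SIEM alerts with Verified Security Test execution events.

Added example, not Prelude's code. Field names, hashes and timestamps
below are constructed; map them to the real event schema in use.
"""
from datetime import datetime, timedelta

# Constructed test-execution events, as forwarded to the SIEM after each run.
TEST_EVENTS = [
    {"host": "ws-017", "sha256": "a" * 64, "test_id": "test-0001",
     "executed_at": "2024-03-04T10:00:05Z"},
    {"host": "ws-042", "sha256": "b" * 64, "test_id": "test-0002",
     "executed_at": "2024-03-04T10:02:10Z"},
]

# Constructed alerts raised by detection rules over the same period.
ALERTS = [
    {"id": "alt-1", "host": "ws-017", "sha256": "a" * 64, "rule": "susp_proc",
     "observed_at": "2024-03-04T10:00:07Z"},   # fired by the test itself
    {"id": "alt-2", "host": "ws-017", "sha256": "c" * 64, "rule": "susp_proc",
     "observed_at": "2024-03-04T10:00:09Z"},   # unknown binary: needs triage
    {"id": "alt-3", "host": "ws-042", "sha256": "b" * 64, "rule": "susp_proc",
     "observed_at": "2024-03-04T11:30:00Z"},   # test hash, but long after the run
]


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, test_events, window=timedelta(minutes=5)):
    """Split alerts into those explained by a test run and those left to triage.

    An alert is 'expected' when a test event with the same host and file hash
    executed at most `window` before the alert was observed.
    """
    index = {}
    for ev in test_events:
        index.setdefault((ev["host"], ev["sha256"]), []).append(ev)
    expected, triage = [], []
    for alert in alerts:
        observed = _ts(alert["observed_at"])
        matched = None
        for ev in index.get((alert["host"], alert["sha256"]), []):
            delta = observed - _ts(ev["executed_at"])
            if timedelta(0) <= delta <= window:
                matched = ev["test_id"]
                break
        if matched:
            expected.append({**alert, "matched_test": matched})
        else:
            triage.append(alert)
    return expected, triage
```

The `expected` list is what a ticketing integration would close automatically as a known test result; everything in `triage` is handed to an analyst as usual.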