Skip to content

Threat Detection: Overview

By now, you should have come across alerts, events, and stories during Chapters 1 and 2, either through exploring asset pages or vulnerabilities. We now want to begin building an understanding such that:

  • Discover recent and noteworthy activity occurring within the environment;
  • Identify which assets, zones, or communications may warrant further investigation;
  • Understand how CTD uses rules, baselines, and signatures to generate detections;
  • Determine where to begin an investigation when suspicious activity is identified.

  • Navigate to Threat Detection > Overview.

  • Ensure that the time series is set to Last Year (located in the top-right corner).

  • Using the information available on the Threat Detection Overview Page, determine:
    • The total number of Open Alerts, Events, and Open Stories
    • The most common type of alert
    • Most recent and critical alerts
    • The most alerted zones
  • What information on the Overview dashboard is most helpful? What caught your attention the most?
  • If you were viewing this page with the intention of remediating an alert, which of the presented modules would you be most likely to choose to start at?

  • CTD uses several different rule types to determine when alerts should be generated. These rules can be reviewed under Threat Detection > Rules > ....
titledescription
Zone RulesDefine which zones are expected to communicate with other zones. Zone rules should be validated.
Baseline RulesDefine normal network behavior such as typical communication frequency/patterns, timing, protocols, and packet characteristics.
Network SignaturesDetect known suspicious or malicious network activity, similar to network-based intrusion detection signatures. They are used to identitfy behaviors such as scanning, explotataion attempts, or other known attack techniques.
YARA RulesDetect known malicious files or file characteristics using pattern mathcing against known indicators to identity malware and suspicious payloads.
Auto ResolveAutomatically closes alerters that meet predefined conditions, which helps to reduce alert fatique by resolving expected or previously reviewed activity.
  • Which rule type would be most useful for identifying communications between zones that should not be interacting?
  • How might Auto Resolve be helpful for certain alerts?
  • Which rule type would you expect to generate the most environment-specific detections, and why?