2d. Capability
This refers to the internal capabilities of the team and their respective technologies, whether that is the expertise of the individuals or access to the required resources. Capability also determines the complexity of researching and building the detection, so it is not just a question of whether something is achievable, but a consideration across the spectrum of complexity and the resulting valuation.
Features
Starting with the target technology that will execute the rule or defensive capability, such as the Elastic Stack, we can consider what it can do and how it does it. If we are writing a rule, do the existing rule types support the intended approach? Are the capabilities built in and simple to use, or do they need configuration or feature expansion?
Does the native data source provide all of the data? Is there a built-in integration to support the use case? Perhaps you need to leverage additional features such as Osquery and YARA to accomplish the detection. As alluded to earlier, there are often multiple ways to attain the outcome, but are the cost and complexity worth it? As a specific example, would writing a bad rule with a really expensive join be worth the alert it generates?
Approaches
This was touched on under features: the approach can differ in how the logic is formulated within a dedicated query, in the rule type used, or even in the data source targeted for the search. It could also mean leveraging a different feature altogether, such as a machine learning job, or using vector search to determine similarity.
Rule types
Rule types vary across platforms and may mean something different altogether depending on the implementation. Essentially, there are major differences in how a rule type is constructed and executed, whether or not that is driven by configurable parameters within the rule.
Language paradigms
The implications of the query language used within a rule or signature are similar to the rule type consideration, but they apply within the specific rule itself. Most often the language syntax is just the medium for conveying the functionality under the hood, but its implications should be known and considered before making a decision. Put simply, just because something can be detected with specific logic does not mean that is the most viable or performant approach.
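As an added example (not code from the original post), here is the "expensive join" question from the features section and the performance point above modelled in Python: the same two-event detection ("a watchlisted process starts, then that same process makes an outbound connection") is correlated two ways over constructed ECS-style events, counting how much work each approach does. The field names, watchlist and time window are assumptions, not a real rule.

```python
from collections import defaultdict

# Constructed sample events in ECS-like shape (not real telemetry).
# process.entity_id is what ties a network event back to its process.
WATCHLIST = {"WINWORD.EXE", "EXCEL.EXE"}   # assumed parent-process watchlist
WINDOW = 5                                   # seconds allowed between the two events

PROCESS_EVENTS = [
    {"host": "ws-01", "entity_id": f"p{i}", "name": "svchost.exe", "ts": i}
    for i in range(200)
] + [{"host": "ws-01", "entity_id": "p-doc", "name": "WINWORD.EXE", "ts": 50}]

NETWORK_EVENTS = [
    {"host": "ws-01", "entity_id": f"p{i}", "dst_port": 443, "ts": i + 1}
    for i in range(200)
] + [{"host": "ws-01", "entity_id": "p-doc", "dst_port": 8081, "ts": 52}]


def nested_loop_join(procs, nets):
    """Compare every process event against every network event: O(n*m).
    Returns (alerts, number of comparisons performed)."""
    alerts, comparisons = [], 0
    for p in procs:
        for n in nets:
            comparisons += 1
            if (p["host"] == n["host"] and p["entity_id"] == n["entity_id"]
                    and 0 <= n["ts"] - p["ts"] <= WINDOW
                    and p["name"] in WATCHLIST):
                alerts.append((p["name"], n["dst_port"]))
    return alerts, comparisons


def keyed_join(procs, nets):
    """Apply the cheap predicate first, then look up by (host, entity_id):
    O(n + m). Same alerts, a fraction of the work."""
    alerts, comparisons = [], 0
    by_key = defaultdict(list)
    for p in procs:
        if p["name"] in WATCHLIST:
            by_key[(p["host"], p["entity_id"])].append(p)
    for n in nets:
        for p in by_key.get((n["host"], n["entity_id"]), ()):
            comparisons += 1
            if 0 <= n["ts"] - p["ts"] <= WINDOW:
                alerts.append((p["name"], n["dst_port"]))
    return alerts, comparisons


if __name__ == "__main__":
    for fn in (nested_loop_join, keyed_join):
        alerts, work = fn(PROCESS_EVENTS, NETWORK_EVENTS)
        print(f"{fn.__name__}: {len(alerts)} alert(s) after {work} comparisons")
```

Both functions produce the identical single alert, but the nested-loop version performs 40,401 comparisons against 1 for the keyed version; the alert is the same, the cost of producing it is not.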