Common attributes of rules, signatures, and alerting engines

First, a cursory review of common rule-based approaches to detecting malicious activity.

Streaming or batch-retrieval detection engines

Fig. 84 Streaming or batch-based detection engine

Fig. 85 Correlation on detection engine

This is the most common model in use today. It is what most SIEM and EDR engine implementations look like, with SIEMs tending toward batch retrieval and EDRs toward streaming evaluation. Network Intrusion Detection Systems (IDS) are another technology that employs this model.
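To make the distinction concrete, here is a small toy engine, added as an example and not code from the original page, that evaluates one rule in streaming fashion (per event, as it arrives), one rule in batch fashion (over a retrieved window of stored events on a schedule), and then correlates hits from both per host. The event records, rule names and thresholds are all constructed for the example.

```python
"""Toy streaming + batch detection engine with a correlation step.

Added example, not from the original page. Event records, rule names and
thresholds are constructed; a real SIEM or EDR would source events from
telemetry pipelines and rules from a rule repository.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: process starts and logon failures from three hosts.
EVENTS = (
    [
        {"ts": 100, "host": "ws-01", "action": "process_start", "proc": "winword.exe", "parent": "explorer.exe"},
        {"ts": 101, "host": "ws-01", "action": "process_start", "proc": "powershell.exe", "parent": "winword.exe"},
        {"ts": 102, "host": "ws-03", "action": "process_start", "proc": "powershell.exe", "parent": "explorer.exe"},
    ]
    + [{"ts": 110 + i, "host": "ws-01", "action": "logon_failure", "user": "svc-backup"} for i in range(6)]
    + [{"ts": 120 + i, "host": "ws-02", "action": "logon_failure", "user": "admin"} for i in range(6)]
)

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: int


def stream_rule_office_spawns_shell(event):
    """Streaming rule (EDR style): evaluated once, on the single event just received."""
    if event.get("parent") in OFFICE_APPS and event.get("proc") in SHELLS:
        return Alert("office_spawns_shell", event["host"], event["ts"])
    return None


def batch_rule_logon_failure_burst(window_events, threshold=5):
    """Batch rule (SIEM style): evaluated over a retrieved window of stored events."""
    failures, last_ts = defaultdict(int), {}
    for e in window_events:
        if e.get("action") == "logon_failure":
            failures[e["host"]] += 1
            last_ts[e["host"]] = e["ts"]
    return [Alert("logon_failure_burst", h, last_ts[h]) for h, n in failures.items() if n >= threshold]


def run_engine(events, window=60, batch_interval=10):
    """Ingest events in order; stream-evaluate each one, batch-evaluate on a schedule.

    Returns (alerts, escalated_hosts). Alerts are de-duplicated on (rule, host)
    because a scheduled batch run naturally re-sees events from the last window.
    """
    store, alerts = [], {}
    last_batch_ts = None

    def run_batch(now):
        window_events = [e for e in store if now - e["ts"] <= window]
        for a in batch_rule_logon_failure_burst(window_events):
            alerts.setdefault((a.rule, a.host), a)

    for event in events:
        store.append(event)                      # batch engines need the event stored first
        a = stream_rule_office_spawns_shell(event)  # streaming engines act right away
        if a:
            alerts.setdefault((a.rule, a.host), a)
        if last_batch_ts is None:
            last_batch_ts = event["ts"]
        if event["ts"] - last_batch_ts >= batch_interval:  # scheduled batch retrieval
            run_batch(event["ts"])
            last_batch_ts = event["ts"]
    if store:
        run_batch(store[-1]["ts"])               # final batch so trailing events are not missed

    # Correlation: a host with hits from more than one rule is escalated.
    rules_by_host = defaultdict(set)
    for a in alerts.values():
        rules_by_host[a.host].add(a.rule)
    escalated = sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)
    return sorted(alerts.values(), key=lambda a: (a.ts, a.rule)), escalated


if __name__ == "__main__":
    found, escalated = run_engine(EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.rule}")
    print("escalated:", escalated)
```

The streaming rule fires on ws-01 the moment the second event arrives; the batch rule only sees the logon-failure bursts when its schedule retrieves the stored window, which is why SIEM-style detections carry a latency the streaming path does not. The correlation step escalates ws-01 because it has hits from both rules, while ws-02 stays at a single-rule alert.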

Active host scanning

Fig. 86 Active host scanning

This is essentially the osquery model, where queries are used to actively retrieve information from hosts. What is seen less often is running it as a distributed model on a scheduled, recurring cadence rather than only as manual runs. That makes it a viable option for alerting, not just for triage and threat hunting.

Triggered scanning

Fig. 87 Triggered scanning

Triggered scanning refers to a reactive approach based on some satisfied criteria. A common usage of this is to perform YARA scanning on patterns or attributes of static files or memory snapshots. These findings can then be used to generate alerts or events.
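The reactive pattern above, as an added example that is not part of the original page: a file-write event is checked against trigger criteria, and only a satisfying event causes the written file to be scanned against a small set of content rules, producing an alert on a hit. The rules here are plain Python predicates standing in for YARA rules (a real deployment would compile YARA rules with the yara library), and the watched directories, event records and file contents are all constructed for the example.

```python
"""Triggered scanning: scan a file only when an event satisfies trigger criteria.

Added example, not from the original page. The content rules are simple
predicates standing in for YARA rules; paths, events and file bytes are
constructed. `disk` is a dict standing in for the filesystem so the example
runs offline.
"""
import re

# Trigger criteria: completed writes of non-empty files in user-writable locations (constructed list).
WATCHED_DIRS = ("/tmp/", "/home/", "C:\\Users\\")

# Stand-in for a YARA rule set: (rule name, predicate over path and file bytes).
RULES = [
    # A PE header under a document extension: the content does not match the claimed type.
    ("pe_header_in_document_extension",
     lambda path, data: data[:2] == b"MZ" and path.lower().endswith((".txt", ".pdf", ".docx"))),
    # A script carrying a long base64-looking blob; a common generic heuristic, tuned by threshold.
    ("large_base64_blob_in_script",
     lambda path, data: path.lower().endswith((".ps1", ".vbs", ".js"))
     and re.search(rb"[A-Za-z0-9+/]{120,}={0,2}", data) is not None),
]


def should_scan(event):
    """Trigger criteria: only file-write events in watched directories start a scan."""
    return (
        event.get("type") == "file_write"
        and event.get("path", "").startswith(WATCHED_DIRS)
        and event.get("size", 0) > 0
    )


def scan(path, data):
    """Run every content rule over the file; return the names of the rules that matched."""
    return [name for name, predicate in RULES if predicate(path, data)]


def handle_event(event, disk):
    """Reactive step: evaluate the trigger, scan on demand, emit an alert on a hit."""
    if not should_scan(event):
        return None
    data = disk.get(event["path"])
    if data is None:
        return None  # the file is already gone; nothing to scan
    hits = scan(event["path"], data)
    if not hits:
        return None
    return {"host": event["host"], "path": event["path"], "rules": hits}


def run(events, disk):
    """Process an event stream; return the alerts generated by triggered scans."""
    return [alert for alert in (handle_event(e, disk) for e in events) if alert]


# Constructed stand-in filesystem (path -> bytes).
DISK = {
    "/home/alice/Downloads/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE bytes, .pdf name
    "/home/alice/notes.txt": b"meeting at 10",
    "/tmp/update.ps1": b"$p = '" + b"A" * 130 + b"=='\n",                 # long blob in a script
    "/opt/app/bin/tool": b"MZ\x90\x00" + b"\x00" * 60,                    # outside watched dirs
}

# Constructed event stream; only some events satisfy the trigger criteria.
EVENTS = [
    {"type": "file_write", "host": "ws-01", "path": "/home/alice/Downloads/invoice.pdf", "size": 64},
    {"type": "file_write", "host": "ws-01", "path": "/home/alice/notes.txt", "size": 13},
    {"type": "file_write", "host": "ws-02", "path": "/tmp/update.ps1", "size": 140},
    {"type": "process_start", "host": "ws-02", "path": "/usr/bin/python3"},
    {"type": "file_write", "host": "ws-02", "path": "/opt/app/bin/tool", "size": 64},
]

if __name__ == "__main__":
    for alert in run(EVENTS, DISK):
        print(alert)
```

Keeping the trigger cheap and the scan expensive-but-rare is the whole point of this model: the process-start event and the write outside the watched directories never reach the scanner, and the benign notes file is scanned but produces no alert. The same split applies when the trigger is a memory event and the scan target is a memory snapshot.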