Throughout the course of my career working in various blue team roles, I’ve noticed a major disconnect in the terminology that is used in an attempt to describe the various components of threat detection. In this post, I would like to propose some definitions for some of these terms. I hope they might provide other professionals with a common reference when talking about threat detection.

Data Source

Software, systems, services and other information assets that produce events in the form of logs or telemetry. Threat Detection is typically only concerned with data sources that are of security interest (Sysmon vs. Perfmon).

Event

Activity that occurs on a data source that is processed, transmitted, and/or stored for real time or future analysis. Examples:

  • A user authenticates into an application
  • An endpoint process is started
  • A database record is updated
  • A network connection is established
  • A USB device is plugged in
  • User calls the helpdesk to report that their workstation is performing unusually poorly

Event Pipeline

One or more systems responsible for transmitting events from data sources to one or more systems responsible for processing and/or storing events.

Alert

The output of one or more events that trigger on a predefined set of criteria or logic that warrant further analysis through automation and/or human intervention.

Alerts are usually driven by events originating from data sources but can also be human-generated (e.g. a user-reported phishing message). The criteria or alert logic that results in a data source-driven alert is often referred to as a signature, query, search, rule, policy, pattern, report, or correlation. Examples:

  • An endpoint process is observed leveraging a technique associated with a known bad threat actor
  • A user downloads a file whose hash matches that of known malware
  • A privileged user successfully authenticates to an application from an unusual IP address at an unusual time of day

Incident

One or more security events and/or alerts that together identify a threat that actively poses a risk to the confidentiality, integrity, or availability of an organization’s information assets or services.

Detection Use Case

Strategic and business-driven criteria that aim to mitigate a risk or threat to an organization through the use of detective controls where preventative controls do not exist or are known to fail. A use case defines who or what must be detected, where it will be detected, when it should be detected (priority), and why it’s important. Detection use cases are commonly solved through one or more implementations of detection content.

Detection Content

A tactical solution aiming to satisfy all or a portion of a detection use case. Detection content consists of the documentation, alert logic, data enrichment, automation, and an output for human or systematic consumption. This term is usually described as an “alert”, which is a type of detection content output.
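The sketch below is an added example, not code from the original post. It runs the third alert example (a privileged user authenticating from an unusual IP address at an unusual time of day) over constructed events, and separates the pieces the Detection Content definition lists: documentation, enrichment, alert logic and output. The event schema, the baseline table and every name in it are assumptions.

```python
from datetime import datetime

# Documentation: ties the content back to its detection use case (hypothetical names).
RULE = {"name": "privileged_auth_unusual_ip_and_time",
        "use_case": "Detect misuse of privileged credentials",
        "data_source": "app-auth"}

# Enrichment data (assumed lookups): privileged accounts and per-user history.
PRIVILEGED = {"alice"}
BASELINE = {"alice": {"ips": {"10.0.0.5"}, "hours": range(8, 19)}}

# Constructed sample events, as an event pipeline might deliver them.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "source": "app-auth", "user": "alice", "ip": "10.0.0.5", "result": "success"},
    {"ts": "2024-03-05T03:40:00", "source": "app-auth", "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-05T03:41:00", "source": "app-auth", "user": "alice", "ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-05T02:00:00", "source": "app-auth", "user": "bob", "ip": "198.51.100.9", "result": "success"},
    {"ts": "2024-03-05T10:00:00", "source": "app-auth", "user": "alice", "ip": "203.0.113.7", "result": "success"},
]

def enrich(event):
    """Data enrichment: add context the raw event does not carry."""
    base = BASELINE.get(event["user"], {"ips": set(), "hours": range(0)})
    hour = datetime.fromisoformat(event["ts"]).hour
    return {**event,
            "privileged": event["user"] in PRIVILEGED,
            "ip_unusual": event["ip"] not in base["ips"],
            "hour_unusual": hour not in base["hours"]}

def alert_logic(e):
    """Alert logic: the predefined criteria an enriched event must meet."""
    return (e["source"] == RULE["data_source"] and e["result"] == "success"
            and e["privileged"] and e["ip_unusual"] and e["hour_unusual"])

def run_detection(events):
    """Output: one alert record per matching event, for an analyst or automation."""
    return [{"rule": RULE["name"], "use_case": RULE["use_case"],
             "user": e["user"], "ip": e["ip"], "ts": e["ts"]}
            for e in map(enrich, events) if alert_logic(e)]

if __name__ == "__main__":
    for alert in run_detection(EVENTS):
        print(alert)
```

Of the five events, only the successful 03:41 login matches; the failed attempt, the non-privileged user and the daytime login from the same unusual IP remain events that never become alerts.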