
3h 19m 13s logged

Detections

lol this was fun too

the entire detection pipeline

so basically i started Detections work to complete the SOC pipeline (agent -> events -> detections)
and since i have no rule engine set up yet, i hardcoded a Sus Process rule in the detection function
it basically checks events within a time window of 30 seconds and checks their names for sus process names (which is just an array for now)

and the detection function runs on a Background Scheduler every 30 seconds in backend (not agent, i dont want)

and after that it stores the detection in the Detections table which stores things like: Rule Name, Triggered Events, Context, Status, etc

and at the end it is displayed beautifully (i love this so much T___T) on the dashboard

thingys made

  1. Backend:
  • Detection model, schemas, etc
  • /detections/ - gives list of all detections
  • /detections/{id} - gives the specific detection
  2. Dashboard:
  • /detections - shows all the detections in a table, needs more stuff like filter
  • /detections/[id] - shows detection detail (looks REALLY good)

Next

see the obvious next step is a rule system to store detection rules but i wont do that, see i am planning to add 2 types of rules just like all the SOCs, they are: direct matching rules and threshold based rules
and i will build both at once but there is nothing yet which can be used with threshold based rules, and i dont want to edit the rule system again and again
so i am planning to make authentication based events first and then work on rules, then process events can be tested with direct matching rules and authentication events can be tested with threshold based rules like SSH Brute force attack
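As an added example (not code from this post or its project), here is a pure-Python version of the scheduled detection job described above: the 30-second windowed Sus Process direct-matching rule, plus a generic threshold rule of the kind the Next section wants for SSH brute force. The event field names, the sus-name list, the Detection fields and the sample events are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: the post only says "an array" of sus process names, so this set is constructed.
SUS_PROCESS_NAMES = {"mimikatz.exe", "nc.exe", "psexec.exe"}
WINDOW = timedelta(seconds=30)  # the post's 30-second lookback

@dataclass  # mirrors the Detections table columns the post lists (field names assumed)
class Detection:
    rule_name: str
    triggered_events: list   # ids of the events that fired the rule
    context: dict
    status: str = "open"

def events_in_window(events, now, window=WINDOW):
    """Keep only events whose timestamp falls inside the last `window` before `now`."""
    return [e for e in events if now - window <= e["timestamp"] <= now]

def sus_process_rule(events, now):
    """Direct-matching rule: any process event whose name is on the sus list."""
    hits = [e for e in events_in_window(events, now)
            if e["type"] == "process" and e["name"].lower() in SUS_PROCESS_NAMES]
    if not hits:
        return []
    return [Detection("Sus Process", [h["id"] for h in hits],
                      {"matched_names": sorted({h["name"] for h in hits})})]

def threshold_rule(events, now, rule_name, event_type, key, threshold):
    """Threshold rule: the same `key` value seen >= `threshold` times in the window."""
    windowed = [e for e in events_in_window(events, now) if e["type"] == event_type]
    counts = Counter(e[key] for e in windowed)
    return [Detection(rule_name, [e["id"] for e in windowed if e[key] == value],
                      {key: value, "count": n, "threshold": threshold})
            for value, n in counts.items() if n >= threshold]

def run_detections(events, now):
    """Body of the scheduled job: run every rule once over the current window."""
    return (sus_process_rule(events, now)
            + threshold_rule(events, now, "SSH Brute Force", "auth_failure", "src_ip", 5))

# Constructed sample events (not real telemetry); 203.0.113.7 is a TEST-NET address.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "name": "mimikatz.exe", "timestamp": NOW - timedelta(seconds=5)},
    {"id": 2, "type": "process", "name": "notepad.exe", "timestamp": NOW - timedelta(seconds=10)},
    {"id": 3, "type": "process", "name": "nc.exe", "timestamp": NOW - timedelta(seconds=90)},  # too old
] + [{"id": 10 + i, "type": "auth_failure", "src_ip": "203.0.113.7",
      "timestamp": NOW - timedelta(seconds=i)} for i in range(6)]
```

Calling `run_detections(SAMPLE_EVENTS, NOW)` from the scheduler tick yields one Sus Process detection (event 1 only, since event 3 is outside the window) and one SSH Brute Force detection for the six failures from the same source.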
