This article provides an overview of the different ways to create detections, or signals.
Security signals are sent to the Resolution Intelligence Cloud when a high-potential threat is detected in Chronicle's security telemetry data.
There are three ways to create detections, or signals:
Detection rules written in the YARA-L language identify outliers in the security data. These rules run on top of Chronicle's telemetry data to detect the tactics and techniques catalogued in the MITRE ATT&CK framework, and they send signals to the Resolution Intelligence Cloud when the conditions in a rule are satisfied. All detection rules are associated with a content pack and are injected into Chronicle for use.
See Detection rules for more information.
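As an added illustration (not from the original page, and not a rule shipped by Netenrich or Google Chronicle), the following YARA-L 2.0 rule shows the shape a detection rule of this kind takes. It flags three or more encoded PowerShell launches on a single host within ten minutes, records the ATT&CK mapping in its meta section, and excludes hosts that appear on a Chronicle reference list, which is the same reference-list mechanism used to suppress known-good indicators. The rule name, meta values and the reference list %approved_admin_hosts are assumptions for illustration; the list must exist in Chronicle before the rule compiles.

```yaral
rule encoded_powershell_burst {
  meta:
    // Example metadata; values are assumptions, not from the page.
    author = "example"
    description = "Repeated encoded PowerShell launches on one host, excluding approved admin hosts"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.001"
    severity = "MEDIUM"

  events:
    // Only process-launch events from the UDM telemetry.
    $proc.metadata.event_type = "PROCESS_LAUNCH"

    // The launched binary is powershell.exe or powershell_ise.exe (case-insensitive).
    re.regex($proc.target.process.file.full_path, `(?i)powershell(_ise)?\.exe$`)

    // Command line carries -e / -enc / -EncodedCommand followed by a long base64 blob.
    re.regex($proc.target.process.command_line, `(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}`)

    // Exclusion: hosts on the assumed reference list %approved_admin_hosts never fire.
    not $proc.principal.hostname in %approved_admin_hosts

    // Group the events by the host they occurred on.
    $host = $proc.principal.hostname

  match:
    // Correlate events per host inside a 10-minute window.
    $host over 10m

  outcome:
    // Enrich the detection with counts and the users involved.
    $launch_count = count($proc.metadata.id)
    $users = array_distinct($proc.principal.user.userid)

  condition:
    // Fire only when at least three matching launches hit the same host.
    #proc >= 3
}
```

The exclusion is deliberately placed in the events section so excluded hosts are dropped before correlation; putting the allowlist check in the condition would still count their events toward the threshold.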
You can create four types of models to generate model-based signals or detections. Once a model is created, it is trained on the past 60 days of log data. After learning the behavioral patterns in that data, the model is applied to each day's new log data to find outlier behavior in the latest telemetry. Outliers found this way are written back to Chronicle as detections; Chronicle converts them into signals and sends them to the Resolution Intelligence Cloud.
See Behavioral models for more information.
Another way to generate signals is through threat feeds. You can ingest various kinds of IOCs (indicators of compromise), such as high-risk IPs, domains, hashes, and registry keys, into Chronicle to match them against large volumes of security telemetry. You can also exclude IPs, domains, or registry keys that you do not want Chronicle to report as detections by adding them to a reference list and linking that list to the threat feed you are creating.
See Threat feeds for more information.