Attack Detective runs an automated investigation against the log data in your Data Planes, using every detection rule from the world's largest collection that is relevant to your environment. It tests thousands of detection hypotheses automatically so you can see what is actually happening in your organization.
Attack Detective consists of three main processes:
Data Audit – the Data Audit automatically analyzes the log data collected in your Data Planes to determine your MITRE ATT&CK coverage (which techniques your collected log sources can support detections for) and to flag log sources that are missing or incomplete. A rule whose required log source is not collected cannot produce results in a scan, which is why the audit reports such sources as gaps.
Scan – a scan queries your logs for the selected period using translations of every Sigma rule in the SOC Prime Platform that is relevant to your Data Planes. Before running a scan, choose one of the following scan types according to your objective:
    Rules for Alerting – identifies the detection rules that fit your SIEM so you can configure them and deploy them to produce low-noise, high-value alerts.
    Threat Hunting – searches for and identifies threats by automating routine threat hunting tasks and correlating the findings with the MITRE ATT&CK framework and cyber threat intelligence (CTI).
Content Audit – the Content Audit maps your existing rules and queries to the MITRE ATT&CK framework using SOC Prime AI models.
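As an added illustration (not SOC Prime's code and not the platform's real Sigma translation engine), the following Python models the Data Audit and Scan steps described above over a handful of constructed, hypothetical rules and log events: it reports ATT&CK coverage and log-source gaps, renders each rule's selection as a generic query string, and runs only the rules relevant to the available log sources over the events inside a chosen period. The rule shape, field names, event data and query syntax are simplified assumptions made for this example; real Sigma processing uses a full toolchain such as pySigma with a backend for the target SIEM.

```python
import re
from datetime import datetime

# Constructed rules in a simplified Sigma shape: a logsource tuple, one
# AND-ed selection (modifiers |contains / |startswith / |endswith, a list
# of values meaning OR) and attack.tNNNN tags. Hypothetical content.
RULES = [
    {"title": "Encoded PowerShell command line",
     "logsource": ("windows", "process_creation"),
     "selection": {"Image|endswith": "\\powershell.exe",
                   "CommandLine|contains": ["-enc", "-encodedcommand"]},
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "DNS TXT record lookup",
     "logsource": ("windows", "dns_query"),
     "selection": {"QueryType": "TXT"},
     "tags": ["attack.command_and_control", "attack.t1071.004"]},
    {"title": "Sudoers file modified",
     "logsource": ("linux", "file_event"),
     "selection": {"TargetFilename|startswith": "/etc/sudoers"},
     "tags": ["attack.privilege_escalation", "attack.t1548.003"]},
]

# Log sources present in the hypothetical Data Plane: no Linux file events
# are collected, so the audit should report that as a gap.
AVAILABLE_SOURCES = {("windows", "process_creation"), ("windows", "dns_query")}

# Constructed sample events; the last one lies outside the scan window used below.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "logsource": ("windows", "process_creation"),
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Enc SQBFAFgA"},
    {"ts": "2024-05-01T10:05:00", "logsource": ("windows", "process_creation"),
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T10:06:00", "logsource": ("windows", "dns_query"),
     "QueryName": "update.example.test", "QueryType": "TXT"},
    {"ts": "2024-04-20T09:00:00", "logsource": ("windows", "dns_query"),
     "QueryName": "old.example.test", "QueryType": "TXT"},
]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
OPS = {"contains": lambda a, e: e in a, "endswith": str.endswith,
       "startswith": str.startswith, "": str.__eq__}


def techniques(rule):
    """ATT&CK technique IDs from a rule's tags (tactic tags are ignored)."""
    return {m.group(1) for m in map(TECHNIQUE_TAG.match, rule["tags"]) if m}


def data_audit(rules, sources):
    """Data Audit: techniques the available sources can support, techniques
    that are gaps, and the logsources rules need but the Data Plane lacks."""
    covered, gaps, missing = set(), set(), set()
    for rule in rules:
        if rule["logsource"] in sources:
            covered |= techniques(rule)
        else:
            gaps |= techniques(rule)
            missing.add(rule["logsource"])
    return {"covered": covered, "gaps": gaps - covered, "missing_sources": missing}


def _field_matches(modifier, expected, actual):
    # Sigma string matching is case-insensitive by default.
    return actual is not None and OPS[modifier](str(actual).lower(), str(expected).lower())


def rule_matches(rule, event):
    """Every selection field must match (AND); a list of values is an OR."""
    for key, expected in rule["selection"].items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_field_matches(modifier, v, event.get(field)) for v in values):
            return False
    return True


def to_query(rule):
    """Render a rule's selection as a generic query string (illustrative syntax
    only; a real translation targets one SIEM's query language)."""
    parts = []
    for key, expected in rule["selection"].items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        wild = {"contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}.get(modifier, "{}")
        parts.append("(" + " OR ".join(f'{field}:"{wild.format(v)}"' for v in values) + ")")
    return " AND ".join(parts)


def scan(rules, events, sources, start, end):
    """Scan: run the rules relevant to the available sources over the events
    inside [start, end); return (rule title, technique, event index) hits."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    applicable = [r for r in rules if r["logsource"] in sources]
    hits = []
    for idx, event in enumerate(events):
        if not lo <= datetime.fromisoformat(event["ts"]) < hi:
            continue  # outside the selected period
        for rule in applicable:
            if rule["logsource"] == event["logsource"] and rule_matches(rule, event):
                hits.extend((rule["title"], t, idx) for t in sorted(techniques(rule)))
    return hits
```

Running `data_audit(RULES, AVAILABLE_SOURCES)` reports T1059.001 and T1071.004 as covered and T1548.003 as a gap caused by the missing Linux file-event source; `scan(RULES, EVENTS, AVAILABLE_SOURCES, "2024-05-01T00:00:00", "2024-05-02T00:00:00")` returns one hit per relevant rule that matched inside the period, and the sudoers rule is never evaluated because its log source is absent.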
