To start working with Attack Detective, you need to check the following requirements and make sure you are all set up:
You should have at least one Data Plane configured. To set up a Data Plane, click your account icon > select Platform Settings > Data Planes. When creating a Data Plane, make sure the Attack Detective checkbox is selected so the integration is available to Attack Detective. Follow these guidelines on how to set up a Data Plane integration for your platform.
Optionally, you can select specific Tenant(s) that group your Data Planes to efficiently organize and manage integrations with your SIEMs, EDRs, or Data Lakes. To create or manage a Tenant, click your account icon > select Platform Settings > Tenants. Follow these guidelines on how to create and manage Tenants to group your Data Planes.
Set up a Custom Field Mapping profile whenever your SIEM, EDR, or Data Lake uses non-standard tables/indices or field names, so that the fields in detection queries match the data schema of your environment. To create a Custom Field Mapping, use these guidelines.
When creating a Data Plane profile, in the Profile Details section select the Attack Detective checkbox and then choose the Default Custom Field Mappings you want to assign to this Data Plane. The selected Custom Field Mapping is applied automatically to all your content when working with Attack Detective.
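To make the purpose of a field mapping profile concrete, here is an added illustration (not SOC Prime's own code, and not the product's mapping format): a small translator that rewrites the `field:` terms of a detection query using a mapping profile and reports any field the profile does not cover. The profile shape, the index and field names, the ECS-style target schema and the query syntax are all assumptions made for the example.

```python
"""Added example: applying a custom field mapping profile to a detection query
before it runs against a non-standard index.  Profile shape, field names and
query syntax are assumptions, not SOC Prime's own format."""
import re
from dataclasses import dataclass, field

# Matches a `field:` term.  The negative look-behind skips drive letters such as
# `C:` inside values and anything glued to a wildcard or another colon.
FIELD_TERM = re.compile(r"(?<![\w\\:*])([A-Za-z_][\w.]*):")


@dataclass
class FieldMapping:
    """Hypothetical mapping profile: standard names -> environment names."""
    name: str
    indices: dict = field(default_factory=dict)  # standard index -> custom index
    fields: dict = field(default_factory=dict)   # standard field -> custom field


def translate_query(query: str, mapping: FieldMapping) -> tuple[str, list[str]]:
    """Rewrite every `field:` term through the profile.

    Returns the rewritten query and the list of fields the profile does not
    cover, so a missing mapping is surfaced instead of silently producing a
    query that matches nothing in the target SIEM.
    """
    unmapped: list[str] = []

    def rename(m: re.Match) -> str:
        name = m.group(1)
        if name in mapping.fields:
            return f"{mapping.fields[name]}:"
        unmapped.append(name)
        return m.group(0)  # leave unknown fields untouched for review

    return FIELD_TERM.sub(rename, query), unmapped


def translate_index(index: str, mapping: FieldMapping) -> str:
    """Map a standard table/index name; fall back to the original name."""
    return mapping.indices.get(index, index)


# Constructed profile for an imaginary ECS-style Windows index.
ECS_PROFILE = FieldMapping(
    name="ecs-winlogs",
    indices={"windows-security": "logs-windows.security-*"},
    fields={
        "EventID": "event.code",
        "Image": "process.executable",
        "CommandLine": "process.command_line",
    },
)

# Constructed query in the "standard" schema: an Office app spawning PowerShell.
SAMPLE_QUERY = (
    "EventID:4688 AND Image:*\\powershell.exe AND ParentImage:*\\winword.exe"
)

if __name__ == "__main__":
    rewritten, missing = translate_query(SAMPLE_QUERY, ECS_PROFILE)
    print("index :", translate_index("windows-security", ECS_PROFILE))
    print("query :", rewritten)
    if missing:
        print("fields not covered by profile:", missing)
```

The unmapped list is the useful part in practice: a query whose `ParentImage` term is left in the standard name will run without error in most backends and simply never match, which is how field mapping gaps turn into blind spots. Reviewing that list before assigning a profile as the default for a Data Plane is the check this step is about.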
You should have a Custom Repository configured so you can create custom threat hunting scenarios based on your own detection content, or manage content from the Threat Detection Marketplace per scenario. To create or manage Custom Repositories, go to CI/CD > select Repositories. Follow these guidelines on how to create and work with Custom Repositories.
