Dynamic Incident Response

1. Detect Activity

The detect activity is an important phase in the model, during which organizations identify potential incidents using various information sources and analysis techniques. As incident response analysts, we spend a significant portion of our time in detection activities, searching for signs of compromise and potential threats that require investigation.

DAIR incident response workflow highlighting the Detect phase in a linear process leading to a circular response actions cycle
Figure 1. Detect Activity Waypoint

Detection Methodologies

Modern detection programs employ multiple methodologies to identify threats, each with distinct strengths and limitations. Understanding these approaches helps analysts select appropriate techniques for different threat scenarios.

Signature-Based Detection

Signature-based detection uses known patterns to identify threats, such as file hashes, byte sequences, malicious domains, network protocol and port number indicators, etc. This approach efficiently detects known malware and attack patterns, with generally low false positive rates. Automated systems excel at signature-based detection, processing data quickly to identify matches.

The primary benefit of signature-based detection lies in its efficiency and accuracy for known threats. Signatures provide high-confidence indicators that an attack has occurred, enabling rapid automated responses such as quarantining files, blocking network connections, or alerting analysts. The rapid processing speed of signature matching allows organizations to handle large volumes of data across many potential threats.

The primary limitation of signature-based detection is its reactive nature. New malware variants, zero-day exploits, and novel attack techniques evade signature detection until researchers analyze samples and create matching patterns. Attackers who reverse-engineer detection signatures can modify their tools to avoid matches, rendering signature-based systems ineffective against sophisticated adversaries.

Organizations relying solely on signature-based detection are likely to miss novel threats.

Behavioral Detection

Behavioral detection monitors actions rather than static indicators, identifying threats by what they do rather than what they look like. This approach establishes baselines of normal activity and flags deviations that warrant investigation.

Behavioral detection excels at identifying threats that signature-based approaches miss:

  • Mass file encryption: Identifying patterns characteristic of ransomware

  • Unusual access patterns: Reporting off-hours authentication or access to sensitive resources in atypical ways

  • Living-off-the-land techniques: Characterizing legitimate tools used in malicious ways

  • Insider threats: Recognizing authorized user misuse of access privileges

Behavioral detection requires careful tuning to balance detection coverage with false-positive rates. Analysts should work with their teams to establish accurate baselines that reflect normal organizational operations.

Scoping Baselines to Business Units

For large networks, a single organization-wide baseline is often too broad to produce meaningful anomaly detection. Different business units operate in fundamentally different technical environments, and averaging across them dilutes the very differences that make anomalies visible.

Consider a large defense contractor with separate divisions for aeronautics, mission systems, and corporate IT. The aeronautics division generates heavy CAD/CAM file transfers and communicates with specialized supply chain partners. The mission systems division operates classified networks with strict access controls and minimal external connectivity. Corporate IT runs standard business applications with predictable Office 365 and SaaS traffic patterns. A baseline built across all three divisions would define "normal" so broadly that meaningful deviations disappear into the noise.

Three business units with distinct network baselines showing different software usage and traffic patterns for each
Figure 2. Defense Contractor Baseline by Business Unit

Healthcare organizations face similar challenges. Research laboratories generate large data transfers to cloud compute resources and access specialized databases, while clinical operations produce predictable electronic health record (EHR) access patterns with periodic spikes during shift changes. A unified baseline across both groups would either flag routine research transfers as anomalous or fail to detect unusual access in the clinical environment.

Scoping baselines to business units or functional groups produces tighter definitions of normal activity. Tighter baselines make genuine anomalies more visible and reduce false positive rates, allowing analysts to focus investigative effort on events that actually warrant attention.

AI and Machine Learning Detection

Machine learning enhances behavioral detection by scoring events and correlating patterns at scale. Unsupervised learning algorithms establish baselines automatically, while supervised models classify events as malicious or benign based on training data. These capabilities prove particularly valuable for high-volume telemetry analysis and detecting subtle patterns across distributed systems.

Supervised models learn from labeled examples where analysts have identified events as malicious or benign. These models excel at detecting known attack patterns but can struggle with novel techniques not present in the training data. Unsupervised models learn what normal behavior looks like without requiring labeled examples. This approach better identifies unknown threats but generates more false positives when legitimate activity deviates from established patterns.

Organizations implementing ML-based detection should understand the limitations of these systems, including model drift, concerns about training data quality, and evasion techniques.

Model drift occurs as attacker techniques evolve and organizational environments change, gradually degrading detection accuracy. A model trained on last year’s attack patterns may fail to recognize this year’s techniques, particularly as adversaries adapt their methods to evade detection. Environmental drift contributes to this problem: as organizations adopt new technologies, change business processes, or shift workforce patterns, the baseline of "normal" activity shifts.

Training data quality impacts detection accuracy and directly influences what ML-based detection can achieve. Models trained on incomplete datasets will fail to characterize attack techniques absent from training data. Further, training data contaminated with mislabeled examples teaches models to make incorrect classifications. Supervised models struggle to identify attack patterns they have never encountered.

In model evasion attacks, adversaries craft inputs designed to bypass ML classification. Attackers who understand how detection models work can modify their techniques to fall just below detection thresholds or exploit deficiencies in model training. Model evasion attacks have been applied to evade a wide range of classifiers, including malware detection, spam filtering, and image recognition systems.

Human-in-the-loop (HITL) approaches address these limitations by combining machine efficiency with human judgment. Rather than treating ML outputs as definitive determinations, effective detection programs use machine learning to surface high-priority signals for human review. Analysts bring contextual understanding that models lack: knowledge of recent organizational changes, awareness of ongoing projects that might explain unusual activity, and intuition developed through experience investigating similar alerts.

HITL workflows also create feedback loops that improve model performance over time, as analyst decisions on flagged events provide labeled data for model retraining. Where possible, organizations should design their detection workflows to leverage ML for initial triage and prioritization while preserving human decision-making authority for final classification and response actions. This approach allows human expertise to contribute to ongoing improvements in models and classifiers.

Hybrid Detection Approaches

Effective detection programs combine multiple methodologies to leverage their complementary strengths. By integrating signature-based, behavioral, and machine learning techniques, organizations can leverage the strengths of each approach to build robust detection capabilities while minimizing false positives and false negatives. Many modern threat detection tools integrate signature matching, behavioral analysis, and machine learning within a single platform.

Detection logic increasingly maps attacker tactics, techniques, and procedures to frameworks like MITRE ATT&CK. [1] By focusing on adversary behaviors rather than specific indicators, organizations can create detection rules that remain effective even as attackers modify their tools. Further, the detection method, whether signature-based, ML-based, or behavioral, becomes less important than the underlying technique being detected. When combined, analysts can use multiple detection methods to identify threats, increasing overall detection confidence and reducing the likelihood of false positives.

This layered approach provides defense-in-depth for detection: signatures catch known threats efficiently, behavioral analysis identifies novel techniques, and machine learning surfaces subtle patterns that might escape rule-based detection.

Active vs. Passive Detection

Detection activities fall into two primary categories: passive and active detection. Passive detection occurs when organizations learn about incidents through reports, whether from internal staff noticing unusual activity, external partners sharing threat intelligence, or automated alerting systems triggering notifications. This reactive approach, while necessary, often results in longer detection times and potentially greater impact on the organization.

Active detection, also known as threat hunting, involves proactively searching for Events of Interest (EOIs) within the environment. Threat hunting analysts analyze logs, network traffic, system behavior patterns, and other data sources to identify compromises that may have evaded automated detection systems. This proactive approach can significantly reduce Mean Time to Detect (MTTD), the duration between an incident’s initiation and its discovery by the organization.

Reducing MTTD remains an ongoing priority for incident response teams, as faster detection typically correlates with reduced incident impact.
The Tyranny of Infinite Choice

Incident response and threat hunting represent fundamentally different starting points for detection work, as noted by security researcher Faan Rossouw. [2] When responding to an incident, analysts begin with a defined indicator: an alert has fired, a user has reported suspicious activity, or a third party has notified the organization of a compromise. The starting point is given, and the investigation proceeds from that anchor.

Threat hunters face a different challenge: finding unknown threats without predefined indicators. No alert has fired. No system has flagged anything suspicious. The hunter stares at millions of log entries, thousands of systems, and hundreds of potential threat vectors, all while nothing appears obviously wrong. Rossouw calls this the tyranny of infinite choice: hunters face not only the question of what to investigate, but where to begin, how to prioritize, and why one hunting hypothesis deserves attention over countless alternatives.

Pyramid diagram ranking indicator types from hash values at the base to TTPs at the apex by difficulty for adversaries to change
Figure 3. The Pyramid of Pain

The Pyramid of Pain, created by David Bianco in 2013, provides a mental model that can help threat hunters escape this paralysis. [3] The pyramid arranges adversary artifacts by the amount of "pain" that changing them causes attackers. At the bottom sit hash values and IP addresses, which are trivial for adversaries to modify. At the top sit tactics, techniques, and procedures (TTPs), which represent operational methods that adversaries depend on and cannot easily abandon.

This model suggests that hunters should focus their limited time where it hurts adversaries most. Searching for known malicious hashes or IP addresses offers little value for human hunters since automated systems handle this efficiently at machine speed. Instead, hunters should move up the pyramid toward behavioral indicators: beaconing patterns that suggest command-and-control communications, suspicious process-creation chains where legitimate tools spawn each other unexpectedly, or lateral movement techniques that reveal adversary procedures.

The pyramid also reveals a practical tradeoff. Lower-level indicators, such as hashes, provide high-confidence detection with minimal false positives, but adversaries change them effortlessly. Higher-level indicators like TTPs require significant expertise to detect reliably, but they expose adversary tradecraft that persists across campaigns.

Skilled threat hunters recognize these tradeoffs and select their hunting focus based on strategic impact rather than tactical convenience.

Detection Data Sources

Effective detection leverages both technical and human data sources. Technical sources provide the data needed to identify malicious activity, while human sources offer institutional knowledge, context, and observations that automated systems might miss.

Technical Detection Sources

Detection depends on the technical infrastructure deployed during preparation activities. In Prepare Activity, we examined the deployment and configuration of detection infrastructure in detail. This section focuses on how analysts use these capabilities for threat detection.

Endpoint Detection and Response (EDR) provides host-level visibility, which is essential for detecting post-compromise activity. EDR telemetry reveals process injection attempts, credential dumping activity, persistence mechanism deployment, and suspicious parent-child process relationships. Analysts can query EDR platforms to hunt for indicators across managed endpoints and correlate endpoint activity with network-based detections. While no single EDR solution provides perfect protection, these platforms generate valuable data for incident detection and investigation.

Where endpoint systems provide focused insight into individual hosts, network monitoring provides broad visibility across the environment. Network Detection and Response (NDR) and flow data enable threat detection by analyzing network traffic attributes and communication patterns. Detection use cases include identifying C2 beaconing through connection timing analysis, detecting lateral movement through unusual internal traffic patterns, and flagging potential data exfiltration through anomalous outbound data volumes.

Network-based detection complements endpoint visibility by revealing attacker activity that spans multiple systems.

Security Information and Event Management (SIEM) platforms allow analysts to perform simple searches and more complex correlation-based detection across diverse log sources. Detection rules can identify attack patterns spanning multiple systems, such as authentication failures followed by successful login, privilege escalation sequences, or coordinated access to sensitive resources. SIEM tools like Splunk, Elastic Security, and Microsoft Sentinel provide powerful search capabilities that analysts can leverage for both alerting and threat hunting.

Security Orchestration, Automation, and Response (SOAR) platforms reduce Mean Time to Respond (MTTR) and risk by automating response to high-confidence alerts. When detection systems identify clear threats, SOAR tools can immediately quarantine endpoints, block malicious IP addresses, disable compromised accounts, and capture data for forensic analysis. This automation reduces attacker dwell time while freeing analysts to focus on complex investigations requiring human judgment. Analysts can leverage SOAR case management capabilities to track detection events through investigation, link related alerts, and document findings for future reference.

This is not an exhaustive list of technical detection sources. Email gateways, web proxies, cloud-native logging, Cloud Workload Protection Platforms (CWPP), and other specialized monitoring tools all contribute valuable data for detection activities. Organizations should use the platforms that provide the best visibility for threat detection in their specific environments.

RITA: Open Source Network Threat Analysis

Real Intelligence Threat Analytics (RITA) is a free, open-source tool that applies statistical anomaly analysis to network activity, identifying command and control communications that signature-based detection would miss. [4] RITA does not look for specific C2 framework signatures. Instead, it identifies behavioral characteristics common to most C2 tools: long connection durations, beaconing intervals, consistent packet sizes, unusual subdomain patterns, and other anomalies that distinguish attacker activity from normal network traffic.

This approach allows RITA to detect novel C2 frameworks that have never been observed, since new tools exhibit the same behavioral characteristics as established ones. Organizations can use RITA to supplement commercial detection tools, gaining access to statistical analysis capabilities that some NDR platforms lack entirely.

RITA analyzes Zeek log files, but this does not mean organizations need a full Zeek sensor deployment. Analysts can capture network traffic at a network edge location (ideally for twenty-four hours or longer), then convert the packet capture to Zeek logs using the zeek command-line tool, as shown in Listing 1.

Listing 1. Zeek Log Generation and RITA Import
$ zeek -Cr capture.pcap
$ /opt/rita/rita.sh import -l ~/zeek-logs -d InvestigationDB
…​
Finished Analysis! analysis_began=1723660142 analysis_finished=1723660142
Finished Import! elapsed_time=4.8s
$ /opt/rita/rita.sh view InvestigationDB

The -C flag instructs Zeek to process packets even if they have invalid checksums, which is common in truncated captures. RITA imports the resulting logs and applies its analysis algorithms, scoring connections based on beacon consistency, connection duration, subdomain patterns, and other threat indicators.

RITA terminal interface displaying beacon analysis results with severity ratings and connection metadata for network traffic
Figure 4. RITA Threat Analysis Results

RITA’s terminal interface displays identified threats ranked by severity: critical, high, medium, low, or none. For each threat, RITA reports the source and destination addresses, beacon score (representing interval consistency), connection duration, prevalence among internal hosts, and protocol details. A high beacon score indicates consistent communication intervals between two hosts, a strong indicator of automated C2 communication.

As a free tool, RITA provides organizations with powerful network threat detection capabilities without licensing costs. The trade-off is deployment effort: RITA runs on Linux systems and requires analyst expertise to interpret results effectively.

Open Source Network Detection: A Rich Ecosystem

The open source community has a particularly deep history in network threat detection. Snort and Zeek (formerly Bro) both date to 1998, giving the ecosystem over two decades of maturity, community contribution, and real-world refinement. While open source tools are not always the best fit for every organizational need, network threat detection is an area where the open source community has produced tools that effectively rival or complement commercial alternatives.

Several projects stand out for their contributions to network visibility:

  • Suricata: Signature-based network intrusion detection engine compatible with community and commercial rulesets, including rules for emerging threats.

  • Zeek: Protocol analysis and structured log generation that transforms raw traffic into rich, queryable metadata.

  • RITA: Statistical anomaly detection for identifying C2 beaconing and long connections (see RITA: Open Source Network Threat Analysis).

  • Arkime: Full packet capture indexing and search with a web-based interface for retrospective analysis.

  • Security Onion: A distribution that bundles several of these tools into a single deployment for network security monitoring.

Organizations with limited budgets or those looking to supplement commercial NDR platforms can draw on this ecosystem with confidence in the tooling’s stability and active community support. The tradeoff remains consistent across these tools: they require investment in deployment, configuration, and analyst expertise to operate effectively, but offer powerful detection capabilities without licensing costs.

Human Detection Sources

Human observations remain invaluable for detection, often identifying issues that automated systems miss. In Prepare Activity, we examined security awareness training programs that develop this detection capability, allowing analysts to use employee observations as a source of incident detection.

Employees frequently serve as the first line of defense for threats, reporting suspicious emails, unusual system behavior, or social engineering attempts. Effective training and a culture that encourages reporting suspicious events help staff recognize indicators of compromise and understand reporting procedures. Tying in pop culture references can enhance engagement, like the Dall-E-generated poster in Figure 5 encouraging employees to report suspicious activity.

Retro horror movie-style security awareness poster urging employees to report suspicious activity like spoofed calls and malicious emails
Figure 5. The Danger Things Dall-E Poster
When employees report suspected incidents, even false alarms, the organization gains detection coverage that technical systems cannot provide. Fostering a culture of vigilance encourages reporting, enhancing overall detection capabilities.

System administrators and help desk personnel often identify anomalies during routine operations: a server that keeps crashing, unexpected network traffic patterns, or unauthorized changes to systems they manage. These observations, when properly escalated, can reveal ongoing compromises. Establishing clear escalation paths during preparation ensures these observations reach the incident response team promptly.

Third-party notifications from customers, partners, or security researchers sometimes provide the first indication of a breach. While not ideal from a detection timeline perspective, these external reports remain an important source of detection. Organizations should establish procedures for receiving and validating external notifications as part of preparation activities.

Public Security Policy Reporting: security.txt

Security researchers who discover vulnerabilities often struggle to find the right contact within an organization to report their findings. Without a clear reporting channel, researchers may give up trying to contact the responsible organization that can resolve the vulnerability, post findings publicly, or contact the wrong department entirely. The RFC 9116 standard addresses this problem by defining a machine-readable file that organizations place on their web servers to communicate security contact information and vulnerability disclosure policies. [5]

Organizations publish a security.txt file at /.well-known/security.txt on their web servers. The file contains contact information (email, phone, or URL), an expiration date, and optional fields for encryption keys, disclosure policies, acknowledgment pages, and preferred languages.

Listing 2. Microsoft security.txt Example
$ curl -q https://www.microsoft.com/.well-known/security.txt
# Our security acknowledgements page
Acknowledgments: https://msrc.microsoft.com/update-guide/acknowledgement

# Canonical URI
Canonical: https://www.microsoft.com/.well-known/security.txt

# Our Researcher Portal
Contact: https://msrc.microsoft.com/report/vulnerability/new

# Our PGP Key
Encryption: https://msrc.microsoft.com/.well-known/csaf/openpgp/998D7EC1A516E3D17FF90480EF148D3CDE714E0D.asc

Expires: 2026-09-23T16:00:00.000Z

# Our Bounty policy
Policy: https://www.microsoft.com/en-us/msrc/bounty/

# Our Coordinated Vulnerability Disclosure Policy
Policy: https://www.microsoft.com/en-us/msrc/cvd

# Our Bounty Legal Safe Harbor Policy
Policy: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor

# Our Common Security Advisory Framework (CSAF) publications
CSAF: https://msrc.microsoft.com/csaf/provider-metadata.json

Preferred-Languages: en

From a detection perspective, a security.txt file helps direct external reporting (whether vulnerability reports or attempts to disclose evidence of an incident) to the appropriate channels. The minimal effort required to create and maintain this file pays off when it accommodates disclosure efforts that inform internal cybersecurity teams.

Cloud-Native Detection Sources

Cloud environments require detection approaches adapted to their unique characteristics: ephemeral workloads, API-driven infrastructure, shared responsibility models, and distributed architectures. Detection operations should use cloud-native logging, cloud provider APIs, and specialized detection tools designed for cloud workloads. Specialized detection solutions vary depending on the cloud deployment architecture: containerized, serverless, or hybrid environments.

Container and Kubernetes Detection

Container and Kubernetes detection employs multiple approaches to identify threats in containerized environments. Kernel-level monitoring using extended Berkeley Packet Filter (eBPF) enables systems to observe system calls from containerized workloads, identifying unexpected processes, file system modifications, or anomalous network connections. Container runtime socket monitoring provides an alternative detection method by observing the Docker or containerd API for container lifecycle events, image operations, and configuration changes that might indicate compromise or policy violations.

Logging systems, including Kubernetes audit events, provide visibility into API server activity, enabling detection of suspicious actions such as unauthorized pod creation, privilege escalation attempts, or access to sensitive secrets. Service mesh architectures offer additional network-level visibility between services, capturing traffic patterns that kernel-based or runtime monitoring might miss. For traffic entering or leaving the cluster, NDR tools at ingress points provide detection capabilities that complement mesh-level monitoring.

Container environments present unique detection challenges due to their ephemeral nature. When containers terminate, evidence of compromise may disappear before analysts can investigate. Organizations should configure centralized log collection and consider runtime detection tools that capture forensic artifacts in real time for high-sensitivity workloads.

Serverless and Microservices Detection

Detection in agentless environments, such as serverless functions and microservices, requires alternative approaches, as traditional endpoint agents cannot run in these execution environments.

Cloud provider logs, function telemetry, and event anomaly analysis serve as the primary sources of detection for serverless and corresponding microservices workloads. Analysts should watch for abnormal invocation patterns, unexpected outbound connection attempts, unusual access to secrets or environment variables, and deviations from baseline execution characteristics (such as timeouts, throttling, and unusual memory and CPU consumption). The ephemeral nature of these environments makes real-time detection important since evidence exists only briefly.

Hybrid Cloud

Detection across distributed infrastructure, including hybrid and multi-cloud environments, requires unifying telemetry and detection logic across on-premises systems and multiple cloud providers. Organizations deploy a mix of agentless approaches, including API access and snapshot-based analysis alongside agent-based runtime monitoring for workloads that support it. Cloud-aware network detection and control plane analytics provide visibility into cross-environment activity that traditional tools may miss.

Native cloud detection tools from providers like AWS GuardDuty, Azure Defender, and Google Cloud Security Command Center offer built-in detection capabilities tailored to their respective platforms. This integration provides native visibility into cloud events but often lacks the cross-environment correlation capabilities of third-party SIEM and EDR platforms. Organizations that leverage multiple cloud providers should consider detection solutions that unify telemetry and analysis across all environments for comprehensive threat detection coverage.

Challenges in Detection

Plainly said, the task for detection teams is challenging. Wading through large volumes of data, contending with encrypted traffic, facing adversaries actively evading detection, and addressing skills gaps within security teams all complicate effective threat identification. Understanding these challenges helps organizations develop strategies to work around limitations and improve detection capabilities over time.

Data Volume and Velocity

The volume and velocity of security data generated in modern environments can overwhelm analysis capabilities and delay threat identification. Larger networks can easily generate terabytes of log data daily from endpoints, network devices, cloud services, and applications, making comprehensive analysis difficult even with sophisticated tools and automation.

The quantity of data from multiple, disparate sources requires careful prioritization and filtering to ensure analysts focus on the most relevant signals. Even with SIEM platforms and machine learning models, the volume of alerts can exceed analyst capacity, leading to alert fatigue and missed detections. Data retention costs add to this challenge, forcing organizations to make difficult decisions about which data to keep for historical analysis and which to discard after short periods.

Organizations can address data volume challenges through several practical strategies:

  • Detection-driven collection: Start with specific attack detection use cases and work backward to identify the required data sources, rather than collecting everything and hoping it proves useful.

  • Tiered data retention: Implement hot, warm, and cold storage tiers that keep recent high-fidelity data readily accessible while archiving older data to cost-effective storage for historical investigations.

  • Filtering at the source: Wherever possible, remove known-good noise before ingestion by filtering routine events, such as successful authentication from service accounts or expected network traffic patterns.

  • Aggregation and sampling: For high-volume, low-value data sources, aggregate events into summaries or sample representative subsets rather than storing every individual event.

  • Correlation-based alerting: Reduce alert volume by requiring multiple related signals before generating analyst-facing notifications, converting dozens of low-confidence events into single high-confidence alerts.

  • Constant tuning: Regularly review and adjust detection rules, thresholds, and data sources to optimize signal-to-noise ratios as the environment and threats change. Retain test environments so the team can test changes to detection logic before deployment to production systems.

The goal is not to collect less data, but to collect the useful data and process it efficiently so analysts can focus on signals that matter.

Detection-Driven Collection: Azure Storage Logging

Azure Blob Storage diagnostic logging is a great way to illustrate the detection-driven collection principle. A moderately active storage account can generate millions of StorageBlobLogs entries daily, with the vast majority representing routine read requests for public content. Ingesting all of this data into a Log Analytics workspace incurs storage costs and adds to the analyst burden without proportional detection value.

Instead, organizations can use Data Collection Rules (DCR) with ingest-time transformations to filter storage logs before they reach the workspace. Start by defining what threats storage logging should detect: unauthorized access attempts, data exfiltration, and suspicious deletion activity. Then configure a DCR transformation with a Kusto Query Language (KQL) query that evaluates each log entry against detection criteria during ingestion.

The following KQL transformation demonstrates this filtering approach, keeping only security-relevant events while discarding routine access patterns.

Listing 3. DCR Transformation for Storage Log Filtering
source
| where StatusCode >= 400 (1)
    or OperationType in ("DeleteBlob", "PutBlob",
                         "PutBlock", "CopyBlob") (2)
    or (CallerIpAddress !startswith "10."
        and CallerIpAddress !startswith "192.168.") (3)
| project TimeGenerated, OperationType, StatusCode,
    CallerIpAddress, AccountName, ObjectKey, UserAgentHeader (4)
1 Keep all failed requests (4xx and 5xx status codes).
2 Keep write and delete operations regardless of status.
3 Keep requests from IP addresses outside expected internal ranges.
4 Select only desirable columns to further reduce data ingestion volume.

This approach can reduce log volume significantly while preserving the events that actually support threat detection. The transformation runs at ingestion time within the DCR pipeline, so filtered events never consume workspace storage or processing resources.

Encrypted Traffic

Encryption limits network-based detection visibility into communications content. As more communications use TLS encryption for web traffic, encrypted DNS, and VPN connections, network monitoring tools increasingly rely on metadata analysis rather than deep packet inspection. While encryption provides important privacy and security benefits, it also creates areas of reduced visibility for threat hunting, where attackers can hide command-and-control communications or data exfiltration activity.

Encrypted Traffic Detection Techniques

Since payload inspection is limited with encrypted traffic, detection focuses on metadata and behavioral analysis:

Flow-based analysis techniques, including Encrypted Traffic Analysis (ETA), use packet sizes, timing patterns, directionality, and TLS handshake attributes to detect anomalies without decrypting content. Machine learning models can classify suspicious encrypted flows based on these characteristics.

Certificate and handshake metadata inspection leverages certificate attributes, Server Name Indication (SNI) values, TLS versions, cipher suites, and handshake fingerprints. Services like Encrypted Client Hello (ECH, the successor to Encrypted Server Name Indication or ESNI) complicate detection, providing less opportunity to glean useful information from encrypted sessions. For these TLS connections, fingerprinting techniques such as JA4+ allow analysts to gain insight based on TLS handshake parameters, helping identify malicious clients even when traffic is encrypted. [6]

For example, in the analysis shown in Listing 4, we extract JA4 fingerprints from TLS Client Hello messages in a packet capture file using TShark, the text-based version of the Wireshark packet analyzer. TShark reveals the JA4 fingerprint t13i3110as_e8f1e7e78f70_1f22a2ca17c4 for the client session. Using a local JA4 database in JSON format, we query for this fingerprint using jq, revealing that the TLS connection corresponds to the AnyDesk remote desktop application, version 9.6.1.

Listing 4. TLS JA4 Fingerprint Analysis
$ tshark -r netedge-20260105.pcapng -Y "tls.handshake.type == 1" -T fields -e tls.handshake.ja4 | sort -u
t13i3110as_e8f1e7e78f70_1f22a2ca17c4
$ jq '.[] | select(.ja4_fingerprint == "t13i3110as_e8f1e7e78f70_1f22a2ca17c4")' ~/ja4db.json
{
  "application": "AnyDesk",
  "library": null,
  "device": null,
  "os": null,
  "user_agent_string": "",
  "certificate_authority": null,
  "verified": false,
  "notes": "AnyDesk v9.6.1",
  "ja4_fingerprint": "t13i3110as_e8f1e7e78f70_1f22a2ca17c4",
  "ja4_fingerprint_string": "",
  "ja4s_fingerprint": "",
  "ja4h_fingerprint": null,
  "ja4x_fingerprint": null,
  "ja4t_fingerprint": null,
  "ja4ts_fingerprint": null,
  "ja4tscan_fingerprint": null
}

JA4 fingerprinting provides valuable context for encrypted traffic analysis, enabling analysts to identify applications and clients even when payloads are inaccessible and other privacy controls are applied to protect client and server details.

Behavioral context analysis provides additional insight for analysts when working with encrypted traffic. This approach focuses on detecting unusual patterns indicative of EOIs in encrypted network activity. Indicators include abnormal outbound data volumes, connections to unusual destinations, and new encrypted channels from systems that do not normally generate such traffic.

Organizations should focus network detection efforts on connection metadata, including destination addresses, connection timing and duration, data volume patterns, and certificate information that remains visible even when content is encrypted. TLS inspection capabilities for internal systems where policy permits can provide a valuable source of detection data for threat hunting and subsequent investigation. Combined, these metadata and behavioral approaches allow organizations to maintain meaningful detection coverage even as encryption adoption continues to grow.

Adversary Evasion

Sophisticated attackers actively work to evade detection, treating security tools as obstacles to overcome rather than insurmountable barriers. Understanding common evasion techniques helps analysts recognize when attackers are attempting to hide their activities.

Attackers frequently target logging infrastructure to remove evidence of their activities. Clearing Windows Event Logs, disabling audit policies, or timestomping files to obscure activity timelines are common techniques. Analysts should monitor for gaps in log data and unexpected changes to logging configurations as potential indicators of compromise.

Rather than deploying custom malware that signature-based detection might catch, attackers increasingly use legitimate system tools for malicious purposes. PowerShell, Windows Management Instrumentation (WMI), PsExec, and other built-in utilities provide powerful capabilities that attackers exploit. These tools generate activity that blends with normal administrative operations, making behavioral detection essential.

Attackers who understand detection thresholds can operate just below them. Data exfiltration spread across many small transfers rather than one large transfer, authentication attempts spaced to avoid lockout policies, and lateral movement timed to coincide with normal business hours all exploit threshold-based detection limitations.

The Pre-Attack Lab

Attackers with disciplined tradecraft test their techniques before deploying them against targets. Sophisticated threat actors maintain lab environments that mirror common enterprise security stacks, testing malware and attack procedures against EDR products, SIEM detection rules, and network monitoring tools.

The 2022 Conti ransomware leaks revealed the extent of this practice. [7] Internal chat logs showed the group budgeted several thousand dollars monthly to purchase security and antivirus tools for continuous testing against their malware. The group also invested $60,000 to acquire a legitimate Cobalt Strike license through an intermediary company. In one chat, Conti manager Reshaev instructed a subordinate on operational security:

Install EDR on every computer (e.g., Sentinel, Cylance, CrowdStrike); set up a more complex storage system; protect LSAS dumps on all computers…​

This reality means detection capabilities require continuous evolution. Detection rules that worked for previous incident detection may fail against attackers who have adapted. Organizations should assume that determined adversaries will eventually bypass any detection methods, making layered detection strategies and continuous improvement essential.

As attackers adapt their techniques, detection teams cannot solely rely on endpoint signatures or static rules. Threat intelligence on emerging evasion techniques, regular updates to detection rules, and purple-team exercises that test detection coverage all contribute to maintaining effective detection capabilities.

Skills Gap

The skills gap in security operations means many organizations struggle to effectively use their detection tools and interpret the alerts they generate. The shortage of experienced analysts who can tune detection systems, investigate alerts, perform threat hunting, and develop new detection rules limits detection effectiveness across the industry.

Entry-level analysts often lack the deep technical knowledge needed to distinguish sophisticated attacks from benign anomalies, while experienced analysts are in high demand and difficult to retain. Organizations should invest in training programs that develop detection skills within their teams, leverage managed security service providers (MSSPs) to supplement internal capabilities, and implement knowledge management systems that capture detection expertise for future reference.

Automation and AI-assisted detection capabilities can help bridge some of the skills gap by providing analysts with context and recommendations (see Accelerating Incident Response with AI). While valuable, these tools also require oversight from experienced personnel to avoid missing threats or creating excessive false positives.

Detect Activity Examples

The following examples illustrate where detection is an important part of the incident response process.

The External Breach Hunter

External breach notifications are an important passive detection source through which security researchers, customers, partners, or other third parties discover and report compromises that internal detection systems missed.

Ethan, a help desk analyst, receives an email on Tuesday morning with the subject line "Security Issue - Exposed Administrative Systems." He skims the message from someone named Tom Liston describing exposed administrative portals and suspicious accounts on the organization’s patient management system. The email includes several screenshots of administrative login pages accessible without authentication, along with evidence of accounts named admin_backup and svc_temp that don’t follow the organization’s naming conventions. Ethan forwards the email to the security team with a note: "Not sure if this is legit, but seems serious if true."

Yoshihiro, the security analyst on duty, opens the forwarded email with skepticism. He’s seen plenty of false alarms from well-meaning but mistaken researchers, and occasionally encounters social engineering attempts disguised as security notifications. He starts reviewing the technical details and examining the screenshots of the exposed administrative portals. The URLs appear legitimate and point to actual organizational infrastructure. The suspicious account names admin_backup and svc_temp are concerning because they don’t match the standard adm_firstname.lastname format used by IT. The researcher even provides authentication logs showing logins from IP addresses in Eastern Europe over the past forty-five days.

The technical details seem credible, but Yoshihiro remains cautious until he checks the sender’s name: Tom Liston. He recognizes the name immediately as a respected threat hunter known for responsibly disclosing security issues to affected organizations. Yoshihiro has followed Liston’s work, which documents the discovery and reporting of compromised systems found through simple internet searches. This pedigree elevates Yoshihiro’s assessment from potential security issue requiring validation to credible breach notification requiring immediate action.

Yoshihiro escalates the report to the incident response team lead, noting both the technical findings and the credible source. This detection event transitions to the verify and triage phase, where the team will validate the specific claims and determine the appropriate response.

The SIEM Wizard

Active threat hunting using SIEM tools enables analysts to proactively identify threats that automated alerting systems might miss, particularly when searching for suspicious patterns rather than known malicious indicators.

Every Wednesday morning, Lucía conducts her weekly threat-hunting session, dedicating two hours to searching for anomalies in the organization’s security data. This week, she decides to hunt for beaconing behavior in proxy server logs, a common indicator of command and control communication where compromised systems regularly check in with attacker infrastructure. Beaconing is particularly suspicious because legitimate applications rarely communicate with external servers at perfectly consistent intervals, while malware often implements regular callback schedules to receive commands or exfiltrate data.

Lucía opens Kibana and crafts an Elasticsearch aggregation query to identify URLs with consistent access patterns over the past twenty-four hours, shown in Listing 5. Her query groups all proxy requests by destination URL and analyzes the distribution of requests over time, looking for patterns that suggest automated, scheduled communication rather than human-driven web browsing.

Listing 5. Elasticsearch Query for Beaconing Detection
{
  "size": 0, (1)
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-24h", (2)
        "lte": "now"
      }
    }
  },
  "aggs": {
    "by_url": {
      "terms": {
        "field": "url.keyword", (3)
        "size": 500
      },
      "aggs": {
        "over_time": {
          "auto_date_histogram": {
            "field": "@timestamp", (4)
            "buckets": 50
          }
        },
        "request_count": {
          "value_count": { (5)
            "field": "@timestamp"
          }
        }
      }
    }
  }
}
1 Don’t return individual documents, only aggregation results.
2 Search only the past 24 hours of proxy log data.
3 Group all requests by destination URL.
4 Create a histogram showing when requests occurred for each URL.
5 Count the total number of requests for each URL.

The query returns hundreds of URLs with varying access patterns. Lucía reviews the results, examining the time distribution histograms for each URL. Most show the irregular patterns typical of human access: bursts of activity during business hours, gaps during lunch, quiet periods overnight. Others exhibit consistent patterns from legitimate automated systems like software update checkers and monitoring tools, which Lucía recognizes from previous hunting sessions.

One URL immediately catches her attention: api.cloudserv-cdn.com shows exactly 288 requests over the past twenty-four hours, with the histogram displaying perfectly spaced intervals. Lucía calculates the timing: twenty-four hours divided by 288 requests equals exactly five minutes between each request. This precision in timing is unusual.

Lucía digs deeper into this suspicious URL, crafting a follow-up query to identify which client systems are accessing it and examining the specific timestamps. She finds that all requests originate from a single workstation in the finance department, and the timestamps confirm the pattern: requests occur at exactly :05, :10, and every five minutes thereafter with no variation in timing. The domain itself raises additional concerns when she checks threat intelligence feeds. It was registered only three weeks ago using privacy protection services, and the hosting provider is commonly associated with malicious infrastructure.

Lucía documents her findings, noting the suspicious beaconing pattern, the recently registered domain, the consistent five-minute interval, and the affected workstation details. She escalates this detection event to the incident response team for verification and triage, where they will investigate whether the workstation is genuinely compromised or if there’s a legitimate explanation for this highly regular communication pattern.

Detect: Step-by-Step

The following steps provide a condensed reference for detection activities. Each step corresponds to topics covered earlier in this chapter, organized for use when establishing detection sources, hunting for threats, and refining detection capabilities.

A standalone version of this step-by-step guide is available for download on the companion website in PDF and Markdown formats.

  1. Establish detection data sources:

    • Deploy and maintain EDR tools for host-based monitoring.

    • Implement network monitoring (packet capture, flow data, or NDR tools).

    • Configure log aggregation and SIEM platforms.

    • Configure SOAR platforms to automate response to high-confidence alerts.

    • Ensure comprehensive log collection across critical systems.

    • Enable cloud-native logging (Kubernetes audit logs, cloud provider flow logs, control plane events).

    • Establish behavioral baselines at the business-unit or functional-group level for meaningful anomaly detection.

    • Train employees on security awareness and incident reporting.

    • Establish clear escalation paths for system administrators and help desk personnel to report anomalies.

    • Publish a security.txt file to facilitate external security reporting.

  2. Implement data reduction and prioritization strategies:

    • Apply detection-driven collection: define detection use cases first, then identify required data sources.

    • Filter high-volume, low-value logs at the source before SIEM ingestion (e.g., DCR transformations for cloud storage logs).

    • Implement tiered data retention with hot, warm, and cold storage to balance accessibility and cost.

    • Aggregate or sample high-volume, low-value data sources rather than storing every individual event.

    • Correlate multiple low-confidence signals into high-confidence alerts.

    • Apply statistical analysis to identify anomalous patterns (e.g., RITA for beaconing detection).

  3. Conduct active threat hunting:

    • Schedule regular threat hunting sessions (weekly or monthly).

    • Prioritize hunting for TTPs and behavioral indicators over low-level indicators like hashes or IP addresses (Pyramid of Pain).

    • Search for beaconing patterns, lateral movement, data staging, and living-off-the-land techniques.

    • Hunt for IOCs using SIEM queries and EDR searches.

    • Analyze encrypted traffic metadata (JA4+ fingerprints, connection patterns, certificate attributes).

    • Document findings and new IOCs discovered during hunting.

  4. Monitor passive detection sources:

    • Review automated alerts from security tools.

    • Monitor employee reports of suspicious activity.

    • Track observations from system administrators and help desk personnel during routine operations.

    • Receive and validate third-party notifications from partners, customers, or security researchers.

    • Establish clear reporting channels for external researchers.

  5. Respond to detection events:

    • Validate potential incidents before full escalation.

    • Document EOIs and IOCs discovered.

    • Escalate to verify/triage phase.

    • Maintain communication with external researchers when applicable.

  6. Continuously improve detection capabilities:

    • Track detection metrics (MTTD, alert volume, false positive rate)

    • Conduct purple-team exercises to test detection coverage against adversary evasion techniques.

    • Update detection rules based on new threats and TTPs.

    • Address detection gaps identified during incident response.

    • Monitor for log tampering, disabled audit policies, and gaps in log data as indicators of adversary evasion.

    • Retrain and recalibrate ML-based detection models to address model drift and evolving attacker techniques.

    • Retain test environments for validating changes to detection logic before production deployment.

    • Invest in analyst training and skill development, and leverage MSSPs to supplement internal capabilities.

    • Capture detection expertise in knowledge management systems for future reference.

    • Review threat intelligence on attacker tooling and evasion methods.

1. MITRE ATT&CK, attack.mitre.org/
2. Rossouw, Faan, "Hunt What Hurts: The Pyramid of Pain," Active Countermeasures, November 2025, www.activecountermeasures.com/hunt-what-hurts-the-pyramid-of-pain/
3. Bianco, David, "The Pyramid of Pain," 2013, detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
4. RITA (Real Intelligence Threat Analytics)," github.com/activecm/rita
5. Security.txt Project, securitytxt.org/
6. FoxIO, "JA4+ Network Fingerprinting," github.com/FoxIO-LLC/ja4
7. Krebs, Brian, "Conti Ransomware Group Diaries, Part III: Weaponry," Krebs on Security, March 2022, krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/