Writing detections that explain themselves

An engineering note on the 'hypothesis-first' rule we use for every detection that ships in Vector.

S. Ramírez 7 min read

A detection is a hypothesis. If it fires without the hypothesis attached, you're asking an analyst to reverse-engineer your thinking at 3am.

The rule

Every Vector detection ships with three fields, non-negotiable: hypothesis, evidence, next step.

One sentence, written in English, that describes what we think is happening. Not the rule. The claim.

The specific data points the detection saw. Not a whole log line. The fields that mattered.

The single action the analyst should take. Not a menu of options. The recommendation.

Keep reading

Fan-out investigation paths, provenance receipts, and a reworked enrichment engine that completes in under a minute.

A short note on the three opinions the product holds, and why they're not negotiable.

A field note on a technique we're seeing more often: adversaries using build systems as a long-term C2.