Editor’s note: This is part three of a series on threat detection. 

Security is an ongoing journey, not a one-time achievement. By treating it as an ongoing and continuous process, you can ensure a comprehensive approach that addresses the ever-changing threats and protects your valuable assets. 

To enhance your security operations journey, it’s crucial to identify the most important data sources for effective threat detection. Improving threat detection is a gradual process that adapts to both new threats and your evolving attack surface. However, it’s important to start with a solid foundation.   

To help you build this foundation, here are the top five data sources we recommend for detection along with relevant baseline detection rules.    

Starting the DIR Process: Detections 

As you might expect, effective detection rules are crucial to starting off the threat detection, investigation, and response process on the right foot. Deploying relevant detection rules through technologies like security information and event management (SIEM) platforms and endpoint detection and response (EDR) solutions enables you to promptly locate potential threats.  

It’s important to note that detections are not a numbers game, where the person with the most detections wins. Quality in detection engineering triumphs over quantity, allowing you to effectively identify potential risks while avoiding alert noise that can distract a security team.  

When it comes to deploying detections, it’s important to consider the various technologies and security tools in your environment. By understanding your technology ecosystem, you can tailor your detection strategies accordingly to improve identification of and response to potential threats. This ensures a more secure environment for your organization.  

There are a few important considerations to keep in mind regarding detection rules. The ability to deploy specific detection rules is dependent on the security technology you have implemented. It’s also worth noting that the same detection rule can be deployable across multiple technology types (e.g., the same rule might be deployable using identity and access management, user behavior analytics, privileged access management, or operating system data sources), while some detection rules might require multiple inputs to fire (e.g., event A followed by event B detected by two different log sources).  

Top 5 Foundational Threat Data Sources

1. Endpoint Detection and Response

Endpoints, such as laptops, servers, and mobile devices, are often the primary targets for cyberattacks. They can contain valuable data and serve as gateways to reach data repositories throughout the enterprise. EDR security solutions provide organizations with real-time visibility into endpoint activities, allowing them to quickly detect and respond to potential security incidents. This visibility enables security teams to identify and contain threats, minimizing the impact of an attack. With granular visibility into processes, network connections, and file behavior, EDR facilitates deep inspection and detection of advanced threats that bypass traditional security measures.  

Detection outcomes: EDR technology allows you to detect attacks such as malware and ransomware, fileless attacks, suspicious processes, anomalous network traffic, data exfiltration, and insider threats.  

Key takeaway: Ensure you have telemetry available that you can search and correlate on for endpoint properties for categories including: 

  • Process creation
  • Process access
  • Image/library loaded
  • File manipulation (create, open, delete, rename)
  • Registry manipulation
  • Service manipulation

Baseline Detections for EDR:

  • EDR Vendor-specific Alerts
    • Critical/High/Medium/Low Severity Detection
    • Incident Event
    • Medium Severity Detection – Not Blocked
    • Medium Severity Threat Detection – Not Mitigated
  • Active Directory Database Dump
  • Active Directory Enumeration via AdFind
  • Cobalt Strike Named Pipe Created
  • DLL registered with DllRegisterServer/DllInstall
  • Mimikatz Detected
  • Multiple Discovery Commands
  • PSEXEC Pivoting with Process Execution
  • Rundll32.exe – Possible Persistence
  • Scheduled Task Creation via Command Line
  • Shadow Copies Deleted
  • Suspicious Encoded or Bypassed PowerShell Execution
  • WMIC Process Creation
  • Wscript Executing Suspicious File

2. Forward Proxy Detection

Acting as an intermediary between a user and the internet, a forward proxy plays a critical role in inspecting and analyzing incoming and outgoing network traffic for potential threats. Beyond its role in safeguarding the network against threats, forward proxies also facilitate the logging and monitoring of network traffic, providing valuable insights for threat detection and incident response. For example, forward proxies can log, detect, and block communication with malware command-and-control (C2) infrastructure.   

Detection outcomes: Forward proxies allow you to detect data leakage, DDoS attacks, malware distribution, and unauthorized access attempts.   

Key takeaway: To facilitate investigations, make sure you can search and correlate on forward proxy properties including: 

  • HTTP referrer
  • HTTP method
  • HTTP status
  • URI, URL, URL category
  • MIME
  • User-Agent
  • Protocol/application
  • Action
  • Bytes in/out
  • IP source/destination
  • Port source/destination

Baseline Detections for Forward Proxies:

  • Emergency Domain Threat IOC 
  • Emergency URL Threat IOC 

3. Identity and Access Management (IAM): Authentication, Account Auditing, and MFA

IAM authentication and account auditing verify the identity of users and grant access only to authorized individuals. By implementing strong authentication mechanisms, such as multifactor authentication (MFA), organizations can mitigate the risk of unauthorized access attempts and credential theft. Account auditing complements IAM authentication by monitoring and logging user activities, providing a record of user actions such as suspicious login attempts or abnormal user behavior.  

Detection outcomes: IAM detection rules allow you to detect attacks such as insider threats, privilege escalation, brute force attacks, unauthorized access and identity theft.  

Key takeaway: Make sure you can search and correlate on account and authentication properties derived from key Windows events such as Windows Event IDs 4624, 4265, 4771, 4776, 4768, 4769, 4720, 4732, 4735, 4729, 4728 and 4756.  

Baseline Threat Detection Rules for IAM:

  • Addition to Privileged Security Group 
  • MFA Fraud Event Followed by Successful Authorization  
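The two IAM baseline rules above illustrate the two rule shapes mentioned earlier: a single-event match (a member added to a privileged group, Windows Event IDs 4728/4732/4756) and a sequence that needs two log sources (an MFA fraud report followed by a successful sign-in for the same user). This is an added example, not code from the original post; the events are constructed and already normalised, and the field names, the privileged-group list and the 60-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalised events from three sources; none of this is real telemetry.
# Windows Security log: 4728/4732/4756 = member added to a security-enabled global/local/universal group.
WINDOWS_EVENTS = [
    {"ts": "2024-05-01T08:02:10", "event_id": 4728, "group": "Domain Users", "member": "CORP\\jdoe", "actor": "CORP\\svc_hr"},
    {"ts": "2024-05-01T08:05:41", "event_id": 4732, "group": "Administrators", "member": "CORP\\jdoe", "actor": "CORP\\tsmith"},
    {"ts": "2024-05-01T08:09:03", "event_id": 4756, "group": "Enterprise Admins", "member": "CORP\\bkr", "actor": "CORP\\tsmith"},
]
# MFA provider log: "fraud" = the user reported a push they did not initiate.
MFA_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "jdoe", "result": "fraud"},
    {"ts": "2024-05-01T09:20:00", "user": "mlee", "result": "fraud"},
]
# Successful sign-ins (e.g. Windows 4624 or an IdP success event).
AUTH_EVENTS = [
    {"ts": "2024-05-01T09:12:30", "user": "jdoe"},
    {"ts": "2024-05-01T11:45:00", "user": "mlee"},  # 2h25m after the fraud report: outside a 60-minute window
]

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}  # assumed list
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

def _ts(s):
    return datetime.fromisoformat(s)

def privileged_group_additions(events):
    """Rule 1: Addition to Privileged Security Group. Returns (actor, member, group) tuples."""
    return [(e["actor"], e["member"], e["group"]) for e in events
            if e["event_id"] in GROUP_ADD_EVENT_IDS and e["group"].lower() in PRIVILEGED_GROUPS]

def mfa_fraud_then_success(mfa_events, auth_events, window_minutes=60):
    """Rule 2: MFA Fraud Event Followed by Successful Authorization.
    Event A (MFA source) followed by event B (authentication source) for the same user within the window."""
    window = timedelta(minutes=window_minutes)
    auths = sorted(auth_events, key=lambda a: _ts(a["ts"]))
    hits = []
    for m in mfa_events:
        if m["result"] != "fraud":
            continue
        start = _ts(m["ts"])
        for a in auths:
            t = _ts(a["ts"])
            if a["user"] == m["user"] and start <= t <= start + window:
                hits.append((m["user"], m["ts"], a["ts"]))
                break  # one alert per fraud report
    return hits
```

The second rule only works if both sources carry a joinable user identifier and timestamps in a common time zone, which is the practical reason the "search and correlate" requirement above matters more than any individual event ID.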

4. Email Security Detection

Email security safeguards against various malicious activities carried out through email communication. It involves filtering and analyzing incoming emails to identify and block phishing attempts, malware attachments, and suspicious links. By implementing email security measures, organizations prevent these attack attempts from reaching end users, eliminating the risk of users inadvertently falling victim to these attacks. Advanced filtering techniques, combined with comprehensive malware scanning and link analysis, enhance the ability to detect and prevent malicious activities. 

Detection outcomes: Email security solutions enable you to detect email-borne attacks including phishing attempts, malware-laden attachments, and spam emails. 

Key takeaways: Make sure you can search and correlate on email security properties like sender/recipient address, sender/recipient IP address, subject, message ID, delivery status, action, disposition, attachment name/type/hash, URL/links, and message headers.  

Baseline Threat Detection Rules for Email Gateways: 

  • Allowed Malicious Email 
  • Emergency Hash Threat IOC 
  • Phishing Link Clicked 
  • Allowed Impostor Email 
  • Malicious Email Wave from Internal User Detected 
  • Suspicious Email Outlook Rule Created via API/Portal 
  • Suspicious Email Outlook Rule Created via Outlook Client 

5. Network Security: Firewall and IPS Detection

Firewalls and intrusion prevention systems (IPS) provide proactive defense against potential attacks. Firewalls act as a barrier between a trusted internal network and untrusted external networks, filtering and controlling network traffic based on predefined rules. IPS goes a step further by analyzing network traffic in real-time, detecting and blocking malicious activities to prevent potential cyber threats before they can cause harm. Together, firewalls and IPS provide layered protection, decrease the likelihood of successful cyberattacks and enhance overall threat detection capabilities. 

Detection outcomes: Network security solutions enable the detection of a wide range of cybersecurity attacks, including distributed denial-of-service (DDoS) attacks, network intrusion attempts, malware propagation, and unauthorized access attempts. 

Key takeaways: Make sure you can search and correlate on firewall/IPS properties like IP source/destination, port source/destination, bytes in/out, signatures, action, and protocol/application. 

Baseline Threat Detection Rules for Network Security:  

  • Vulnerability Scan – Internal 
  • Vulnerability Sweep – Internal 
  • Emergency IP Threat IOC – Outbound 
  • Emergency Threat Signature IOC 
  • Credential Dumping 
  • Account Access Enumeration 
  • Port Scan – Internal 
  • Emergency IP Threat IOC – Inbound

Augmenting Your Detection Strategy: Threat Hunting

Detections serve as the starting point for threat hunting, providing indicators or alerts that something potentially malicious or suspicious has occurred. However, to understand the nature and extent of the threat, threat hunting becomes necessary: a systematic, proactive investigation that works through the available data and applies forensic analysis. 

When engaging in threat hunting, it’s essential to examine multiple data sources to gather a comprehensive understanding of the threat landscape. This includes network traffic logs, system logs, application logs, endpoint information, and other relevant data sources. By leveraging the insights from various data sources, threat hunters can correlate information and identify any hidden or subtle signs of malicious behavior that may have been missed by automated tools. 

By combining both automated detections and threat hunting, you can detect and respond to threats more effectively. While automated detections provide the initial alert, threat hunting helps to uncover the tactics, techniques, and motivations behind malicious activity. This integrated approach to security operations enables you to maintain a higher level of situational awareness, enhance incident response capabilities, and improve your overall security posture. 

Measuring Detection Effectiveness

Once you’ve implemented baseline detection rules, measuring the results and improving your processes allows you to accelerate your detection journey over time. To measure how well your detection process is working, you should examine: 

  • The breadth of data sources: The more comprehensive your coverage across different data sources—such as network traffic logs, system logs, application logs, endpoint information, and other relevant security data sources—the greater the likelihood of effectively detecting and responding to threats. By measuring the coverage of your data sources, you can identify any gaps in monitoring and take steps to enhance coverage where needed, improving your detection capabilities. 
  • The diversity of your data sources: By measuring the diversity of data source technology functions, you can better identify any gaps and determine the effectiveness of your current security measures. 
  • How quickly you can resolve an incident (mean time to resolve, or MTTR): A high MTTR indicates inefficiencies in the detection and response process, highlighting areas where improvements can be made. By measuring and analyzing MTTR, you can uncover bottlenecks in your incident response workflows, streamline processes, and allocate resources more effectively. 

Having a metrics dashboard, such as the ReliaQuest GreyMatter Model Index, helps to measure the effectiveness of detections and improve security operations. It provides a centralized visual representation of key metrics (e.g., data source visibility, data source diversity, MTTR, and other metrics), enables real-time monitoring to identify anomalies promptly, facilitates trend analysis for long-term performance tracking, and supports data-driven decision making. The use of a metrics dashboard helps improve rule sets, enhance detection capabilities, and ensure a more efficient and accurate security posture for your organization.

Conclusion

This blog serves as a starting place for maturing your detection capabilities by describing foundational detections, threat hunting, and offering guidance on measuring effectiveness. As we continue in our blog series, we’ll be focusing on two critical aspects of improving threat detection: Ransomware Threat Detection and Phishing/BEC Threat Detection. We’ll provide actionable guidance and practical tips to improve your threat detection capabilities. Security is an ongoing journey, and by continuously improving your detection strategies, you can adapt to the evolving threat landscape and protect your valuable assets.