Testing a trigger - forcing a detection?

Hello All,

I’m currently getting my head around triggers, specifically one that fires on DETECTION_UPDATE.

Is there a good way to generate a detection on-demand so I can fire the trigger? I have used a Nessus scanner to port scan a device that ExtraHop can see but it doesn’t always seem to fire a detection.

Thanks,

Chris.

Hi @chris.booth ,

A reliable way to generate detections on-demand is to write a custom detection. As an example, you could write a trigger like the one below to run on SSL_OPEN events and fire a detection every time a device accesses Pastebin.

// SSL_OPEN trigger: commit a custom detection whenever a client opens a TLS
// session whose server name ends in pastebin.com.
if (SSL.host === null) {
    // No server name available for this session; nothing to match against.
    return;
}

if (SSL.host.endsWith("pastebin.com")) {
    commitDetection("pastebin_access", {
        categories: ["sec.action", "sec.command"],
        title: "Pastebin Access",
        participants: [
            // The client device of this flow is recorded as the offender.
            { role: "offender", object: Flow.client.device },
        ],
        description: "The offender accessed Pastebin.",
        // A fresh timestamp as identityKey means every match becomes a new
        // detection rather than an update to an existing one.
        identityKey: getTimestamp().toString(),
        riskScore: 50,
    });
}

You can also configure MITRE ATT&CK categories for the custom detection in the Detection Formats settings.

Here’s documentation for creating custom detections.

Hope this helps,
Swagat

1 Like
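As an added example (my code, not ExtraHop's and not part of Swagat's post), here is the same idea restructured so both halves of the test can be exercised offline under node: the SSL_OPEN side, with the trigger runtime's globals (SSL.host, Flow.client.device, commitDetection) passed in as parameters, and a DETECTION_UPDATE side that picks out the custom detection and its offender. It differs from the trigger above in two places a practitioner would want: the hostname match is tightened to pastebin.com and its subdomains, and the detection is keyed on the client device instead of a timestamp so repeat hits update one detection. The Detection field names (type, participants[].role, participants[].object) and Device.id are assumptions about the Trigger API; check them against the documentation for your firmware. The sample flows are constructed, not captured from a sensor.

```javascript
// Pure re-implementation of the SSL_OPEN logic, with the trigger runtime's
// globals (SSL.host, Flow.client.device, commitDetection) replaced by
// parameters so it can run under node on constructed input.
// Returns { type, options } as would be passed to commitDetection(type, options),
// or null when no detection should be committed.
function buildPastebinDetection(host, clientDevice) {
  if (!host || !clientDevice) {
    return null;
  }
  // Match pastebin.com and its subdomains only; a bare endsWith("pastebin.com")
  // would also match unrelated names such as notpastebin.com.
  const h = host.toLowerCase();
  if (h !== "pastebin.com" && !h.endsWith(".pastebin.com")) {
    return null;
  }
  return {
    type: "pastebin_access",
    options: {
      categories: ["sec.action", "sec.command"],
      title: "Pastebin Access",
      participants: [{ role: "offender", object: clientDevice }],
      description: "The offender accessed Pastebin.",
      // Key on the client device (assumed field Device.id) rather than a
      // timestamp, so repeat visits from one host update the existing
      // detection instead of opening a new one per flow.
      identityKey: "pastebin_access:" + clientDevice.id,
      riskScore: 50,
    },
  };
}

// Body of a DETECTION_UPDATE trigger: ignore every detection except the custom
// type and return its offender device. `detection` stands in for the Detection
// global; the fields used (type, participants[].role, participants[].object)
// are assumed to match the Trigger API's Detection class.
function offenderOf(detection) {
  if (detection.type !== "pastebin_access") {
    return null;
  }
  const offender = detection.participants.find((p) => p.role === "offender");
  return offender ? offender.object : null;
}

// Minimal stand-in for the appliance: commit each detection, de-duplicating on
// identityKey, then hand the results to the DETECTION_UPDATE logic.
// Returns the list of offender devices that logic reported.
function simulate(flows) {
  const committed = new Map();
  for (const f of flows) {
    const d = buildPastebinDetection(f.host, f.client);
    if (d !== null) {
      committed.set(d.options.identityKey, {
        type: d.type,
        title: d.options.title,
        participants: d.options.participants,
        riskScore: d.options.riskScore,
      });
    }
  }
  return Array.from(committed.values())
    .map(offenderOf)
    .filter((dev) => dev !== null);
}

// Constructed sample SSL_OPEN events; not captured from a real sensor.
const sampleFlows = [
  { host: "pastebin.com",     client: { id: "dev-1", ipaddr: "10.0.0.5" } },
  { host: "www.pastebin.com", client: { id: "dev-1", ipaddr: "10.0.0.5" } },
  { host: "notpastebin.com",  client: { id: "dev-2", ipaddr: "10.0.0.6" } },
  { host: null,               client: { id: "dev-3", ipaddr: "10.0.0.7" } },
  { host: "PASTEBIN.COM",     client: { id: "dev-4", ipaddr: "10.0.0.8" } },
];

for (const dev of simulate(sampleFlows)) {
  console.log("pastebin_access offender:", dev.ipaddr);
}
```

To move this back onto the sensor, the SSL_OPEN trigger becomes `const d = buildPastebinDetection(SSL.host, Flow.client.device); if (d) commitDetection(d.type, d.options);`, and the DETECTION_UPDATE trigger calls `offenderOf(Detection)` and acts on the device it returns. Five constructed flows produce two detections here (dev-1 and dev-4); the two dev-1 flows collapse onto one identityKey, and the non-matching and null-host flows produce nothing.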

Excellent - thank you Swagat.