DETR
Detection Engineering Threat Report
The interactive open DETR (pronounced deter) is the visual component of the REx project. It can also stand on its own without too much context beyond the dashboards themselves. The primary intent is that the data speaks for itself, with minimal interpretive narration. This serves to enhance the value of the report, since the data is dynamic and constantly updating.
The DETR consists of four primary sections:
- State of current detections
- Developments and changes over time
- Uniqueness over time
- Emerging threats analysis: 2023 - 2024
State of current detections
This section analyzes the latest snapshot of all covered rule sets. The rule snapshots are refreshed every 24 hours, which is why they do not have a timestamp associated with them.
Developments and changes over time
This section analyzes the changes made to all covered rule sets, giving insight into where the most development takes place per individual rule attribute, including from a maintenance perspective.
Uniqueness over time
The four types of new terms representing uniqueness can be found under schema. This section analyzes the uniqueness of detection logic fields and ATT&CK techniques within rules over time. It can be reflective of novelty, new data sources, or even just schemas that are too large.
Emerging threats analysis
This dashboard analyzes the reactiveness and responsiveness to known major threats, CVEs, or any other prominently discussed risks.
What is interesting and insightful to observe here is that most rule detection logic approaches tend to focus on behavioral aspects, as opposed to being too atomic or overly specific and signature-like. This means that some coverage insights may not be immediately obvious; in other words, pre-existing detection capabilities for major emerging threats can easily be overlooked when inspecting from a purely rules perspective (as opposed to alerts).
The CVEs chosen were those most represented in other threat reports. While they are insightful in themselves, they are also meant to showcase the process of temporal analysis: simply look up the timing of other CVEs or events and compare accordingly.
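An added example (not code from the REx project) of the two measurements described above: "new terms" per rule snapshot for the uniqueness section, and the lag between a CVE's publication and the first rule that either cites it or already covers its ATT&CK technique, which is how behavioral coverage that predates the CVE shows up. The rule shape, the dated snapshots and the CVE identifier are constructed for this example, not the REx schema.

```python
"""Temporal analysis over dated detection-rule snapshots (constructed data)."""
from datetime import date

# Constructed rules. The shape (id, techniques, fields, references) is an
# assumption for this example, not the REx rule schema.
R1 = {"id": "r1", "techniques": {"T1059.001"}, "fields": {"process.command_line"}, "references": set()}
R2 = {"id": "r2", "techniques": {"T1190"}, "fields": {"http.request.method", "url.path"}, "references": set()}
R3 = {"id": "r3", "techniques": {"T1059.001", "T1566.001"}, "fields": {"process.command_line", "file.extension"}, "references": set()}
R4 = {"id": "r4", "techniques": {"T1190"}, "fields": {"url.path", "http.request.body.content"}, "references": {"CVE-EXAMPLE-0001"}}

# Three daily snapshots of the rule set, keyed by snapshot date (constructed).
SNAPSHOTS = {
    date(2024, 1, 1): [R1, R2],
    date(2024, 1, 3): [R1, R2, R3],
    date(2024, 1, 6): [R1, R2, R3, R4],
}

CVE = "CVE-EXAMPLE-0001"          # placeholder identifier, not a real CVE
CVE_PUBLISHED = date(2024, 1, 4)  # constructed publication date
CVE_TECHNIQUE = "T1190"           # ATT&CK technique the hypothetical CVE maps to


def new_terms_over_time(snapshots, key):
    """Per snapshot date, the terms under `key` that no earlier snapshot contained."""
    seen, out = set(), {}
    for day in sorted(snapshots):
        terms = set().union(*(rule[key] for rule in snapshots[day]))
        out[day] = terms - seen
        seen |= terms
    return out


def first_seen(snapshots, predicate):
    """Earliest snapshot date holding a rule that satisfies `predicate`, else None."""
    for day in sorted(snapshots):
        if any(predicate(rule) for rule in snapshots[day]):
            return day
    return None


def response_lag_days(snapshots, cve, technique, published):
    """Days from CVE publication to the first rule citing the CVE, and to the
    first rule covering its technique. A negative value means behavioral
    coverage existed before the CVE was published."""
    def lag(day):
        return None if day is None else (day - published).days
    cited = first_seen(snapshots, lambda r: cve in r["references"])
    covered = first_seen(snapshots, lambda r: technique in r["techniques"])
    return {"cited": lag(cited), "technique_covered": lag(covered)}
```

With the constructed data, the CVE-citing rule appears two days after publication, while the technique it maps to was already covered three days before it.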
© A project by @br0k3ns0und | br0k3nlab