Sweet is excited to announce our new custom detection rules capability for CDR and ADR, which lets users build rules tailored to their own threat landscape.
Create custom rules or exclude findings within a minute, without a complex query language, by choosing from a set of predefined options:
- Generate New Custom Findings: Create a new finding tailored to the specific needs of your cloud environment.
- Templates for IoC Rules: Use templates to detect various types of IoCs within minutes.
- Exclude Findings by Specific Properties: Select a finding and exclude it only when specific conditions are met.
- Ignore Findings: Use the exclude-all option so that selected findings no longer feed the detection and response mechanism at all.
Sweet’s Robust Detection Framework for CDR and ADR
Sweet’s CDR and ADR capabilities are built on a detection framework with three layers:
- Sweet’s own ruleset, built from offensive-security knowledge of how attackers operate
- Signatures, IoCs, and TTPs known to the security community
- A baseline anomaly detection framework that continuously learns your environment, combined with a detection ruleset that covers a wide range of attack scenarios
Combining this framework with customizable rules gives our customers fine-grained control over how anomaly detection is configured. Rule customizations not only improve their ability to identify potential threats but also give them more control over the incident response process.
Key Use Cases for Customized Detection Coverage
1. Exclude Legitimate Findings and Focus on What Matters to You
Different organizations use similar cloud and container services in very different ways. For this reason, Sweet builds a unique, dynamic baseline for each organization. In 96.4% of cases, our anomaly detection baseline works for your organization out of the box, generating only a single-digit number of anomaly incidents per month.
That said, experienced security and engineering teams understand their organization's anomalous-but-expected behaviors best. We therefore let our customers track these known, legitimate activities and mark them for exclusion. Sweet then stops generating false-positive incidents for those activities, which reduces noise.
With this capability, our customers gain better control of their cloud detection and response system by quickly adjusting it to their specific needs.
In the example below, we see a critical finding for a Docker client execution, detected as a deviation from the regular behavior of this pod. The Docker client lets users run commands to manage Docker containers and other Docker objects.
Since the Docker client can also be used for the legitimate management of containers and images, the operator can narrow the scope of the finding by editing it and excluding any findings from the known namespaces (or based on other properties) in which DevOps engineers use the Docker client.
2. Enrich SIEM Data with Customized, High-Value Findings
Enriching your SIEM with runtime logs generated by our eBPF sensor improves observability and visibility in your cloud and K8S environments to match your organization's security needs. For instance, you may want to feed your SIEM every modification of mounted files under specific paths, so you can check whether each modification was made by an authorized user or process and followed the proper security procedures. In the sample rule shown below, we created a rule that reports every write into a mounted file where the process directory is under /application.
3. Proactively Mitigate Niche Threats
When a new campaign affects multiple industries, it draws significant attention. New threats that emerge in niche regions or industries, however, often go unnoticed, and security operations and threat intelligence teams are left to detect and mitigate them on their own. With custom rules, you can extend Sweet's coverage to the niche TTPs of these emerging campaigns by detecting the specific events and parameters linked to the malicious activity. Even without a dedicated rule for each TTP, our baseline mechanism keeps monitoring your environment for new threats by flagging unusual activity. A relevant example is the abuse of eBPF programs and their extensive Linux kernel capabilities, as in the Pamspy malware, which attaches an eBPF uprobe to libpam to steal credentials from PAM-backed applications such as sshd, sudo, and passwd. By monitoring eBPF program loads that attach to such sensitive processes, you can protect your organization from eBPF credential dumpers like Pamspy.
4. Build IoC Templates for Unique Detections
Active threat hunting is integral to security operations and threat-hunting teams. While Sweet already provides coverage for a broad range of attack scenarios and IoCs drawn from open-source tooling, you can still use our IoC templates to create custom rules for malicious IoCs, such as IPs, URLs, and file hashes, with a single click. For example, you can block IP addresses that another security tool (e.g. a WAF) only flags as suspicious, but which your external threat intelligence confirms as malicious. You can also block IPs associated with countries in which your services are not offered.
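As an added illustration, not Sweet's code or rule syntax, the Python sketch below evaluates the four rule types from use cases 1 to 4 as plain predicates over constructed runtime events: a namespace-scoped exclusion of the Docker client anomaly, a rule for writes into mounted files by processes under /application, a rule for eBPF program loads aimed at PAM-backed processes, and an IoC match on destination IP or file hash. Every event field name, namespace, path, process name and indicator value is an assumption made for the example.

```python
# Added example: an illustrative evaluator for the four custom-rule types in this post.
# It is not Sweet's code and does not use Sweet's rule syntax; every event field,
# namespace, path and indicator value below is constructed for the illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[Event], bool]


@dataclass
class Exclusion:
    finding: str                   # name of the finding to suppress
    when: Callable[[Event], bool]  # suppress only if this condition holds


# Constructed reference data (assumptions for the example).
SENSITIVE_PROCS = {"sshd", "sudo", "passwd", "login"}  # PAM-backed programs Pamspy targets
IOC_IPS = {"198.51.100.23"}                            # TEST-NET-2 address as a placeholder indicator
IOC_SHA256 = {"deadbeef" * 8}                          # placeholder hash, not a real sample


def writes_mounted_file_from_application(e: Event) -> bool:
    """Use case 2: write into a mounted file by a process whose binary lives under /application."""
    return (e.get("kind") == "file_write"
            and e.get("mounted") is True
            and str(e.get("exe", "")).startswith("/application/"))


def loads_ebpf_into_sensitive_process(e: Event) -> bool:
    """Use case 3: bpf program load whose attach point is libpam or a PAM-backed process."""
    return (e.get("kind") == "bpf_prog_load"
            and (e.get("target_comm") in SENSITIVE_PROCS
                 or "libpam" in str(e.get("attach_target", ""))))


def matches_ioc(e: Event) -> bool:
    """Use case 4: IoC template hit on destination IP or file hash."""
    return e.get("dst_ip") in IOC_IPS or e.get("sha256") in IOC_SHA256


CUSTOM_RULES = [
    Rule("mounted_file_write", "medium", writes_mounted_file_from_application),
    Rule("ebpf_load_sensitive_process", "high", loads_ebpf_into_sensitive_process),
    Rule("ioc_match", "high", matches_ioc),
]

# Stand-in for a baseline anomaly the platform already raises on its own.
BASELINE_ANOMALIES = [
    Rule("docker_client_execution", "critical",
         lambda e: e.get("kind") == "exec" and e.get("comm") == "docker"),
]

# Use case 1: suppress the Docker client anomaly only in the namespace DevOps uses it from.
EXCLUSIONS = [
    Exclusion("docker_client_execution", lambda e: e.get("namespace") == "ci-runners"),
]


def evaluate(events: List[Event],
             rules: Optional[List[Rule]] = None,
             anomalies: Optional[List[Rule]] = None,
             exclusions: Optional[List[Exclusion]] = None) -> List[Dict[str, object]]:
    """Run baseline anomalies and custom rules over events, honouring scoped exclusions."""
    rules = CUSTOM_RULES if rules is None else rules
    anomalies = BASELINE_ANOMALIES if anomalies is None else anomalies
    exclusions = EXCLUSIONS if exclusions is None else exclusions
    findings = []
    for e in events:
        for r in anomalies + rules:
            if not r.match(e):
                continue
            if any(x.finding == r.name and x.when(e) for x in exclusions):
                continue  # known legitimate activity: suppressed, no finding raised
            findings.append({"rule": r.name, "severity": r.severity, "event": e})
    return findings


# Constructed runtime events (hypothetical; shaped like what an eBPF sensor might emit).
SAMPLE_EVENTS: List[Event] = [
    {"kind": "exec", "comm": "docker", "namespace": "ci-runners"},  # excluded by scope
    {"kind": "exec", "comm": "docker", "namespace": "payments"},    # anomaly survives
    {"kind": "file_write", "mounted": True, "exe": "/application/bin/worker",
     "path": "/mnt/config/app.yaml"},                                # custom rule hits
    {"kind": "file_write", "mounted": True, "exe": "/usr/bin/vim",
     "path": "/mnt/config/app.yaml"},                                # binary outside /application
    {"kind": "bpf_prog_load", "comm": "pamspy", "prog_type": "kprobe",
     "attach_target": "/lib/x86_64-linux-gnu/libpam.so.0", "target_comm": "sshd"},
    {"kind": "bpf_prog_load", "comm": "cilium-agent", "prog_type": "sched_cls",
     "attach_target": "eth0", "target_comm": ""},                    # benign CNI program load
    {"kind": "connect", "comm": "curl", "dst_ip": "198.51.100.23"},  # IoC hit
    {"kind": "connect", "comm": "curl", "dst_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["event"])
```

Running the script yields four findings: the Docker execution in the payments namespace (the ci-runners one is suppressed by the scoped exclusion), the mounted-file write from /application, the eBPF load attached to libpam in sshd, and the IoC match. The exclusion is keyed on the finding name plus a predicate, which is the shape of "exclude only if specific conditions are met"; an exclude-all rule is simply a predicate that always returns True.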
Why Customized Rules are Key for Cloud Runtime Detection and Response
While customized rules have been a well-known, widely implemented feature of EDR products for years, their evolution in cloud runtime security is only beginning. Monitoring and visibility for cloud VMs and K8S clusters differ significantly from traditional endpoint monitoring because of dynamic scaling, ephemeral instances, and orchestrated container environments, which make it hard to maintain real-time visibility across transient workloads.
Our detection mechanism, designed specifically for K8S clusters and cloud VMs, is built on our eBPF sensor, which provides detection and prevention capabilities by monitoring both kernel and syscall events.
And now you can create dedicated rulesets for cloud runtime monitoring that fit your organization's particular needs and cover your own use cases.
Customize Detection Rules with Sweet
In conclusion, our new custom rules feature significantly extends Sweet's cloud detection and response capabilities, giving users much finer control over their security posture.
The four key use cases (proactively mitigating niche threats, blocking known IoCs, enriching SIEM data with high-value findings, and tuning alerts to reduce noise and false positives) show the flexibility of this feature.
These examples illustrate only a fraction of what customizable rules can do, so that you can adapt to whatever security needs your organization encounters next.