A scalable, cloud-based platform for maximizing the efficiency and effectiveness of your existing SIEM/XDR

The first step is mapping all your existing rules to ATT&CK – including custom rules – and calculating your detection coverage.

By evaluating the log sources in a given rule and using clustering techniques to compare rules to other rules in our proprietary database, CardinalOps’ mapping engine finds the “best fit” for a rule in the existing framework of ATT&CK techniques.

To evaluate the “depth” of coverage for a given technique or sub-technique, CardinalOps goes beyond simply adding up the number of rules.

Instead, it examines how many relevant security layers – endpoint, network, email, IAM, cloud, etc. – are covered by existing rules for each technique and sub-technique.

This enables you to evaluate your existing coverage compared to your potential coverage (data sources you’re currently using), as well identify additional telemetry sources that can be used to strengthen your coverage, based on your priorities.

Based on the priorities you have specified – such as APT groups, specific tactics or techniques, security layers (endpoint, network, email, IAM, cloud, etc.), log source types (AWS, Okta, etc.) etc. – the platform delivers new detections to address critical coverage gaps.

Detections are delivered in a high-fidelity, deployment-ready format. This means they are delivered in your SIEM’s native query language – not a generic format like SIGMA – and have been pre-customized for your unique environment (data sources, naming conventions, fields, indexes, etc.).

Equally important, they have been pre-validated to not cause excessive noise in the SOC, based on your historical log data.

All rules have specific prerequisites to enable them to fire. For example, the logs must be ingested by the SIEM/XDR, the required field values must appear in the logs, and the parsing must be correct.

The CardinalOps platform has a series of automated validators to check for these prerequisites. However, the platform doesn’t simply identify issues, it provides detailed recommendations on how to fix broken rules. And if the fix can be implemented in the rule itself, it provides the mitigated rule in a pre-validated state that you can instantly push to your SIEM, after you have reviewed it.

Noisy rules are a little different – because every environment is different and only your team has the full context to understand exactly what changes in the environment have led to the rule becoming noisy. To accelerate your workflow, the platform performs a statistical analysis on the noisiest rules to pinpoint specific field/value pairs that are most responsible for triggering the alerts. It then provides recommendations on how to tune the rules using exclusions derived from the statistical analysis.

All new and mitigated rules are subjected to an automated Impact Analysis before deployment.  This process simulates the alerts that would have been generated over the past 90 days (or other customizable period) – based on your historical log data – had the new or mitigated rule been in place in your SIEM/XDR. The purpose of this automated check is to ensure that the new or mitigated rules won’t generate unnecessary noise or false positives.

Additionally, each new rule recommendation documents a series of validation steps that can be taken in your environment to trigger the rule (such as adding a new MFA option to an existing user in your Active Directory admin console, which can be an indication of malicious activity).

Some organizations also go through an extra step before deploying new rules to their SIEM/XDR, whereby they deploy them in “silent mode” that only generates email alerts to the detection engineering team rather than creating notables (incidents or offenses) for SOC analysts. This configuration is directly managed in the CardinalOps console and is typically used for a week or so before the rule is fully deployed.

Deployment of new and mitigated rules can also be restricted to specific change windows that you specify based on your organizational procedures. Some organizations also leverage the CardinalOps platform API to push new rules into production via GitHub CI/CD workflows rather than from a button in the CardinalOps console.

The platform includes a series of reports for validating your organization’s detection posture and answering common questions from leadership such as “How exposed are we?” and “How prepared are we to detect the latest threats?”

These reports are also essential for driving and tracking continuous improvement in ATT&CK coverage over time, based on your organizational priorities.

The platform relies on a database of more than 5,000 best practice detections that have been curated over time by our team of world-class security researchers with nation-state expertise.

Platform users can also search our rule catalog using specific parameters of interest such as Technique number, CVE, log source type, application, etc.