CyberDax Detection Companion
Report Type
Training
Purpose
This companion guide provides a structured framework for translating behavioral threat hunting into detection-oriented thinking.
It is designed to answer four critical questions:
· What behavior should be detectable
· What observable signals may expose that behavior
· What telemetry sources are required to observe those signals
· What type of detection approach is most appropriate
This is not a production detection guide.
It is a behavioral detection mapping guide designed to improve analytical clarity and detection strategy.
Why This Companion Exists
Heuristic threat hunting teaches analysts how to recognize suspicious behavior.
The next logical step is understanding how that behavior could be identified more consistently.
This companion bridges the gap between:
· behavior-first analysis
· detection-oriented reasoning
It does not provide deployable detections.
It provides the structure required to think clearly about detection opportunities and limitations.
Core Detection Philosophy
CyberDax detection philosophy follows a simple model:
Behavior creates signals.
Signals require telemetry.
Telemetry enables detection.
Detection should begin with attacker behavior, not tools, signatures, or indicators.
The question is not:
What signature can be written for this tool?
The correct question is:
What must the attacker do, and what evidence does that activity create?
Detection Mapping Model
Detection is mapped conceptually through four layers.
Behavior
The action performed by the attacker.
Examples include:
· execution of code
· credential access
· persistence establishment
· external communication
· data staging or exfiltration
Signal
A signal is any observable event or pattern that may indicate behavior inconsistent with expected system or user activity.
Signals represent evidence that behavior has occurred.
Examples include:
· abnormal parent-child process relationships
· encoded or obfuscated execution
· access to sensitive memory or token stores
· rare or first-seen outbound connections
· archive creation followed by transfer activity
Telemetry
The data sources required to observe signals.
Examples include:
· endpoint process telemetry
· authentication and identity logs
· DNS activity
· proxy or network traffic
· email and user interaction telemetry
Detection Approach
The general method used to identify suspicious activity.
Examples include:
· single-event alerting
· contextual analytics
· correlated behavioral detection
· hunt-only logic
· enrichment-supported triage
Detection Approach Types
Different behaviors require different detection strategies.
Single-Event Detection
Used when:
· the behavior is rare
· the behavior is high-confidence
· false positive risk is low
Example:
· unauthorized access to protected credential stores
This approach is appropriate when a single event is sufficient to justify investigation.
Contextual Detection
Used when:
· the event alone is not sufficient
· legitimacy depends on user, system, or environment
Example:
· administrative tool execution on a non-administrative system
This approach requires contextual understanding rather than simple matching.
Correlated Detection
Used when:
· multiple low-confidence signals form a pattern
· activity spans multiple systems or telemetry sources
· no single event is sufficient
Example:
· document execution followed by script execution and external communication
This is often the most effective approach for modern threat activity.
This approach scales because it prioritizes patterns of behavior rather than individual events, allowing analysts to focus on high-risk activity without reviewing all telemetry.
Hunt-Only Detection
Used when:
· signals are too noisy for alerting
· confidence is insufficient for automated escalation
· interpretation depends heavily on environment
Example:
· uncommon but potentially legitimate command-line variations
Hunt-only logic remains valuable.
Not all detection logic should generate alerts.
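As an added illustration (not part of the CyberDax companion and not its detection logic), the following Python expresses three of the approach types above as routing rules: a single-event rule that alerts on its own, a contextual rule whose verdict depends on host context, and a hunt-only rule that queues a match for analyst review instead of alerting. The event schema, the admin host and tool lists, the credential-store event, the abbreviated-switch threshold and all sample events are assumptions constructed for this example.

```python
"""Added example: routing sample endpoint events by detection approach type.
Event fields, host/tool lists, thresholds and sample data are constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "process" or "resource_access" (constructed event kinds)
    host: str
    user: str
    data: dict


@dataclass
class Finding:
    outcome: str   # "alert" -> automated escalation; "hunt" -> analyst review queue
    rule: str
    event: Event


# Constructed environment context. Contextual detection cannot work without it.
ADMIN_HOSTS = {"jump01"}                      # hosts where admin tooling is expected
ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}      # assumed admin tool list
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
SHORT_SWITCH_MAX = 3   # assumed: switches of 1-3 letters count as abbreviated


def single_event_rule(e):
    """Single-event detection: rare and high-confidence, so one event alerts."""
    if e.kind == "resource_access" and e.data.get("resource_class") == "credential_store":
        return Finding("alert", "credential_store_access", e)
    return None


def contextual_rule(e):
    """Contextual detection: the same tool is expected on admin systems and
    suspicious elsewhere, so the verdict depends on host context, not the event."""
    if (e.kind == "process" and e.data["image"].lower() in ADMIN_TOOLS
            and e.host not in ADMIN_HOSTS):
        return Finding("alert", "admin_tool_on_non_admin_host", e)
    return None


def hunt_only_rule(e):
    """Hunt-only logic: abbreviated interpreter switches are uncommon but often
    legitimate, so a match is queued for a hunter rather than raised as an alert."""
    if e.kind != "process" or e.data["image"].lower() not in SCRIPT_HOSTS:
        return None
    switches = [tok for tok in e.data["cmdline"].split() if tok.startswith("-")]
    if any(1 <= len(tok) - 1 <= SHORT_SWITCH_MAX for tok in switches):
        return Finding("hunt", "abbreviated_interpreter_switch", e)
    return None


RULES = (single_event_rule, contextual_rule, hunt_only_rule)


def route(events):
    """Apply every rule to every event and group findings by outcome."""
    out = {"alert": [], "hunt": []}
    for e in events:
        for rule in RULES:
            f = rule(e)
            if f:
                out[f.outcome].append(f)
    return out


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event("resource_access", "ws07", "alice",
          {"process": "updater.exe", "resource_class": "credential_store"}),
    Event("process", "jump01", "admin1",
          {"image": "psexec.exe", "cmdline": "psexec.exe \\\\srv02 hostname"}),
    Event("process", "ws03", "bob",
          {"image": "psexec.exe", "cmdline": "psexec.exe \\\\srv02 hostname"}),
    Event("process", "ws03", "bob",
          {"image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -File x.ps1"}),
    Event("process", "ws09", "carol",
          {"image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -File build.ps1"}),
]

if __name__ == "__main__":
    for outcome, findings in route(SAMPLE_EVENTS).items():
        for f in findings:
            print(outcome, f.rule, f.event.host, f.event.user)
```

Run as written, the credential-store access and the admin tool on ws03 land in the alert queue, the psexec execution on jump01 produces nothing because the host context makes it expected, and the abbreviated PowerShell switches go to the hunt queue only.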
Telemetry Prioritization Model
Certain telemetry sources consistently provide higher detection value for behavioral analysis.
Entry Telemetry
Includes:
· email delivery and interaction
· link access
· file delivery and execution
This provides context for how activity originated.
Execution Telemetry
Includes:
· process creation
· command-line activity
· script execution
· parent-child relationships
· memory interaction behavior
Execution telemetry is often the most critical because attackers must execute code to achieve objectives.
Communication Telemetry
Includes:
· DNS activity
· proxy traffic
· outbound connections
· rare or first-seen destinations
This provides validation of external interaction following execution.
Telemetry Correlation Principle
Detection strength increases when telemetry spans:
· how activity started
· what executed
· what communicated
Single-source detection provides limited visibility.
Multi-source correlation provides higher confidence.
Behavior-to-Detection Examples
Behavior reveals what attackers must do to succeed.
The following are conceptual examples.
They are not production detections.
Suspicious Document-Led Execution
Behavior
A user-facing document triggers script or command execution.
Signals
· Office application spawning a script interpreter
· unusual or encoded command-line content
· execution shortly after document interaction
Telemetry
· endpoint process telemetry
· email and user interaction logs
Detection Approach
Correlated or contextual detection
Explanation
The parent-child relationship may be suspicious, but confidence increases when tied to user interaction and subsequent activity.
Suspicious External Communication
Behavior
A process initiates communication with an unusual or low-frequency external destination.
Signals
· rare domain resolution
· first-seen destination
· process-linked outbound communication
Telemetry
· DNS logs
· proxy logs
· endpoint network telemetry
Detection Approach
Contextual or correlated detection
Explanation
Infrastructure alone is often insufficient. Confidence increases when combined with suspicious execution.
Credential Access Behavior
Behavior
A process accesses credentials, tokens, or protected authentication material.
Signals
· access to sensitive memory or token stores
· behavior inconsistent with process function
· follow-on authentication anomalies
Telemetry
· endpoint telemetry
· authentication logs
Detection Approach
Single-event or correlated detection depending on context
Explanation
Confidence depends on process legitimacy and subsequent activity.
Staging and Exfiltration Behavior
Behavior
Data is collected, compressed, or packaged before transfer.
Signals
· archive creation
· staging in unusual locations
· outbound transfer following staging
Telemetry
· file activity
· endpoint telemetry
· network or proxy logs
Detection Approach
Correlated detection
Explanation
Individual actions may be benign. The sequence creates confidence.
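The conceptual examples above, together with the Telemetry Correlation Principle (how activity started, what executed, what communicated), as an added worked example that is not part of the CyberDax companion: a small multi-source correlator that joins an execution signal (an Office application spawning a script interpreter) to a communication signal (a first-seen DNS resolution from the same host) inside a time window, and joins archive creation to a large outbound transfer. Every event is constructed sample telemetry; the field names, the known-domain baseline, the 10-minute window and the upload-size threshold are assumptions made for this illustration, not recommended production values.

```python
"""Added example: correlating process, DNS, file and proxy telemetry into
sequence-based findings. All events, names and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str    # telemetry source: "process", "dns", "proxy" or "file"
    host: str
    attrs: dict


@dataclass
class Finding:
    name: str
    host: str
    chain: list    # the events that, only in combination, justify escalation


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed baseline: destinations this environment has resolved before.
KNOWN_DOMAINS = {"update.example-vendor.test", "mail.example.test"}
WINDOW = timedelta(minutes=10)    # assumed correlation window
UPLOAD_BYTES = 1_000_000          # assumed size for a transfer worth correlating


def _followers(events, anchor, predicate):
    """Events on the same host, after anchor and inside WINDOW, matching predicate."""
    return [e for e in events
            if e.host == anchor.host and anchor.ts < e.ts <= anchor.ts + WINDOW
            and predicate(e)]


def correlate_document_led_execution(events):
    """Execution signal (Office parent -> script host) joined to a communication
    signal (first-seen DNS resolution from the same host) inside the window.
    Neither event alerts on its own; the sequence does."""
    findings = []
    for e in events:
        if e.source != "process":
            continue
        if (e.attrs["parent"].lower() not in OFFICE_APPS
                or e.attrs["image"].lower() not in SCRIPT_HOSTS):
            continue
        first_seen = _followers(
            events, e, lambda d: d.source == "dns" and d.attrs["domain"] not in KNOWN_DOMAINS)
        if first_seen:
            findings.append(Finding("document_led_execution_with_first_seen_destination",
                                    e.host, [e] + first_seen))
    return findings


def correlate_staging_and_transfer(events):
    """Archive creation followed by a large outbound transfer from the same host."""
    findings = []
    for e in events:
        if (e.source != "file" or e.attrs["action"] != "create"
                or not e.attrs["path"].lower().endswith((".zip", ".7z", ".rar"))):
            continue
        uploads = _followers(
            events, e, lambda p: p.source == "proxy" and p.attrs["method"] in {"POST", "PUT"}
            and p.attrs["bytes_out"] >= UPLOAD_BYTES)
        if uploads:
            findings.append(Finding("staging_followed_by_outbound_transfer", e.host, [e] + uploads))
    return findings


def t(minute):
    """Constructed timestamps, all on one morning."""
    return datetime(2024, 1, 1, 9, minute)


SAMPLE_EVENTS = [
    # ws01: Office spawns an interpreter, then a first-seen domain -> finding
    Event(t(0), "process", "ws01", {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
    Event(t(2), "dns", "ws01", {"domain": "cdn-invoice-sync.test"}),
    # ws02: same parent/child, but only a known destination follows -> no finding
    Event(t(0), "process", "ws02", {"parent": "EXCEL.EXE", "image": "cscript.exe"}),
    Event(t(1), "dns", "ws02", {"domain": "update.example-vendor.test"}),
    # ws03: first-seen domain, but the interpreter was launched from explorer -> no finding
    Event(t(0), "process", "ws03", {"parent": "explorer.exe", "image": "powershell.exe"}),
    Event(t(3), "dns", "ws03", {"domain": "new-but-legitimate.test"}),
    # srv01: archive created, then a large PUT -> finding
    Event(t(0), "file", "srv01", {"action": "create", "path": "C:\\Users\\Public\\export.zip"}),
    Event(t(4), "proxy", "srv01", {"method": "PUT", "bytes_out": 52_000_000}),
    # ws04: archive created, only a small POST follows -> below threshold, no finding
    Event(t(0), "file", "ws04", {"action": "create", "path": "C:\\Temp\\photos.zip"}),
    Event(t(1), "proxy", "ws04", {"method": "POST", "bytes_out": 4_000}),
    # ws05: first-seen domain arrives 30 minutes later, outside the window -> no finding
    Event(t(0), "process", "ws05", {"parent": "winword.exe", "image": "wscript.exe"}),
    Event(t(30), "dns", "ws05", {"domain": "late.test"}),
]


def run(events=SAMPLE_EVENTS):
    return correlate_document_led_execution(events) + correlate_staging_and_transfer(events)


if __name__ == "__main__":
    for f in run():
        print(f.name, f.host, [(e.source, e.ts.time().isoformat()) for e in f.chain])
```

Only ws01 and srv01 produce findings. The other hosts each carry one of the same signals in isolation (an execution signal with a known destination, a first-seen destination without the Office parent, an archive without a meaningful transfer, or a match outside the window), which is exactly the point of the examples above: the individual actions may be benign, and the sequence is what creates confidence.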
Detection Design Questions
Before designing any detection, analysts must evaluate:
· What behavior is being identified
· What observable signal indicates that behavior
· What telemetry is required to detect it
· Whether a single event is sufficient or correlation is required
· What legitimate activity may appear similar
· Whether the detection should alert, enrich, correlate, or support hunting
This approach does not require investigation of all low-signal activity.
It prioritizes escalation based on correlated behavior, allowing analysts to reduce missed detections without increasing overall investigation volume.
What This Companion Does Not Provide
This document does not include:
· production-ready detection rules
· thresholds or tuning logic
· alert suppression strategies
· platform-specific implementations
· correlation timing or sequencing logic
These elements require environment-specific engineering and operational validation.
Practical Use of This Companion
This guide should be used to:
· support detection planning
· improve analyst reasoning
· identify telemetry gaps
· determine appropriate detection approaches
· distinguish between alertable and hunt-only behavior
It is not a replacement for detection engineering.
Strategic Value
Behavior-first detection mapping shifts the focus from:
Do we have an indicator for this activity?
to:
Would we observe this behavior if it occurred in this environment?
This results in more durable and effective detection coverage.
Final Principle
Indicators confirm what is already known.
Behavior reveals what attackers must do to succeed.
Behavior evolves more slowly than indicators and is constrained by the actions attackers must perform.
Detection strategies are most effective when they focus on behavior that cannot be easily changed.