Custom Detection Engineering

Enhance your threat visibility and response capabilities with bespoke detection rules and analytics, meticulously crafted by Kocho to fit your unique environment and security challenges.

Tailored Detections for Your Security Stack

Off-the-shelf detection rules provide a baseline, but true security resilience comes from detections tuned to your specific assets, threat landscape, and business context. We specialize in developing custom detections for leading security platforms:

Microsoft Sentinel: Leveraging Kusto Query Language (KQL) to build advanced analytic rules, scheduled queries, and hunting queries that identify sophisticated attack patterns and anomalous behaviors.
Microsoft Defender XDR: Creating custom detection rules within the Defender portal to flag specific activities across endpoints, identities, email, and cloud applications.
Sigma Rules: Developing and converting Sigma rules, a generic signature format for SIEM systems, allowing for portable and community-driven detection logic.
Log Analytics & Custom Data Sources: Ingesting and parsing custom log sources to build detections based on unique application logs or telemetry not covered by standard connectors.

Our Detection Engineering Process

We follow a structured approach to ensure our custom detections are effective, efficient, and maintainable:

Threat Modeling & Use Case Definition: Collaborating with your team to identify key threats, critical assets, and specific detection use cases relevant to your organization.
Data Source Analysis: Understanding available log sources and identifying gaps to ensure comprehensive coverage.
Rule Development & Testing: Iteratively developing and rigorously testing detection logic against historical data and simulated attacks to minimize false positives and maximize true positives.
Optimization & Performance Tuning: Ensuring detection queries are efficient and do not place undue load on your SIEM or security platforms.
Documentation & Knowledge Transfer: Providing clear documentation for each custom detection and offering training to your team for ongoing management and tuning.

Examples of Our Custom Detections

While default detections offer a starting point, Kocho's custom-engineered rules provide significantly higher fidelity by being tailored to your specific environment, threat model, and data sources. This means more relevant alerts, fewer false positives, and quicker identification of genuine threats. Below are just a few examples of the types of custom detections we build. We can create rules for virtually any log source you choose to ingest into your SIEM.

Detection Name	Description
KOCHO SECURITY - A new Lighthouse service provider was added	A service provider was added using Lighthouse.
KOCHO SECURITY - Azure VM Run Command or Custom Script execution detected	A user has either initiated a Azure VM Run Command or Custom Script execution.
KOCHO SECURITY - Suspicious Resource Deployment	This query looks for a few sensitive subscription-level events based on Azure Activity Logs.
KOCHO SECURITY - Unauthorised Azure Key Vault Secret Retrieval	Identifies unauthorised secret retrieval from Azure Key Vault.
KOCHO SECURITY - Google Drive Changes by None Document Owner	This rule looks for changes to a Google Drive file by someone other than the owner of the document.
KOCHO SECURITY - Activity from known suspicious user	Detects office activity from users listed on suspicious users list.
KOCHO SECURITY - File Downloaded and Written to USB	This rule searches for files downloaded from Office365 and then written to a removable USB drive.
KOCHO SECURITY - Malicious Mailbox Rules (BEC)	This rule searches for potentially malicious mailbox actions that could indicate email compromise.
KOCHO SECURITY - Rare Office operations by Risky Account	Identifies Office operations initated by risky admin accounts (AADRiskyUser).
KOCHO SECURITY - Service Accounts Performing Remote PS	The purpose behind this detection is for finding service accounts that are performing remote powershell sessions.
KOCHO SECURITY - Possible Remcos RAT Persistence	This rule looks for possible Remcos RAT persistence activity via registry key creation.
KOCHO SECURITY - Possible Remcos RAT Registry Activity	This rule looks for possible Remcos RAT persistence activity via disabling Windows notification centre and UAC.
KOCHO SECURITY - Bumblebee stings with ransomware - Injected process performing domain exploration activity	Look for processes injected by Cobalt Strike or Meterpreter named wab.exe, wabmig.exe, or ImagingDevices.exe.
KOCHO SECURITY - Bumblebee stings with ransomware - Living-off-the-land-binary technique for DLL execution	Looks for command line utilized for execution of rsp file which leads to execution of DLL using regsvr32.
KOCHO SECURITY - Bumblebee stings with ransomware - Malicious export functions in Bumblebee DLL	Look for command line which contains malicious export functions as listed in query: ("juwXYebIfE", "LeKGTMwkFQ", "dSjXqiVvQK", "SjVjlixjPb", "MDbJvVaNCR", "EPTsswwiRJ", "IternalJob", "YTBSBbNTWU", "AUjoZKdcSZ", "xshiMECwuG", "rBgTBiTTDW", "EUQtIMIQqE", "shjKeAQfgT", "zYKGjAgZov", "pGUAYVFxbN", "VcrbRMwpuk", "ZmJwfQQnqA", "zYKGjAgZov", "kXlNkCKgFC").
KOCHO SECURITY - CVE-2022-41040 & CVE-2022-41082 - Suspicious files in Exchange directories	Identifies potential ProxyNotShell attacks where suspicious files have been created by the Internet Information Service process on a Microsoft Exchange server.
KOCHO SECURITY - Local Admin Group Changes	This query searches for changes to the local administrators group.
KOCHO SECURITY - Potential unauthorised code executed from the browser	A user has executed code from one of the following locations: C:\, C:\Windows\System32\WindowsPowerShell\, C:\Windows\System32\cmd.exe, C:\Windows\System32\regedt32.exe, C:\Windows\SysWOW64\regedit.exe, \\C$\, \\SYSVOL.
KOCHO SECURITY - Windows Binaries Abused for Internal Network Enumeration	This rule will detect Windows binaries being abused to enumerate internal networks on certain ports like SMB and LDAP.
KOCHO SECURITY - Windows Binaries Abused for Malicious Web Requests	This rule will detect Windows binaries being abused to make web requests for downloading malware/exploits. Cobalt Strike typically utilises these techniques.
KOCHO SECURITY - Authentication Methods Added from Unmanaged Session	A rule to detect when new authentication methods are added to a user account from an unmanaged sign-in sessions.
KOCHO SECURITY - Potential VPN Usage from Unmanaged Device	Identifies VPN usage from unmanaged devices.
KOCHO SECURITY - SharePoint Activity from Unmanaged Session	This rule looks for Upload/Download operations in SharePoint from Unmanaged devices.
KOCHO SECURITY - Authentication Methods Changed for Privileged Account	Identifies authentication methods being changed for a privileged account.
KOCHO SECURITY - MFA Explicit Deny	Identifies explicit MFA denials.
KOCHO SECURITY - Multiple Password Reset by user	This query will determine multiple password resets for users via AuditLogs.
KOCHO SECURITY - Password reset on high privileged user	Identifies when the password of a user that is member of a high privileged role was reset.
KOCHO SECURITY - Dangerous API permission consented	One or more high priv API permission were granted to an application.
KOCHO SECURITY - Owner added to high privileged application	An owner was added to application holding high privileged API permissions.
KOCHO SECURITY - Secret added to high privileged application	A new secret was added to an high privileged application.
KOCHO SECURITY - Detect change to Conditional Access Policy	Detects any changes to Conditional Access Policies specifically outside of business hours or on weekends.
KOCHO SECURITY - Account Created from External Tenant	This query looks for an account being created from a domain that is not regularly seen in a tenant.
KOCHO SECURITY - Guest accounts added in Entra ID Groups other than the ones specified	This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.
KOCHO SECURITY - Guest Users Invited to Tenant by New Inviters	Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
KOCHO SECURITY - High Privileged Role assigned	A user was assigned a high privileged role.
KOCHO SECURITY - User added to Microsoft Entra ID Privileged Groups	This will alert when a user is added to any of the Privileged Groups.
KOCHO SECURITY - New User Assigned to Privileged Role	Identifies when a privileged role is assigned to a new user.
KOCHO SECURITY - Risky Identity Protection Event	This rule is designed to create an incident based on medium and high severity identity protection risky events - this is to replace traditional rules such as impossible travel.
KOCHO SECURITY - Entra User Risk Event	This rule is designed to create an incident based on medium and high severity identity protection risky events - this is to replace traditional rules such as impossible travel.
KOCHO SECURITY - TI Map IP Entity to DeviceNetworkEvents	Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.
KOCHO SECURITY - TI Map IP Entity to SigninLogs	This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
KOCHO SECURITY - Non Domain Controller Active Directory Replication	This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).
KOCHO SECURITY - Security Event Log Cleared	Queries for events with Event ID 1102, which indicates that event logs have been cleared on monitored systems.
KOCHO SECURITY - User account added to built in domain local or global group	Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins.

This is a sample list. Our full library is extensive and constantly evolving to counter new threats.

Benefits of Custom Detection Engineering

Reduced False Positives: Detections tailored to your environment are less likely to trigger on benign activity.
Early Detection of Targeted Attacks: Identify threats that generic rules might miss by focusing on indicators specific to your organization.
Improved Alert Prioritization: Custom detections can be assigned appropriate severity levels based on their relevance to your business.
Enhanced Threat Hunting: Provide your security analysts with powerful, targeted queries for proactive threat hunting.
Compliance & Regulatory Alignment: Develop detections to meet specific compliance requirements and monitor for policy violations.

Let Kocho empower your security team with custom detections that provide true insight and actionable intelligence.