Threat Detection

Threat Detection refers to the process of identifying, monitoring, and analyzing potential security threats, vulnerabilities, and risks within computing environments. It requires a comprehensive understanding of the system or environment being protected, as well as knowledge of the latest security threats and attack techniques. This makes it a crucial component of any comprehensive security strategy, helping to safeguard critical assets and information.

Our real-time threat detection system leverages the capabilities of the thatDot Streaming Graph platform, which includes both Quine Enterprise and Novelty Detector. The thatDot platform performs real-time graph ETL on event streams. We have created two systems (Rule-based and Novelty-based) built on top of the Streaming Graph that work together to provide a multilayered and thorough approach to Threat Detection. Infrastructure logs (or any other logs) from the onboarded account are streamed to both the Rule-based and Anomaly-based systems: the first evaluates rules against the data and the second scores events for novelty, and both flag threat-like behavior.

The first detection system is the Rule-based system. This system uses rules to query the Streaming Graph after every event to see if any of the rules were violated. We provide customers with a pre-configured set of rules based on industry standards such as MITRE ATT&CK. Customers can customize this system by adding their own rules or editing existing rules from our ruleset. Like all rule-based systems, this one has pros and cons. Rules allow customers to efficiently catch known bad behavior, but cyberattacks may not follow a known pattern, leaving an opening for attackers to exploit.

The second detection system addresses the above problem by looking for anomalies in behavior; it is built on top of the Novelty Detector from thatDot. This system performs real-time anomaly detection on categorical data. Once training is complete, this system scores every new event between 0 and 1 based on how unique the event is in the customer's environment. Many different variations of bad behavior can be caught using this system, such as Data Exfiltration, Insider Threats, Stolen Credentials, etc. Streaming Graph-based anomaly detection has an advantage over a Machine Learning approach because Machine Learning approaches are limited by the type of labeled data available for training the ML model.
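As an added illustration of how the two layers complement each other, the following example is not thatDot, Quine or Novelty Detector code: it streams constructed CloudTrail-style events through hypothetical rule predicates and a simplified frequency-based novelty score (an assumption standing in for the real categorical scoring), flagging anything that violates a rule or scores 0.9 or higher.

```python
from collections import Counter

# Constructed CloudTrail-style events (not real data); 'mfa' is a simplified
# stand-in for the MFA fields CloudTrail records under additionalEventData.
def ev(user, name, ip, region, mfa=True):
    return {"userIdentity": user, "eventName": name, "sourceIPAddress": ip,
            "awsRegion": region, "mfa": mfa}

BASELINE = [ev("alice", "DescribeInstances", "10.0.0.5", "us-east-1")] * 10
NEW_EVENTS = [
    ev("alice", "DescribeInstances", "10.0.0.5", "us-east-1"),          # routine
    ev("alice", "GetObject", "198.51.100.9", "eu-west-1"),              # novel, no rule
    ev("root", "ConsoleLogin", "203.0.113.7", "us-east-1", mfa=False),  # rule hit and novel
]

# Hypothetical rules in the spirit of a pre-configured ruleset; each predicate
# is evaluated against every event as it arrives.
RULES = {
    "RootConsoleLoginWithoutMFA": lambda e: e["userIdentity"] == "root"
        and e["eventName"] == "ConsoleLogin" and not e["mfa"],
    "CloudTrailLoggingStopped": lambda e: e["eventName"] in ("StopLogging", "DeleteTrail"),
}

def evaluate_rules(event):
    return [name for name, pred in RULES.items() if pred(event)]

class NoveltyScorer:
    """Assumption: a frequency-based stand-in for categorical novelty scoring.
    Score = 1 minus the relative frequency of the event's field combination, so
    never-seen combinations score 1.0 and routine ones approach 0."""
    def __init__(self, fields):
        self.fields, self.seen, self.total = fields, Counter(), 0

    def key(self, e):
        return tuple(e.get(f) for f in self.fields)

    def observe(self, e):
        self.seen[self.key(e)] += 1
        self.total += 1

    def score(self, e):
        s = (1.0 - self.seen[self.key(e)] / self.total) if self.total else 1.0
        self.observe(e)  # streaming: the scored event joins the history
        return s

def detect(events, train_count, threshold=0.9):
    """Train on the first train_count events, then flag rule hits or scores >= threshold."""
    scorer = NoveltyScorer(["userIdentity", "eventName", "sourceIPAddress", "awsRegion"])
    for e in events[:train_count]:
        scorer.observe(e)
    findings = []
    for e in events[train_count:]:
        violated, s = evaluate_rules(e), scorer.score(e)
        if violated or s >= threshold:
            findings.append((e["eventName"], round(s, 3), violated))
    return findings
```

Note that the GetObject event matches no rule and is caught only by its novelty score, while the root login is caught by both layers.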

Implementing Threat Detection in AWS Cloud:

Prerequisites:

  • To use threat detection, you need to provide S3 read-only access for the credentials used to connect your account.
  • Your account must have 62 days of logs stored for successful onboarding.

Getting started:

1. To get started, go to the threat detection page and click on the '+ Connect Account' button.

2. Follow these steps to connect your account:

  • Enter your CloudTrail name, which can be found under CloudTrail's Dashboard or Trails page.
  • Select the 'CloudTrail Home Region' from the CloudTrail's Trails page for the corresponding CloudTrail name.
  • Select the 'Logs S3 Bucket Region' from the Properties tab in the 'S3 bucket' link for the corresponding CloudTrail.
  • Choose the region you want to scan as the 'Threat Detection Scan Region'. Threat detection can be enabled for multiple regions on the connected account.

Detected Threats:

The Detected Threats page displays information on events flagged as anomalies in the account's activity, providing valuable insights and detailed metadata for suspicious activities.
It has three tabs:

1. Highest Score Observation:

Under the 'Highest Score Observation' tab, a graph tracks the streaming threat score over time, with a range from 0 to 1. A higher score indicates a more novel event. Events with a score of 0.9 or higher are considered unusual activity and may indicate a threat or attack on the account. The left side of the page contains cards with metadata on the latest high-scoring events.

Users can click on the plotted dots in the graph to view the associated metadata.

2. Rule Violations

The Rule Violations tab displays the most recent events flagged by the security rules evaluated by the Quine Streaming Graph.

By clicking on the Trace option on each event card, users can access a historical and future timeline of events associated with the rule violation. This trace feature provides valuable insights into the flagged suspicious activity, displayed in a time-series format progressing from top to bottom. Users can click on each card in the trace to view detailed metadata.

3. Threat Detection Rules

The Threat Detection Rules tab provides a list of rules and their descriptions, helping users understand the rules being evaluated against the streaming data.

Threat Detection Map:

The Threat Detection Map offers users graphical insights into their account's data by running queries selected from a drop-down menu. The resulting graph displays nodes and edges, with nodes labeled according to the type of entity they represent and edges indicating the direction and relationship between connected nodes.

Users can hover over a node to view metadata in a pop-up card, and double-click on a particular node to trace related events and gain deeper insights into their data.