The Limitations of Traditional Detections
Traditional detections are rule-based: if X happens, alert. This works well for known threats but has limitations:
Rigid Logic
Rules only catch exactly what you specify. Attackers evade them with slight variations (a renamed binary, a different command-line flag).
High Maintenance
Rules require constant tuning as environments and threats evolve.
Context-Blind
Rules can’t consider broader context like user behavior patterns or organizational norms.
Signature-Dependent
Rules need known indicators. Novel attacks slip through.
How Pattern-Based Detection Works
Instead of writing rules, you deploy scheduled agents that:
1. Observe Behavior
The agent queries your security tools to observe activity:
- User login patterns
- Process execution on endpoints
- Network communication
- Cloud resource access
- Email behaviors
2. Analyze Context
The agent analyzes each observation with full context:
- Historical baselines for this user/host
- Peer behavior (similar roles/departments)
- Threat intelligence
- Organizational policies
- Time-of-day and day-of-week patterns
3. Identify Anomalies
The agent flags suspicious patterns:
- Deviations from normal behavior
- Unusual combinations of activities
- Timing anomalies
- Access to unexpected resources
4. Create Alerts
The agent generates alerts with rich context:
- What’s anomalous and why
- Supporting evidence
- Risk assessment
- Recommended response actions
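The four stages above, worked through as an added example (this is not code from the original page or from the agent platform it describes): a small Python script builds per-user and peer-group baselines from constructed login history, suppresses expected activity using an org chart and a maintenance-window list, scores each event in the latest window, and emits alerts with reasons, evidence, a risk level and a recommended action. The event fields, departments, maintenance window, point values and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Context documents reduced to two small tables (constructed for this example).
ORG_CHART = {"alice": "finance", "bob": "finance", "carol": "finance",
             "dave": "engineering"}
# Approved maintenance windows as (resource, start, end) in UTC.
MAINTENANCE = [("ci-server",
                datetime(2024, 5, 18, 2, tzinfo=timezone.utc),
                datetime(2024, 5, 18, 5, tzinfo=timezone.utc))]


def ev(day, hour, user, country, resource):
    """Build one login/access event (field names are assumptions, not a SIEM schema)."""
    return {"ts": datetime(2024, 5, day, hour, tzinfo=timezone.utc),
            "user": user, "country": country, "resource": resource}


# 1. Observe: two weeks of history for baselines, plus the latest 6-hour window.
HISTORY = (
    [ev(d, h, "alice", "US", "erp") for d in range(1, 15) for h in (9, 13, 17)]
    + [ev(d, h, "bob", c, "erp") for d in range(1, 15) for h, c in ((10, "US"), (11, "GB"))]
    + [ev(d, 9, "carol", "US", "erp") for d in range(1, 15)]
    + [ev(d, 3, "dave", "US", "ci-server") for d in range(1, 15)]  # on-call engineer
)
WINDOW = [
    ev(18, 9, "alice", "US", "erp"),         # routine
    ev(18, 22, "alice", "GB", "erp"),        # late, from a country only a peer uses
    ev(18, 23, "carol", "BR", "ci-server"),  # late, new country, new resource
    ev(18, 3, "bob", "US", "ci-server"),     # new resource, but inside a maintenance window
    ev(18, 3, "dave", "US", "ci-server"),    # routine for this user
]


def build_baselines(events):
    """2. Context: per-user sets of seen login hours, source countries and resources."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set()})
    for e in events:
        base[e["user"]]["hours"].add(e["ts"].hour)
        base[e["user"]]["countries"].add(e["country"])
        base[e["user"]]["resources"].add(e["resource"])
    return base


def peer_baseline(user, baselines):
    """Union of the baselines of everyone else in the user's department."""
    merged = {"hours": set(), "countries": set(), "resources": set()}
    for other, b in baselines.items():
        if other != user and ORG_CHART.get(other) == ORG_CHART.get(user):
            for key in merged:
                merged[key] |= b[key]
    return merged


def in_maintenance(e):
    """Access to a resource inside its approved window is expected, whatever the hour."""
    return any(r == e["resource"] and s <= e["ts"] <= t for r, s, t in MAINTENANCE)


def near(hour, hours):
    """Within one hour of any baseline hour, wrapping around midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in hours)


def analyze(e, baselines):
    """3. Anomalies: score one event against its own and its peers' baselines."""
    mine, peers = baselines[e["user"]], peer_baseline(e["user"], baselines)
    findings = []
    maint = in_maintenance(e)
    if not maint and not near(e["ts"].hour, mine["hours"]):
        pts = 1 if near(e["ts"].hour, peers["hours"]) else 2
        findings.append((f"login at {e['ts']:%H:%M} UTC, outside usual hours {sorted(mine['hours'])}", pts))
    if e["country"] not in mine["countries"]:
        pts = 1 if e["country"] in peers["countries"] else 3
        findings.append((f"first login from {e['country']}" + (" (seen for peers)" if pts == 1 else " (unseen for peers too)"), pts))
    if not maint and e["resource"] not in mine["resources"]:
        pts = 1 if e["resource"] in peers["resources"] else 3
        findings.append((f"first access to {e['resource']}" + (" (peers use it)" if pts == 1 else " (peers do not use it)"), pts))
    if len(findings) >= 2:  # unusual combination of individually mild signals
        findings.append(("several deviations in one event", 2))
    return sum(p for _, p in findings), [r for r, _ in findings]


ACTIONS = {"high": "open incident, reset credentials, review session activity",
           "medium": "create ticket for analyst review"}


def create_alerts(window, history, threshold=3):
    """4. Alerts: findings with evidence, risk and a recommended action."""
    baselines = build_baselines(history)
    alerts = []
    for e in window:
        score, reasons = analyze(e, baselines)
        if score >= threshold:
            risk = "high" if score >= 6 else "medium"
            alerts.append({"user": e["user"], "risk": risk, "score": score,
                           "reasons": reasons, "evidence": e, "action": ACTIONS[risk]})
    return alerts


if __name__ == "__main__":
    for a in create_alerts(WINDOW, HISTORY):
        print(a["risk"].upper(), a["user"], a["score"], "|", "; ".join(a["reasons"]), "|", a["action"])
```

Run as written, the script raises a medium alert for alice (late login from a country only a colleague uses) and a high alert for carol (late login, new country and a resource nobody in finance uses), while bob's maintenance-window access and dave's routine night shift produce nothing. In a real deployment the agent would fetch the history and window from the SIEM and take the org chart and maintenance list from the context documents described in the next section; the scoring here is deliberately simple and transparent so an analyst can read why each alert fired.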
Creating a Pattern-Based Detection Agent
1. Define the Behavior to Monitor
Decide what suspicious patterns you want to detect:
- User behavior anomalies
- Resource access patterns
- Configuration drift
- Communication anomalies
2. Determine Schedule
How often should the agent run?
- Hourly: For active monitoring
- Daily: For broader pattern analysis
- Weekly: For trend analysis and reporting
3. Create the Agent
Navigate to Agents > Create Agent and configure:
- Name: “User Behavior Anomaly Detection”
- Type: Scheduled (Cron)
- Schedule: “0 */6 * * *” (every 6 hours; have the agent query at least the last 6 hours of data so no activity falls between runs)
- Tools: Grant access to relevant tools (SIEM, EDR, etc.), limited to read-only queries unless the agent is meant to take response actions
4. Write the System Prompt
Write a detailed prompt explaining:
- What to look for (specific patterns)
- What context to consider (baselines, peer behavior)
- What to ignore (known false positives)
- How to format output (alerts, tickets, reports)
See the guide on writing effective system prompts.
5. Add Context Documents
Provide reference material:
- List of known false positives
- IT asset inventory (to understand normal software)
- Org chart (to understand peer groups and reporting relationships)
- Approved maintenance windows
6. Configure Actions
Define what the agent should do when it finds anomalies:
- Create Jira tickets
- Send Slack notifications
- Update a detection dashboard
- Quarantine/isolate automatically (for high-confidence threats only; keep this disabled until the agent's precision has been measured, and limit it to an explicit set of hosts or users it may act on)
7. Test & Deploy
Test the agent manually in Builder before enabling the schedule:
- Run against recent data
- Verify it identifies known suspicious patterns
- Check that it doesn’t over-alert
- Review output format and quality
8. Monitor & Tune
After deployment:
- Review agent findings daily for the first week
- Provide feedback on true positives vs. false positives
- Add new false positive filters to context docs
- Adjust schedule if needed (more/less frequent)
See the Creating Agents guide for a detailed walkthrough of agent creation.
Combining Rule-Based and Pattern-Based Detection
The most effective detection strategy combines both approaches.
Rule-Based Detection
Best for:
- Known threat techniques
- High-confidence indicators
- Real-time alerting
- Compliance requirements
Examples:
- Detect PsExec execution
- Alert on failed login thresholds
- Monitor for specific malware signatures
Best Practice: Use rule-based detections for known threats requiring immediate response. Use pattern-based agents to hunt for novel threats and behavioral anomalies that evade signatures.
Tips for Effective Pattern-Based Detection
Start Broad, Then Focus: Begin with wide behavioral monitoring. As you identify common patterns, refine the agent to focus on high-value anomalies.
Provide Context Documents: Give the agent reference material like org charts, asset inventories, and known FP lists to improve accuracy.
Review Findings Regularly: Especially in the first few weeks, review agent findings to understand what patterns it’s identifying.
Enable Memories: Let agents store known false positive patterns and baselines for more consistent detection.
Combine with Rules: Use pattern-based detection to supplement, not replace, traditional detections.
Frequently Asked Questions
Won't this generate too many alerts?
You control alert volume by:
- Specifying confidence thresholds in the prompt
- Defining what constitutes “suspicious” clearly
- Providing exclusion lists for known benign patterns
- Choosing output destinations (tickets vs. notifications)
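The alert-volume controls in this answer, together with the Configure Actions and Monitor & Tune steps above, as an added example (not the page's or the platform's own code): a Python post-processor that takes the findings one run produced, drops known false positives listed in a context document, deduplicates repeated findings, applies confidence thresholds to pick a destination, keeps automatic isolation behind an explicit switch and a pattern allowlist, and turns an analyst's false-positive verdict into a new exclusion entry. The finding fields, threshold values, destination names and exclusion-list format are assumptions.

```python
from collections import Counter

# Known-false-positive list as it might live in a context document (constructed).
# "*" matches any user; an optional "resource" narrows the match.
KNOWN_FALSE_POSITIVES = [
    {"user": "svc-backup", "pattern": "off_hours_login",
     "reason": "nightly backup job authenticates at 02:00"},
    {"user": "*", "pattern": "new_resource", "resource": "wiki",
     "reason": "company wiki is open to all staff"},
]

# Minimum confidence per destination (assumed values, tuned per environment).
THRESHOLDS = {"dashboard": 0.3, "slack": 0.6, "jira": 0.8, "isolate": 0.95}
# Automatic containment is only ever considered for these patterns.
ISOLATABLE_PATTERNS = {"malware_execution", "credential_dumping"}

# Findings as the agent might emit them after one run (constructed).
FINDINGS = [
    {"user": "svc-backup", "pattern": "off_hours_login", "confidence": 0.70},
    {"user": "alice", "pattern": "new_country_login", "confidence": 0.85},
    {"user": "alice", "pattern": "new_country_login", "confidence": 0.60},  # duplicate
    {"user": "bob", "pattern": "new_resource", "resource": "wiki", "confidence": 0.90},
    {"user": "carol", "pattern": "credential_dumping", "confidence": 0.97},
    {"user": "dave", "pattern": "off_hours_login", "confidence": 0.50},
    {"user": "erin", "pattern": "new_resource", "resource": "hr-db", "confidence": 0.65},
    {"user": "frank", "pattern": "unusual_process", "confidence": 0.20},
]


def matches_exclusion(finding, exclusions):
    """True when a context-document entry covers this user/pattern (and resource)."""
    for x in exclusions:
        if x["pattern"] != finding["pattern"]:
            continue
        if x["user"] not in ("*", finding["user"]):
            continue
        if "resource" in x and x["resource"] != finding.get("resource"):
            continue
        return True
    return False


def route(finding, exclusions, auto_isolate=False):
    """Pick one destination; 'suppressed' means the finding produces no output."""
    if matches_exclusion(finding, exclusions):
        return "suppressed"
    c = finding["confidence"]
    if c < THRESHOLDS["dashboard"]:
        return "suppressed"  # below the confidence floor stated in the prompt
    if (auto_isolate and c >= THRESHOLDS["isolate"]
            and finding["pattern"] in ISOLATABLE_PATTERNS):
        return "isolate"  # high-confidence threat and automation switched on
    if c >= THRESHOLDS["jira"]:
        return "jira"
    if c >= THRESHOLDS["slack"]:
        return "slack"
    return "dashboard"


def dedupe(findings):
    """One finding per (user, pattern) per run; keep the most confident one."""
    best = {}
    for f in findings:
        key = (f["user"], f["pattern"])
        if key not in best or f["confidence"] > best[key]["confidence"]:
            best[key] = f
    return list(best.values())


def process_run(findings, exclusions, auto_isolate=False):
    """Route a whole run and count what went where (the over-alerting check)."""
    routed = [(f, route(f, exclusions, auto_isolate)) for f in dedupe(findings)]
    return routed, Counter(dest for _, dest in routed)


def add_exclusion(finding, exclusions, reason):
    """Tuning step: an analyst marked a finding benign, so extend the context doc."""
    entry = {"user": finding["user"], "pattern": finding["pattern"], "reason": reason}
    if "resource" in finding:
        entry["resource"] = finding["resource"]
    return exclusions + [entry]


if __name__ == "__main__":
    routed, counts = process_run(FINDINGS, KNOWN_FALSE_POSITIVES)
    for f, dest in routed:
        print(f"{dest:10} {f['user']:10} {f['pattern']} ({f['confidence']:.2f})")
    print(dict(counts))
```

Of the eight constructed findings, three are suppressed (two by the exclusion list, one below the confidence floor), one duplicate is folded away, and the rest land on the dashboard, in Slack or in Jira according to confidence; carol's credential-dumping finding only becomes an isolation action when `auto_isolate=True` is passed explicitly. The counts returned by `process_run` are what you would watch during the first week of tuning, and `add_exclusion` is the feedback path that grows the false-positive list without touching the prompt.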
How is this different from UEBA tools?
UEBA tools use statistical models and machine learning to detect anomalies. Pattern-based detection agents use LLMs to reason about the activity in context.
Benefits of the agent-based approach:
- Explains why something is suspicious, not just that it is a statistical outlier
- Adapts to new threat patterns without retraining models
- Incorporates organizational context (roles, policies, maintenance windows)
- You control the logic via prompts and context documents you can read, review and version, rather than opaque model parameters
Can I use this for compliance monitoring?
Yes! Deploy agents to monitor for:
- Policy violations (unauthorized access)
- Compliance drift (configuration changes)
- Audit requirements (privileged user monitoring)
How do I measure success?
Track these metrics:
- Detection Rate: Confirmed incidents the agent caught vs. those it missed
- False Positive Rate: Share of agent findings that analysts close as benign
- Time to Detect: How quickly agent identifies suspicious activity
- Investigation Time: How long it takes analysts to act on agent findings
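The four metrics computed over constructed incident and triage records, as an added example that is not from the page: the one decision that matters is what counts as "caught", taken here to be a true-positive finding for the same user that cites an event inside the incident's time window. The record fields and that definition are assumptions.

```python
from datetime import datetime
from statistics import median


def t(s):
    return datetime.fromisoformat(s)


# Incidents the IR team confirmed during the review period (constructed).
INCIDENTS = [
    {"id": "INC-1", "user": "alice", "started": t("2024-05-18T03:10"), "ended": t("2024-05-18T06:00")},
    {"id": "INC-2", "user": "carol", "started": t("2024-05-19T22:00"), "ended": t("2024-05-20T01:00")},
    {"id": "INC-3", "user": "erin", "started": t("2024-05-21T12:00"), "ended": t("2024-05-21T13:00")},
]

# Agent findings with analyst triage (constructed). "event_time" is the earliest
# event the finding cites, "created" when the run emitted it, "acted_at" when an
# analyst closed it as true positive (tp) or false positive (fp).
FINDINGS = [
    {"user": "alice", "created": t("2024-05-18T06:00"), "event_time": t("2024-05-18T03:10"),
     "acted_at": t("2024-05-18T07:30"), "triage": "tp"},
    {"user": "carol", "created": t("2024-05-20T00:00"), "event_time": t("2024-05-19T22:00"),
     "acted_at": t("2024-05-20T00:45"), "triage": "tp"},
    {"user": "bob", "created": t("2024-05-20T06:00"), "event_time": t("2024-05-20T05:00"),
     "acted_at": t("2024-05-20T09:00"), "triage": "fp"},
    {"user": "dave", "created": t("2024-05-21T12:00"), "event_time": t("2024-05-21T09:00"),
     "acted_at": t("2024-05-21T12:20"), "triage": "fp"},
]


def caught_by(incident, findings):
    """True-positive findings for the incident's user citing an event inside its window."""
    return [f for f in findings
            if f["triage"] == "tp" and f["user"] == incident["user"]
            and incident["started"] <= f["event_time"] <= incident["ended"]]


def minutes(delta):
    return delta.total_seconds() / 60


def metrics(incidents, findings):
    """Detection rate, false-positive rate, time to detect and investigation time."""
    missed = [i["id"] for i in incidents if not caught_by(i, findings)]
    tps = [f for f in findings if f["triage"] == "tp"]
    fps = [f for f in findings if f["triage"] == "fp"]
    return {
        "detection_rate": (len(incidents) - len(missed)) / len(incidents),
        "missed_incidents": missed,
        "false_positive_rate": len(fps) / len(findings),
        # how long after the first cited event the agent raised the finding
        "median_time_to_detect_min": median(minutes(f["created"] - f["event_time"]) for f in tps),
        # how long findings waited for an analyst verdict, true and false positives alike
        "median_investigation_min": median(minutes(f["acted_at"] - f["created"]) for f in findings),
    }


if __name__ == "__main__":
    for name, value in metrics(INCIDENTS, FINDINGS).items():
        print(f"{name}: {value}")
```

On these records the agent caught two of three incidents (INC-3 had no finding at all), half of its findings were false positives, and the median time to detect was 145 minutes. Time to detect can never be shorter than the gap between scheduled runs, so if that number sits close to the schedule interval the fix is in step 2 of the agent setup (run more often), not in the prompt.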