Threat Detection
Understand how CastellanAI identifies and prioritizes security threats across your organization.
Overview
CastellanAI uses multiple detection methods to identify threats, including rule-based detection with MITRE ATT&CK mappings, AI-powered analysis, threat intelligence databases, and behavioral patterns. Detected threats appear in the Security Events page with severity ratings and recommended actions.
How Threats Are Detected
Multi-Layer Detection
CastellanAI uses several detection methods simultaneously:
| Method | What It Detects |
|---|---|
| Rule-Based Detection | Windows Event Log patterns mapped to specific attack techniques |
| Behavioral Analysis | Burst activity, correlated events, anomalous behavior patterns |
| Signature Matching | Known malware families via YARA rules |
| AI Analysis | Novel threats, attack sequences, subtle indicators |
| Threat Intelligence | Known malware, suspicious file hashes, malicious indicators |
Detection Rule Categories
CastellanAI monitors for these security event types:
| Category | Description |
|---|---|
| Authentication | Login successes/failures, brute force attempts |
| Privilege Escalation | Unauthorized elevation of user privileges |
| Process Creation | Suspicious process execution and command lines |
| Service Installation | New services installed (potential persistence) |
| Scheduled Tasks | Task scheduling for persistence or execution |
| Account Management | User/group creation, modification, deletion |
| Security Policy Changes | Audit policy and security setting modifications |
| Network Events | Suspicious network connections and traffic |
| PowerShell Execution | Script execution and encoded commands |
MITRE ATT&CK Mapping
Each detection rule maps to specific MITRE ATT&CK techniques. For example:
- Event 4625 (Failed logon) → T1110 (Brute Force)
- Event 4672 (Special privileges) → T1078 (Valid Accounts)
- Event 7045 (Service installed) → T1543.003 (Windows Service)
- Event 4698 (Scheduled task created) → T1053.005 (Scheduled Task)
See MITRE ATT&CK for the complete framework mapping.
Threat Intelligence Sources
CastellanAI integrates with leading threat intelligence services:
| Source | Coverage |
|---|---|
| VirusTotal | 70+ antivirus engine results for file hash lookups |
| MalwareBazaar | Known malware samples and indicators database |
| AlienVault OTX | Community threat intelligence and IOCs |
Threat intelligence is automatically enabled for all subscription tiers. No configuration required.
Behavioral Analysis
CastellanAI performs advanced behavioral analysis:
| Analysis Type | What It Detects |
|---|---|
| Burst Activity | High volume of events in a short time (potential attack in progress) |
| Correlation | Related events across systems indicating coordinated activity |
| Anomaly Detection | Deviations from baseline behavior patterns |
Events flagged by behavioral analysis show additional scores:
- Correlation Score - How strongly events are related
- Burst Score - Intensity of activity spike
- Anomaly Score - Deviation from normal patterns
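To make the three behavioral scores concrete, here is an added example (not CastellanAI's own code, whose scoring formulas the page does not describe) that computes illustrative burst, correlation and anomaly scores over a constructed one-minute window of Windows Security events against a constructed per-minute baseline. The formulas, the saturation and cap parameters, the 10-second link window and all sample data are assumptions made for the demonstration.

```python
"""Added example, not CastellanAI's code: illustrative implementations of the
three behavioral scores the page names (burst, correlation, anomaly). The
formulas, thresholds and sample data below are constructed assumptions; the
product's real scoring is not described on the page."""
from statistics import mean, pstdev

# Constructed baseline: event counts per minute seen during normal operation.
BASELINE_PER_MINUTE = [3, 4, 2, 5, 3, 4, 3, 4, 2, 3]

# Constructed current 60-second window: (offset_seconds, event_id, host).
WINDOW_EVENTS = [
    (0, 4625, "WS01"), (2, 4625, "WS01"), (4, 4625, "WS01"), (6, 4625, "WS02"),
    (8, 4625, "WS02"), (10, 4625, "WS03"), (12, 4672, "WS01"), (14, 7045, "WS01"),
    (20, 4625, "WS03"), (25, 4625, "WS04"), (30, 4625, "WS04"), (40, 4698, "WS02"),
]


def burst_score(window_events, baseline, saturate_at=5.0):
    """Intensity of an activity spike, 0-100: how far the window's event count
    exceeds the baseline mean, reaching 100 at `saturate_at` times the mean."""
    ratio = len(window_events) / mean(baseline)
    score = (ratio - 1.0) / (saturate_at - 1.0) * 100.0
    return round(min(100.0, max(0.0, score)), 1)


def anomaly_score(window_events, baseline, z_cap=5.0):
    """Deviation from baseline, 0-100: absolute z-score of the window's count
    against the baseline distribution, capped at `z_cap` standard deviations.
    Drops in volume count too (a host that stops logging is also anomalous)."""
    count = len(window_events)
    base_mean, base_sd = mean(baseline), pstdev(baseline)
    if base_sd == 0:  # flat baseline: any change at all is fully anomalous
        return 100.0 if count != base_mean else 0.0
    z = abs(count - base_mean) / base_sd
    return round(min(100.0, z / z_cap * 100.0), 1)


def correlation_score(window_events, link_seconds=10):
    """How strongly events are related, 0-100: share of events that have a
    same-type event on a *different* host within `link_seconds`, which is the
    shape coordinated activity across systems takes."""
    if not window_events:
        return 0.0
    linked = 0
    for ts, event_id, host in window_events:
        if any(
            other_id == event_id and other_host != host and abs(other_ts - ts) <= link_seconds
            for other_ts, other_id, other_host in window_events
        ):
            linked += 1
    return round(linked / len(window_events) * 100.0, 1)


def behavioral_scores(window_events, baseline):
    """Bundle the three scores the way an event detail view would list them."""
    return {
        "burst": burst_score(window_events, baseline),
        "correlation": correlation_score(window_events),
        "anomaly": anomaly_score(window_events, baseline),
    }


if __name__ == "__main__":
    print(behavioral_scores(WINDOW_EVENTS, BASELINE_PER_MINUTE))
```

On the constructed window the burst score lands around 66 (12 events against a baseline mean of 3.3), the anomaly score saturates at 100 (almost ten standard deviations above baseline), and the correlation score is 75 because nine of the twelve events have a same-type event on another host within ten seconds; the three lone 4672, 7045 and 4698 events are the ones with no cross-host partner. A window holding only the first three events, all failed logons on one host, scores 0 on burst and correlation and stays in single digits on anomaly, which is the shape an ordinary typo-driven logon failure takes.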
Understanding Threat Severity
When a threat is detected, CastellanAI assigns a severity level:
| Severity | Risk Score | Action Required |
|---|---|---|
| Critical | 90-100 | Immediate investigation needed |
| High | 70-89 | Investigate within 4 hours |
| Medium | 40-69 | Review within 24 hours |
| Low | 1-39 | Monitor for patterns |
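The following added example (not CastellanAI's code) ties the MITRE ATT&CK mapping section above to this severity table: a minimal rule-based detector applies the page's four Event ID to technique mappings to a constructed stream of Windows Security events, escalates a run of failed logons for one account as T1110 (Brute Force), and converts each risk score into the severity band from the table. The per-rule base scores, the repeated-failure threshold and window, and the sample events are all constructed assumptions, not the product's real rule definitions.

```python
"""Added example, not CastellanAI's code: a minimal rule-based detector that
applies the page's four Event ID -> MITRE ATT&CK mappings to sample Windows
Security events and assigns the page's severity bands from a risk score.
The per-rule base scores, the repeated-failure threshold and the sample
events are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    event_id: int
    name: str
    technique: str   # MITRE ATT&CK technique ID from the page's mapping
    base_score: int  # constructed: illustrative risk score when the rule fires


# The four mappings listed on the page; base scores are assumptions.
RULES = {
    4625: Rule(4625, "Failed logon", "T1110", 30),
    4672: Rule(4672, "Special privileges assigned", "T1078", 45),
    7045: Rule(7045, "Service installed", "T1543.003", 75),
    4698: Rule(4698, "Scheduled task created", "T1053.005", 70),
}

# Constructed assumptions for escalating a run of failed logons (T1110):
FAILED_LOGON_THRESHOLD = 5   # failures for one account ...
FAILED_LOGON_WINDOW = 60     # ... within this many seconds
FAILED_LOGON_BONUS = 60      # added to the base score once the run is detected

# Constructed sample events: (timestamp_seconds, event_id, host, account)
SAMPLE_EVENTS = [
    (0, 4625, "WS01", "alice"), (5, 4625, "WS01", "alice"),
    (9, 4625, "WS01", "alice"), (12, 4625, "WS01", "alice"),
    (15, 4625, "WS01", "alice"), (20, 4672, "WS01", "alice"),
    (60, 7045, "WS01", "SYSTEM"), (900, 4625, "WS02", "bob"),
    (905, 4720, "WS02", "bob"),  # no rule for 4720 in this example
]


def severity_for(risk_score):
    """Severity band from the page's table: Critical 90-100, High 70-89,
    Medium 40-69, Low 1-39. Scores outside 1-100 are rejected."""
    if not 1 <= risk_score <= 100:
        raise ValueError(f"risk score out of range: {risk_score}")
    if risk_score >= 90:
        return "Critical"
    if risk_score >= 70:
        return "High"
    if risk_score >= 40:
        return "Medium"
    return "Low"


def detect(events, rules=RULES):
    """Match each event against the rule table and return one detection per hit,
    escalating the score when repeated 4625s for one account reach the threshold."""
    detections = []
    failures = defaultdict(list)  # account -> timestamps of recent 4625 events
    for ts, event_id, host, account in sorted(events):
        rule = rules.get(event_id)
        if rule is None:
            continue  # no detection rule for this Event ID
        score = rule.base_score
        if event_id == 4625:
            recent = [t for t in failures[account] if ts - t <= FAILED_LOGON_WINDOW]
            recent.append(ts)
            failures[account] = recent
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                score = min(100, score + FAILED_LOGON_BONUS)
        detections.append({
            "timestamp": ts, "host": host, "account": account,
            "event_id": event_id, "rule": rule.name,
            "technique": rule.technique, "risk_score": score,
            "severity": severity_for(score),
        })
    return detections


def highest_severity(detections):
    """Worst band among the detections, the one a summary card would highlight."""
    order = ["Low", "Medium", "High", "Critical"]
    return max((d["severity"] for d in detections), key=order.index, default=None)


if __name__ == "__main__":
    for d in detect(SAMPLE_EVENTS):
        print(f'{d["timestamp"]:>4}s {d["host"]} {d["account"]:<7} {d["event_id"]} '
              f'{d["technique"]:<10} {d["risk_score"]:>3} {d["severity"]}')
```

Running it shows the point of the escalation: the first four failed logons for `alice` each score 30 (Low), the fifth within the window jumps to 90 (Critical), the 4672 that follows is Medium, the 7045 service installation is High on its own, and `bob`'s single failure on another host stays Low. The 4720 event produces no detection because the example rule table has no entry for it, which mirrors how a disabled or missing rule behaves on the Detection Rules page.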
Viewing Detected Threats
Security Events Page
Navigate to Security Events in the sidebar to see all detected threats.
The page displays:
- Summary Cards - Total events, open events, critical threats, average risk score
- Event List - All security events with severity badges, platform indicators, and status
- Platform Filter - Filter events by Windows, Linux, or macOS
Event Details
Click any event to see complete information:
- Severity and Platform - Risk level and source operating system
- Event Type - Category of security event detected
- MITRE ATT&CK Techniques - Mapped attack techniques
- Machine and User - Affected device and user account
- Confidence Score - Detection confidence percentage
- Behavioral Scores - Correlation, burst, and anomaly scores when applicable
- AI Analysis - AI-generated analysis and recommendations
- IP Addresses - Associated network addresses with enrichment data
Responding to Threats
Recommended Actions
Each threat includes recommended actions based on severity:
| Severity | Typical Recommendations |
|---|---|
| Critical | Isolate device, block user, escalate to security team |
| High | Investigate logs, scan related systems, notify IT |
| Medium | Monitor for recurrence, document findings |
| Low | No immediate action, review in weekly summary |
Taking Action from Dashboard
- Click the event to open the detail modal
- Review the AI Analysis and recommendations
- Check related MITRE ATT&CK techniques for context
- Update status as you investigate (Investigating, Resolved, False Positive)
See Taking Action for detailed response procedures.
Managing Detection Rules
Detection Rules Page
Navigate to Detection Rules in the sidebar to view and manage detection rules.
You can:
- View all active detection rules
- Enable or disable specific rules
- See hit counts and last triggered times
- Filter by category or threat level
Custom Rules
Enterprise tier customers can create custom detection rules:
- Go to Detection Rules
- Click Add Rule
- Define the detection criteria
- Map to MITRE ATT&CK techniques
- Set severity and notification preferences
Detection Notifications
Get notified immediately when threats are detected:
- Navigate to Settings in the sidebar
- Configure notification channels (Teams, Slack, Email)
- Set severity thresholds for alerts
- Choose which event types trigger notifications
Real-Time Detection
CastellanAI provides real-time threat detection:
- Agent Streaming - Security events stream from agents via SignalR
- Instant Analysis - Events are analyzed as they arrive
- Live Dashboard - Security Events page updates automatically
- Immediate Alerts - Notifications sent within seconds of detection
Best Practices
- Review critical threats immediately - Don't let high-severity alerts sit unaddressed
- Check for patterns - Multiple related detections may indicate an ongoing attack
- Use MITRE ATT&CK context - Understand the attack technique to respond appropriately
- Monitor behavioral scores - High correlation or burst scores indicate active threats
- Document your response - Track investigation steps for compliance and learning
What's Next?
- Malware Scanning - Learn about file-based threat detection
- MITRE ATT&CK - Understand threat classification framework
- Investigating Events - Deep-dive investigation techniques