Threat Detection
Understand how CastellanAI identifies and prioritizes security threats across your organization.
CastellanAI uses rule-based detection, AI analysis, threat intelligence, and behavioral analysis simultaneously for comprehensive coverage.
Overview
CastellanAI uses multiple detection methods to identify threats. Detected threats appear in the Security Events page with severity ratings and recommended actions.
How Threats Are Detected
Rule-Based Detection
Rules match known Windows Event Log patterns and map each match to a specific attack technique.
| Category | Description |
|---|---|
| Authentication | Login successes/failures, brute force attempts |
| Privilege Escalation | Unauthorized elevation of user privileges |
| Process Creation | Suspicious process execution and command lines |
| Service Installation | New services installed (potential persistence) |
| Scheduled Tasks | Task scheduling for persistence or execution |
| Account Management | User/group creation, modification, deletion |
| Security Policy Changes | Audit policy and security setting modifications |
| PowerShell Execution | Script execution and encoded commands |
Behavioral Analysis
Advanced pattern detection for identifying threats:
| Analysis Type | What It Detects |
|---|---|
| Burst Activity | High volume of events in short time |
| Correlation | Related events across systems |
| Anomaly Detection | Deviations from baseline behavior |
Events flagged by behavioral analysis show additional scores:
- Correlation Score - How strongly events are related
- Burst Score - Intensity of activity spike
- Anomaly Score - Deviation from normal patterns
A high correlation score combined with a high burst score often indicates an attack in progress.
Signature Matching
Known malware families detected via YARA rules:
- 70+ built-in rules for common malware
- Import custom rules from community sources
- Automatic updates for new threat signatures
AI-Powered Detection
Novel threats and attack sequences identified through:
- Pattern recognition across multiple events
- Context-aware analysis considering environment
- Confidence scoring for detection accuracy
- Recommendation generation for response actions
Threat Intelligence Sources
| Source | Coverage |
|---|---|
| VirusTotal | 70+ antivirus engine results |
| MalwareBazaar | Known malware samples database |
| AlienVault OTX | Community threat intelligence and IOCs |
Threat intelligence is automatically enabled for all subscription tiers. No configuration required.
MITRE ATT&CK Mapping
Each detection rule maps to specific MITRE ATT&CK techniques:
| Event | Technique ID | Technique Name |
|---|---|---|
| 4625 (Failed logon) | T1110 | Brute Force |
| 4672 (Special privileges) | T1078 | Valid Accounts |
| 7045 (Service installed) | T1543.003 | Windows Service |
| 4698 (Scheduled task) | T1053.005 | Scheduled Task |
See MITRE ATT&CK for the complete framework mapping.
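As an added illustration (not CastellanAI's own code), the Python below runs the rule-based mapping from the table above together with the burst and correlation scores described under Behavioral Analysis over a few constructed Windows Security events; the 60-second burst window, the burst threshold of 4 and the 5-minute correlation window are assumed values, not product settings.

```python
from datetime import datetime, timedelta
# Mapping copied from the page's MITRE ATT&CK table (Windows event ID -> technique).
EVENT_TO_TECHNIQUE = {
    4625: ("T1110", "Brute Force"),
    4672: ("T1078", "Valid Accounts"),
    7045: ("T1543.003", "Windows Service"),
    4698: ("T1053.005", "Scheduled Task"),
}

# Constructed sample events (timestamp, event_id, machine, user); not real log data.
SAMPLE_EVENTS = [(datetime.fromisoformat(ts), eid, m, u) for ts, eid, m, u in [
    ("2024-05-01T09:00:00", 4625, "WS01", "alice"),
    ("2024-05-01T09:00:03", 4625, "WS01", "alice"),
    ("2024-05-01T09:00:05", 4625, "WS01", "alice"),
    ("2024-05-01T09:00:08", 4625, "WS01", "alice"),
    ("2024-05-01T09:00:40", 4672, "WS01", "alice"),
    ("2024-05-01T11:30:00", 4625, "WS02", "bob"),
    ("2024-05-01T12:15:00", 7045, "SRV01", "svc_backup"),
]]

def technique_for(event_id):
    """Rule-based step: map a Windows event ID to its ATT&CK technique, or None if unmapped."""
    return EVENT_TO_TECHNIQUE.get(event_id)

def burst_score(events, event_id, user, window=timedelta(seconds=60), threshold=4):
    """Behavioral step: peak count of one event ID for a user inside a sliding window, scaled 0-100."""
    times = sorted(t for t, eid, _, u in events if eid == event_id and u == user)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window start forward
            start += 1
        peak = max(peak, end - start + 1)
    return min(100, round(100 * peak / threshold))

def correlated_logon_chain(events, user, window=timedelta(minutes=5)):
    """Correlation step: a failed logon (4625) followed by a privileged logon (4672) for the same user."""
    failures = [t for t, eid, _, u in events if eid == 4625 and u == user]
    privileged = [t for t, eid, _, u in events if eid == 4672 and u == user]
    return any(timedelta(0) <= p - f <= window for f in failures for p in privileged)

def detect(events):
    """One finding per (user, event ID) that matches a rule, enriched with the behavioral scores."""
    findings = {}
    for _, eid, machine, user in events:
        if technique_for(eid) and (user, eid) not in findings:
            findings[(user, eid)] = {"machine": machine, "technique": technique_for(eid),
                                     "burst": burst_score(events, eid, user),
                                     "correlated": correlated_logon_chain(events, user)}
    return findings
```

In the sample, alice's four failed logons inside ten seconds followed by a privileged logon score 100 on burst and set the correlation flag, which is the "high burst plus high correlation" combination the Behavioral Analysis section tells you to treat as a likely active attack.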
Understanding Threat Severity
Critical (Score 90-100)
Immediate investigation needed
| Typical Recommendations |
|---|
| Isolate device immediately |
| Block user account |
| Escalate to security team |
Critical threats should be investigated within minutes, not hours.
High (Score 70-89)
Investigate within 4 hours
| Typical Recommendations |
|---|
| Investigate logs thoroughly |
| Scan related systems |
| Notify IT team |
Medium (Score 40-69)
Review within 24 hours
| Typical Recommendations |
|---|
| Monitor for recurrence |
| Document findings |
| Review related activity |
Low (Score 1-39)
Monitor for patterns
| Typical Recommendations |
|---|
| No immediate action required |
| Review in weekly summary |
| Note for trend analysis |
Viewing Detected Threats
Security Events Page
Navigate to Security Events in the sidebar to see all detected threats.
| Display Element | Description |
|---|---|
| Summary Cards | Total events, open events, critical threats, average risk |
| Event List | All events with severity badges and status |
| Platform Filter | Filter by Windows, Linux, or macOS |
Event Details
Click any event to see complete information:
| Section | Content |
|---|---|
| Severity and Platform | Risk level and source OS |
| Event Type | Category of security event |
| MITRE ATT&CK Techniques | Mapped attack techniques |
| Machine and User | Affected device and user account |
| Behavioral Scores | Correlation, burst, and anomaly scores |
| AI Analysis | AI-generated recommendations |
Managing Detection Rules
Detection Rules Page
Navigate to Detection Rules in the sidebar to view and manage rules.
You can:
- View all active detection rules
- Enable or disable specific rules
- See hit counts and last triggered times
- Filter by category or threat level
🔧 Custom Rules (Enterprise)
Enterprise tier customers can create custom detection rules:
1. Go to Detection Rules
2. Click Add Rule
3. Define the detection criteria
4. Map to MITRE ATT&CK techniques
5. Set severity and notification preferences
Detection Notifications
Configure notifications in Settings:
- Set severity thresholds for alerts
- Choose notification channels
- Select event types that trigger notifications
Best Practices
✅ Detection Best Practices
| Do | Don't |
|---|---|
| Review critical threats immediately | Let high-severity alerts sit unaddressed |
| Check for event patterns | Investigate events in isolation |
| Use MITRE ATT&CK context | Ignore threat technique classifications |
| Monitor behavioral scores | Focus only on rule-based detections |
| Document your response | Skip documentation steps |
What's Next?
| Guide | Description |
|---|---|
| Malware Scanning | File-based threat detection |
| MITRE ATT&CK | Threat classification framework |
| Investigating Events | Deep-dive investigation techniques |