Detection Use Cases

Sift Security provides two distinct detection mechanisms: a custom rules engine and an advanced anomaly detection platform. Both tools come with built-in support for common use cases and are extensible, enabling users to easily add detection features on the fly.

The Sift detection tools are advantageous because they leverage existing data and are lightweight, customizable, and extensible. Our detectors provide additional value on top of existing tools, such as firewalls and traditional AV and IDS, and are specifically tailored to detect common phases of cyber-attacks. Instead of raising individual alerts in isolation, Sift Security considers each alert in context, prioritizing alerts that are components of a more serious attack.

This document describes some of the use cases supported out-of-the-box by our custom rules engine and advanced anomaly detection platform. Each detection is described in the context of the cyber kill chain, which can be partitioned into the following phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. For each detection described below, the types of data sources used to support it are listed.
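The contextual prioritization described above (ranking an alert higher when the same host already shows activity from other kill-chain phases) can be illustrated with a small scorer. The following is an added example written for this page, not Sift Security's own implementation; the alert fields, the one-hour correlation window, and the sample alerts are all assumptions constructed for the demonstration.

```python
from collections import defaultdict

# Cyber kill chain phases in the order listed above; the index is the
# position in the chain, so a larger index means a later phase.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}

# Constructed sample alerts (assumed schema: id, host, phase, ts in seconds, detail).
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-17", "phase": "delivery", "ts": 100,
     "detail": "macro-enabled attachment opened"},
    {"id": 2, "host": "ws-17", "phase": "exploitation", "ts": 160,
     "detail": "office process spawned a shell"},
    {"id": 3, "host": "ws-17", "phase": "command and control", "ts": 400,
     "detail": "periodic beacon to a rarely seen domain"},
    {"id": 4, "host": "ws-02", "phase": "reconnaissance", "ts": 120,
     "detail": "internal port scan from host"},
    {"id": 5, "host": "ws-09", "phase": "delivery", "ts": 900,
     "detail": "macro-enabled attachment opened"},
]


def score_alerts(alerts, window=3600):
    """Return alerts annotated with a priority score, highest first.

    Score = number of distinct kill-chain phases seen on the same host within
    `window` seconds up to and including this alert, plus a bonus of 2 when an
    earlier-phase alert precedes this one (the activity is advancing along the
    chain rather than repeating one phase).
    """
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)

    scored = []
    for host_alerts in by_host.values():
        for i, alert in enumerate(host_alerts):
            # Earlier alerts on this host inside the correlation window.
            prior = [b for b in host_alerts[:i] if alert["ts"] - b["ts"] <= window]
            phases = {b["phase"] for b in prior} | {alert["phase"]}
            advancing = any(
                PHASE_INDEX[b["phase"]] < PHASE_INDEX[alert["phase"]] for b in prior
            )
            score = len(phases) + (2 if advancing else 0)
            scored.append({
                **alert,
                "score": score,
                "chain": sorted(phases, key=PHASE_INDEX.get),
            })
    # Higher score first; ties broken by earliest timestamp.
    return sorted(scored, key=lambda a: (-a["score"], a["ts"]))


def ranked_ids(alerts, window=3600):
    """Alert ids in priority order, useful for queue ordering."""
    return [a["id"] for a in score_alerts(alerts, window)]


if __name__ == "__main__":
    for a in score_alerts(SAMPLE_ALERTS):
        print(f'{a["score"]:>2}  {a["host"]:<6} {a["phase"]:<22} {a["detail"]}  chain={a["chain"]}')
```

Run stand-alone, the beacon on ws-17 rises to the top because the same host already showed delivery and exploitation activity, while the isolated port scan and the lone attachment on ws-09 stay at the base score; the `chain` field shows the analyst which phases the alert was correlated with.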

Weaponization

The weaponization phase typically occurs on the attacker's end, leaving no detectable artifacts on the victim's network.

Command and Control

Actions on Objectives