
Detection Writing

Defused provides high-fidelity attacker telemetry that you can use to create or refine security detections. Honeypots capture real exploit attempts, enumeration behaviour, and payload structure, making this data ideal for building regex patterns, SIEM rules, and correlation logic in platforms like Splunk, Elastic, Sentinel, or Chronicle.

Workflow

1. Identify a Suspicious Pattern

Start by reviewing high-severity alerts or filtered activity in the Intel Feed. Look for patterns in:

  • Request paths
  • Query parameters
  • Encoded or serialized payloads
  • Headers and user-agents
  • Traversal or injection indicators
  • Vendor-specific routes

These elements often form the basis of a detection.

2. Extract Key Indicators

From the suspicious requests or payloads, extract consistent, repeatable behaviour such as:

  • Traversal: ../ or %2e%2e
  • Serialized payload markers: rO0AB
  • Vendor-specific paths (e.g., FortiWeb /remote/fgt_lang)
  • Template injection markers like ?template=
  • Uncommon verbs or request sequences

You’ll use these indicators to build your detection logic.

3. Build a Regex or Detection Query

Using the extracted indicators, construct a regex or SIEM query.

Example: Detect traversal attempts (regex)
(\.\./|%2e%2e)

Example: Detect FortiWeb-style suspicious paths (regex)
\/(remote|error|debug)\/[A-Za-z0-9_\-]+

Example: Splunk (SPL) detection for traversal
index=web_logs | regex uri_path="(\.\./|%2e%2e)" | stats count by src_ip, uri_path, user_agent

These can be adapted to any SIEM or log source.

4. Validate Against Defused Telemetry

Export relevant Defused events as CSV and test your detection logic against real attacker data. Use this to:

  • Confirm true positives
  • Identify false positives
  • Tune regex patterns
  • Adjust SIEM search logic

Defused’s structured telemetry makes it easy to validate detection quality.

5. Deploy the Detection in Your SIEM

Once validated, deploy the rule in your SIEM of choice. Common destinations include:

  • Splunk: SPL correlation searches
  • Elastic: KQL/EQL rules
  • Microsoft Sentinel: KQL analytics rules
  • Chronicle: UDM queries
  • Suricata: Custom signatures

These detections can then alert when similar activity appears inside your environment.


Example Use Case: Building a Detection for an Emerging Fortinet Exploit

A user notices unusual, low-frequency requests on Defused FortiWeb decoys:

/remote/fgt_lang?lang=/../../../etc/passwd

They extract the important indicators:

  • Endpoint: /remote/fgt_lang
  • Parameter: lang=
  • Traversal pattern: /../../../

They create a regex detection:

remote\/fgt_lang.*(\/\.\.\/|\.\./)

Then deploy a Splunk rule using this pattern:

index=firewall_logs | regex uri_path="remote\/fgt_lang.*(\/\.\.\/|\.\./)" | stats count by src_ip, uri_path, user_agent

This results in a production-ready detection written directly from Defused telemetry.
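The validation step (4) of the workflow and the FortiWeb use case, worked as an added example that is not part of the Defused documentation: a Python script runs the page's two regexes over a constructed CSV export (the column names src_ip, uri_path and user_agent and the inclusion of the query string in uri_path are assumptions) and groups hits by source, like the SPL `stats count by src_ip`. It also shows that the raw patterns miss upper-case or double-encoded traversal unless the path is URL-decoded first.

```python
import csv
import io
import re
from urllib.parse import unquote

# Regexes taken from the page, compiled case-insensitively so that an
# upper-case encoding such as %2E%2E is not silently missed.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e)", re.IGNORECASE)
FGT_LANG = re.compile(r"remote\/fgt_lang.*(\/\.\.\/|\.\./)", re.IGNORECASE)

# Constructed sample of a Defused CSV export (schema assumed). Rows 2 and 3
# carry single- and double-encoded traversal; rows 4 and 5 are benign
# requests that a loose pattern could flag as false positives.
SAMPLE_CSV = """src_ip,uri_path,user_agent
203.0.113.5,/remote/fgt_lang?lang=/../../../etc/passwd,curl/8.1
203.0.113.5,/remote/fgt_lang?lang=%2e%2e%2f%2e%2e%2fetc/passwd,curl/8.1
198.51.100.9,/remote/fgt_lang?lang=%252e%252e%252fetc/passwd,python-requests/2.31
192.0.2.7,/docs/search?q=loading...please%20wait,Mozilla/5.0
192.0.2.8,/remote/fgt_lang?lang=en,Mozilla/5.0
"""


def evaluate(csv_text, pattern, decode_passes=0):
    """Run `pattern` over each uri_path in the export and return the matched
    paths grouped by src_ip. `decode_passes` controls how many rounds of
    URL-decoding are applied before matching, so single- and double-encoded
    traversal can be normalised instead of enumerated in the regex."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["uri_path"]
        for _ in range(decode_passes):
            path = unquote(path)
        if pattern.search(path):
            hits.setdefault(row["src_ip"], []).append(row["uri_path"])
    return hits


def compare(csv_text, pattern):
    """Return (raw_count, decoded_count): hits with the regex applied as
    written versus after two decoding passes. A gap between the two is the
    tuning signal step 4 asks you to look for."""
    raw = sum(len(v) for v in evaluate(csv_text, pattern).values())
    decoded = sum(len(v) for v in evaluate(csv_text, pattern, 2).values())
    return raw, decoded


if __name__ == "__main__":
    for name, pat in (("traversal", TRAVERSAL), ("fgt_lang", FGT_LANG)):
        print(name, "raw/decoded hits:", compare(SAMPLE_CSV, pat))
```

Once the decoded count and the raw count agree on your own export, the same regex can be deployed in the SIEM with the log source's URL-decoding enabled, or the regex extended to cover the encodings the export actually contains.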