Anomaly Detection: Beyond Pattern Matching


The detection conversation always starts with rules. "How many Sigma rules do you support?" "Can you import our Elastic detections?" It's the first question everyone asks — and it's the wrong place to stop.

Sigma rules are pattern matching — filters that look for known-bad strings and field values. They're the simplest form of detection. Elastic rules go further — most convert easily, and even their ML-based detections can be deciphered and rebuilt as transparent, tuneable models. Splunk correlation searches convert too.

But all of this is the tip of the iceberg. The attacks that matter — credential theft chains, slow beaconing, lateral movement, privilege escalation, insider threats — don't match a pattern. They match a behavior.

How spotr.io does it
Of course we run all the Sigma rules. All 3,000+. Concurrently. Sub-second. We convert Elastic rules — including their ML detections, rebuilt as transparent models you can actually tune. Splunk correlation searches too. That's day one. That's table stakes.

What's below the waterline:

Threshold & Aggregation — Count, rate, cardinality, group-by on the stream. Not in a scheduled query an hour later.

Statistical Anomaly Detection — Z-score, deviation, MAD, CUSUM, jitter. Detecting what's abnormal without writing a rule for every scenario.

Sequence & State Models — Multi-step attack chains with ordering, negation, and cross-source correlation. Real-time state tracking.

Behavioral Learning — New terms, rarity, trend analysis. Continuously adapting baselines per entity. "This has never happened before" is a detection.

Autonomous Coverage + AI SOC Analyst — Discovery → auto-deployed detections → automated triage. No human in the loop until the signal is ready.
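To make the "Statistical Anomaly Detection" item concrete, here is an added example (written for this page, not spotr.io's code) that scores a stream of per-minute event counts for one entity with three of the methods named above: a classic Z-score, a MAD-based robust score, and a one-sided CUSUM. The window length, the alert thresholds, the CUSUM allowance `k` and decision threshold `h`, and the sample series itself are all assumptions constructed for the demo. The series has a flat baseline, a single burst, and then a small persistent increase; the burst trips Z-score and MAD, while the slow drift is only caught by CUSUM, which is the reason to run more than one statistic on the same stream.

```python
"""Added example, not spotr.io code: three streaming anomaly scores over a
series of per-minute event counts for one entity (e.g. outbound connections
from one host). Thresholds and the input series are constructed for the demo."""
from collections import deque
from statistics import mean, median, pstdev

WINDOW = 40            # baseline window length in samples (assumption)
Z_LIMIT = 3.0          # z-score alert threshold (assumption)
MAD_LIMIT = 3.5        # robust-score alert threshold (assumption)
MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normal data


def zscore(x, history):
    """Distance of x from the window mean, in standard deviations."""
    sd = pstdev(history)
    return 0.0 if sd == 0 else (x - mean(history)) / sd


def mad_score(x, history):
    """Robust z-score built on the median and the median absolute deviation,
    which an earlier outlier sitting in the window cannot inflate."""
    med = median(history)
    mad = median(abs(v - med) for v in history)
    return 0.0 if mad == 0 else (x - med) / (MAD_TO_SIGMA * mad)


class Cusum:
    """One-sided (upward) CUSUM: accumulates the excess of each sample over
    target + k and alerts once the sum exceeds h, then resets. It catches
    small persistent shifts that never individually cross a z-score limit."""

    def __init__(self, target, k, h):
        self.target, self.k, self.h, self.s = target, k, h, 0.0

    def update(self, x):
        self.s = max(0.0, self.s + (x - self.target - self.k))
        if self.s > self.h:
            self.s = 0.0
            return True
        return False


def detect(samples, window=WINDOW):
    """Return {detector: [indices that alerted]} for a list of counts.
    The first `window` samples form the baseline; later samples are scored
    against a sliding window that excludes samples already flagged by
    z-score or MAD, so an outlier does not poison the baseline."""
    history = deque(maxlen=window)
    alerts = {"zscore": [], "mad": [], "cusum": []}
    cusum = None
    for i, x in enumerate(samples):
        if len(history) < window:
            history.append(x)  # still learning the baseline
            continue
        if cusum is None:
            # Allowance k and decision threshold h in count units (assumption).
            cusum = Cusum(target=mean(history), k=1.0, h=10.0)
        flagged = False
        if abs(zscore(x, history)) > Z_LIMIT:
            alerts["zscore"].append(i)
            flagged = True
        if abs(mad_score(x, history)) > MAD_LIMIT:
            alerts["mad"].append(i)
            flagged = True
        if cusum.update(x):
            alerts["cusum"].append(i)
        if not flagged:
            history.append(x)
    return alerts


# Constructed series: 40 minutes of normal counts, one burst, then a slow
# upward drift (about three extra events a minute that never look extreme).
SAMPLES = [8, 9, 10, 11, 12] * 8 + [40] + [13] * 15

if __name__ == "__main__":
    print(detect(SAMPLES))
    # {'zscore': [40], 'mad': [40], 'cusum': [40, 46, 52]}
```

The exclusion of flagged samples from the baseline is a deliberate choice: if the burst at index 40 were allowed into the window, the inflated standard deviation would mask the drift that follows for even longer. The MAD score is the robust counterpart for the case where a contaminated window cannot be avoided.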
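For the "Sequence & State Models" item, this added example (not spotr.io's engine) shows the minimum a per-entity state tracker needs: ordered steps, a time window, a join key that correlates events across two sources, and a negation step that cancels a chain. The rule, the field names (`ts`, `source`, `user`, `action`, `ip_known`) and the events are all constructed for the demo.

```python
"""Added example, not spotr.io code: a per-entity sequence detector that
tracks multi-step chains across two log sources, with ordering, a time
window and a negation step. Rule, field names and events are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = dict
Predicate = Callable[[Event], bool]


@dataclass
class Sequence:
    name: str
    key: str                              # field that joins events across sources
    steps: List[Tuple[str, Predicate]]    # ordered (step name, predicate)
    window: float                         # max seconds from first step to last
    abort_if: Optional[Predicate] = None  # negation: this event cancels a chain


class SequenceTracker:
    """Keeps (next step index, chain start time) per entity."""

    def __init__(self, seq: Sequence):
        self.seq = seq
        self.state: Dict[str, Tuple[int, Optional[float]]] = {}

    def feed(self, event: Event) -> Optional[dict]:
        entity = event.get(self.seq.key)
        if entity is None:
            return None
        idx, start = self.state.get(entity, (0, None))
        # A partial chain older than the window is forgotten.
        if start is not None and event["ts"] - start > self.seq.window:
            idx, start = 0, None
            self.state.pop(entity, None)
        # Negation: an event that makes the chain benign resets it.
        if idx > 0 and self.seq.abort_if and self.seq.abort_if(event):
            self.state.pop(entity, None)
            return None
        _, match = self.seq.steps[idx]
        if not match(event):
            return None  # an out-of-order step does not advance the chain
        if idx == 0:
            start = event["ts"]
        idx += 1
        if idx == len(self.seq.steps):
            self.state.pop(entity, None)
            return {"rule": self.seq.name, "entity": entity,
                    "start": start, "end": event["ts"]}
        self.state[entity] = (idx, start)
        return None


def run(seq: Sequence, events: List[Event]) -> List[dict]:
    """Feed events in timestamp order and collect completed chains."""
    tracker = SequenceTracker(seq)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = tracker.feed(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed rule: a login from an IP the user has not used before (auth
# source), followed within an hour by a new service on an endpoint (EDR
# source), unless the user completed MFA in between.
NEW_IP_THEN_SERVICE = Sequence(
    name="new_ip_login_then_service_install",
    key="user",
    steps=[
        ("login_from_new_ip", lambda e: e["source"] == "auth"
         and e["action"] == "login_success" and not e.get("ip_known", True)),
        ("service_installed", lambda e: e["source"] == "endpoint"
         and e["action"] == "service_installed"),
    ],
    window=3600,
    abort_if=lambda e: e["source"] == "auth" and e["action"] == "mfa_success",
)

# Constructed events from two sources, joined on "user".
EVENTS = [
    {"ts": 0, "source": "auth", "user": "alice", "action": "login_success", "ip_known": False},
    {"ts": 30, "source": "auth", "user": "bob", "action": "login_success", "ip_known": False},
    {"ts": 60, "source": "auth", "user": "bob", "action": "mfa_success"},
    {"ts": 120, "source": "endpoint", "user": "bob", "action": "service_installed"},
    {"ts": 200, "source": "endpoint", "user": "alice", "action": "service_installed"},
    {"ts": 300, "source": "endpoint", "user": "carol", "action": "service_installed"},
    {"ts": 400, "source": "auth", "user": "carol", "action": "login_success", "ip_known": False},
    {"ts": 5000, "source": "endpoint", "user": "carol", "action": "service_installed"},
]

if __name__ == "__main__":
    # Only alice completes the chain: bob was cleared by MFA, and carol's
    # service event came before her login and her later one fell outside the window.
    for alert in run(NEW_IP_THEN_SERVICE, EVENTS):
        print(alert)
```

The state is keyed on the join field rather than on the source, which is what makes the cross-source correlation work: an auth event and an endpoint event for the same user advance the same chain. Expiring stale partial chains is as important as matching them, since without it the per-entity state grows without bound and old first steps keep pairing with unrelated later events.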
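This last added example (not spotr.io's code) serves two of the items above at once: "Threshold & Aggregation" on the stream and "Behavioral Learning". It keeps a sliding-window count and distinct-value cardinality per group key, updated on every event rather than by a scheduled query, and a per-entity set of seen values so that, once a learning period ends, a never-before-seen value is itself a detection, scored by how many other entities have ever produced it. The window size, the fan-out limit, the learning cutoff and the host-to-destination events are constructed assumptions.

```python
"""Added example, not spotr.io code: streaming group-by aggregation (count
and distinct-value cardinality per key over a sliding window) plus per-entity
new-term detection with a prevalence score. Events are constructed
host -> destination connection records."""
from collections import defaultdict, deque

WINDOW = 60          # sliding window in seconds (assumption)
FANOUT_LIMIT = 10    # distinct destinations per host within the window (assumption)
LEARN_UNTIL = 1000   # timestamp at which the learning period ends (assumption)


class WindowAggregator:
    """Count and cardinality per group key over a sliding time window."""

    def __init__(self, window):
        self.window = window
        self.buckets = defaultdict(deque)   # key -> deque of (ts, value)

    def add(self, key, ts, value):
        q = self.buckets[key]
        q.append((ts, value))
        while ts - q[0][0] > self.window:   # evict events outside the window
            q.popleft()
        return len(q), len({v for _, v in q})


class NewTermDetector:
    """Remembers which values each entity has produced. After the learning
    period, a value the entity has never produced is reported together with
    its prevalence: the fraction of all known entities that have used it
    (0.0 means nobody has, which is the strongest signal)."""

    def __init__(self, learn_until):
        self.learn_until = learn_until
        self.seen = defaultdict(set)    # entity -> values seen so far
        self.users = defaultdict(set)   # value -> entities that produced it

    def observe(self, entity, value, ts):
        is_new = value not in self.seen[entity]
        prevalence = None
        if is_new and ts >= self.learn_until:
            prevalence = len(self.users[value]) / len(self.seen)
        self.seen[entity].add(value)
        self.users[value].add(entity)
        return prevalence


def detect(events, window=WINDOW, fanout_limit=FANOUT_LIMIT, learn_until=LEARN_UNTIL):
    """events: iterable of (ts, host, dst). Returns alert dicts in time order."""
    agg = WindowAggregator(window)
    terms = NewTermDetector(learn_until)
    alerts = []
    for ts, host, dst in sorted(events):
        _count, distinct = agg.add(host, ts, dst)
        if distinct == fanout_limit:     # fire once, when the limit is crossed
            alerts.append({"type": "fanout", "entity": host, "ts": ts,
                           "distinct": distinct})
        prevalence = terms.observe(host, dst, ts)
        if prevalence is not None:
            alerts.append({"type": "new_term", "entity": host, "ts": ts,
                           "value": dst, "prevalence": prevalence})
    return alerts


# Constructed traffic: three hosts with a short learning period, then one host
# contacting a destination new to it but known elsewhere, one contacting a
# destination nobody has used, and a burst of connections to many new destinations.
EVENTS = [
    (0, "h1", "10.0.0.5"), (10, "h1", "10.0.0.6"), (20, "h2", "10.0.0.5"),
    (30, "h3", "10.0.0.5"), (40, "h3", "10.0.0.7"), (50, "h1", "10.0.0.5"),
    (1000, "h1", "10.0.0.5"),       # already seen for h1: nothing
    (1010, "h2", "10.0.0.6"),       # new for h2, but h1 uses it: prevalence 1/3
    (1020, "h3", "198.51.100.9"),   # new for everyone: prevalence 0.0
] + [(1100 + i, "h3", f"192.0.2.{i}") for i in range(12)]   # fan-out burst

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The fan-out check fires exactly once, when the cardinality crosses the limit, rather than on every event while it stays above it; that is the difference between one alert and a flood. The new-term alerts from the burst are numerous by design: each destination really has never been seen, and the prevalence field is what lets triage rank the one known to two other hosts below the eleven known to none.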

Pattern matching is where detection starts. It's not where it ends.

The Conversation

"We already have Sigma rules." — Great. So do we. All of them. But what's running underneath?

"Can you import our Elastic detections?" — Yes. Including the ML ones — rebuilt as transparent models instead of black boxes.

"What detections do you have that rules can't express?" — That's the real conversation.