
docs: Behavioral detection patterns and .mtd in suppression keys #95

Merged
maximelb merged 1 commit into master from docs/behavioral-detection on Feb 22, 2026

Conversation

@maximelb (Contributor)

Summary

  • New page: Behavioral Detection (3-detection-response/behavioral-detection.md) documenting suppression-based detection patterns
  • Updated Response Actions reference to document the .mtd namespace in suppression key templates
  • Added nav entry in mkdocs.yml

New Page: Behavioral Detection

Documents four detection patterns that work using existing D&R rules and suppression:

  • First-Seen Detection — max_count: 1 suppression as a first-seen detector, with examples for event fields (new domain, new process hash, new login source) and lookup-derived values (GeoIP country, ASN, threat intel category via .mtd)
  • Cardinality Detection — two-rule dedup+count pattern for unique-count thresholds (DGA/C2 beaconing, lateral movement, excessive external connections)
  • Volume Detection — count_path for cumulative metric thresholds (data exfiltration)
  • Multi-Signal Aggregation — shared suppression counters across rules for composite risk indicators

Includes parameter reference table, template namespace documentation, and a clear limitations section.

Updated: Response Actions

Added to the suppression section:

  • Documents the three template namespaces for keys: .event.*, .routing.*, .mtd.*
  • Complete GeoIP example showing country code in a suppression key
  • Cross-link to the new behavioral detection page

Dependency

The .mtd namespace in suppression keys depends on refractionPOINT/dr-engine#217.

Test plan

  • Verify mkdocs builds without errors
  • Verify all internal links resolve
  • Review YAML examples for correctness

🤖 Generated with Claude Code

Document the suppression-based behavioral detection capabilities that
exist in the D&R engine, including first-seen detection, cardinality
thresholds, volume thresholds, and multi-signal aggregation.

Also documents the new .mtd namespace in suppression key templates
(from refractionPOINT/dr-engine#217) which allows lookup-derived
values like GeoIP country to be used in suppression keys. This
enables single-rule first-seen detection patterns such as "first
time user logs in from a new country."

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
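A Python model of the first-seen pattern described above (a max_count: 1 suppression keyed on an event field plus a .mtd lookup value), added here as an illustration; it is not code from the LimaCharlie docs or the D&R engine. The key template syntax follows the three namespaces the PR names, while the field paths USER_NAME and geoip.country, the login events, and the choice to treat an unresolvable key as "do not report" are constructed assumptions.

```python
import re
from collections import defaultdict

# Template namespaces as the PR describes them: .event.* (event fields),
# .routing.* (sensor routing data) and .mtd.* (lookup-derived metadata).
_TEMPLATE = re.compile(r"\{\{\s*\.(event|routing|mtd)\.([\w.]+)\s*\}\}")


def render_key(template, event, routing, mtd):
    """Resolve one suppression key template against the three namespaces."""
    scopes = {"event": event, "routing": routing, "mtd": mtd}

    def lookup(m):
        node = scopes[m.group(1)]
        for part in m.group(2).split("."):
            node = node[part]  # KeyError: lookup value absent, key cannot be built
        return str(node)

    return _TEMPLATE.sub(lookup, template)


class Suppression:
    """Model of max_count / period / keys suppression used as a first-seen detector."""

    def __init__(self, keys, max_count=1, period_s=86400):
        self.keys, self.max_count, self.period_s = keys, max_count, period_s
        self._seen = defaultdict(list)  # composite key -> report timestamps

    def should_report(self, event, routing, mtd, now):
        try:
            key = "|".join(render_key(k, event, routing, mtd) for k in self.keys)
        except KeyError:
            return False  # assumption of this model: no key, no report
        window = [t for t in self._seen[key] if now - t < self.period_s]
        if len(window) < self.max_count:
            window.append(now)  # first (or Nth) sighting in the period: report
        self._seen[key] = window
        return window[-1] == now


def first_seen_country_demo():
    """Constructed logins: report the first login per (user, GeoIP country)."""
    rule = Suppression(keys=["new-country-login", "{{ .event.USER_NAME }}",
                             "{{ .mtd.geoip.country }}"], max_count=1,
                       period_s=30 * 86400)
    routing = {"hostname": "laptop-01"}  # constructed routing data
    logins = [(0, "alice", "US"), (60, "alice", "US"),  # constructed sample
              (120, "alice", "BR"), (180, "bob", "US")]
    fired = []
    for t, user, country in logins:
        if rule.should_report({"USER_NAME": user}, routing,
                              {"geoip": {"country": country}}, now=t):
            fired.append((user, country))
    return fired  # [("alice", "US"), ("alice", "BR"), ("bob", "US")]
```

Running first_seen_country_demo() shows alice's second US login suppressed while her first BR login still reports, which is the "first time user logs in from a new country" case the commit message describes.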
@maximelb maximelb marked this pull request as ready for review February 22, 2026 21:34
@maximelb maximelb merged commit 5d63c0d into master Feb 22, 2026
2 of 3 checks passed
@maximelb maximelb deleted the docs/behavioral-detection branch February 22, 2026 21:37
