Custom Threat Models
Define detection rules using event sequences, conditions, and time windows.
Overview
Custom threat models let you define your own detection rules beyond SOCWarden's built-in behavioral detections. Instead of relying solely on predefined patterns like brute force or impossible travel, you can create rules that match your application's specific threat landscape — insider threats, business logic abuse, or multi-step attack chains unique to your domain.
Threat models are evaluated by the ThreatModelEngine inside the dashboard's alert consumer. When an enriched event arrives, it is checked against all active threat models for your organization. Matching events generate alerts with the severity and metadata you define.
Custom threat models require a Pro or Business plan. Free and Starter plans use the built-in detection rules only.
Operators
Threat models are built from a set of operators that define how events are matched, sequenced, and filtered.
| Operator | Description | Example |
|---|---|---|
| event_match | Match a single event type | auth.login.failure |
| FOLLOWED_BY | Event A then Event B within a time window | auth.login.success → account.role.changed within 300s |
| AND | Both conditions must match | auth.login.failure AND is_tor = true |
| OR | Either condition matches | data.exported OR data.deleted |
| NOT | Exclude matching events | NOT auth.logout |
Wildcard Patterns
Use wildcard patterns to match groups of related event types without listing each one individually. The * character matches any segment(s) in the event type.

- auth.* matches all authentication events: auth.login.success, auth.login.failure, auth.logout, auth.mfa.enabled, etc.
- server.ssh.* matches all SSH-related server events: server.ssh.login.success, server.ssh.login.failure, server.ssh.session.opened, etc.
- data.* matches all data events: data.exported, data.deleted, data.imported, data.accessed, etc.
Time Windows
The FOLLOWED_BY operator requires a within_seconds parameter that defines the maximum time between the first and second event.
```json
{
  "event_match": "auth.login.success",
  "followed_by": {
    "event_match": "account.role.changed",
    "within_seconds": 300
  }
}
```
Examples
Each example below gives the full threat model definition.
Detects when a user logs in successfully and then has their role changed within 5 minutes. This pattern indicates either an insider threat or a compromised account being elevated.
```json
{
  "name": "Privilege Escalation After Login",
  "severity": "critical",
  "rules": [
    {
      "event_match": "auth.login.success",
      "followed_by": {
        "event_match": "account.role.changed",
        "within_seconds": 300
      },
      "conditions": {
        "AND": [
          { "field": "actor_id", "op": "eq", "bind": "same_actor" }
        ]
      }
    }
  ]
}
```
Detects when a role change is followed by a data export within 10 minutes. This sequence suggests an attacker escalating privileges and then extracting sensitive data.
```json
{
  "name": "Data Exfiltration Pattern",
  "severity": "critical",
  "rules": [
    {
      "event_match": "account.role.changed",
      "followed_by": {
        "event_match": "data.exported",
        "within_seconds": 600
      },
      "conditions": {
        "AND": [
          { "field": "actor_id", "op": "eq", "bind": "same_actor" }
        ]
      }
    }
  ]
}
```
Detects 5 or more failed login attempts from the same IP followed by a successful login within 5 minutes. This is a classic indicator of credential compromise.
```json
{
  "name": "Brute Force → Successful Login",
  "severity": "high",
  "rules": [
    {
      "event_match": "auth.login.failure",
      "count_gte": 5,
      "followed_by": {
        "event_match": "auth.login.success",
        "within_seconds": 300
      },
      "conditions": {
        "AND": [
          { "field": "ip", "op": "eq", "bind": "same_ip" }
        ]
      }
    }
  ]
}
```
Creating a Threat Model
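To make the operator semantics, wildcards, time windows and the three example models above concrete, here is a small reference evaluator written for this page. It is an added example, not SOCWarden's ThreatModelEngine or any published SOCWarden code, and the semantics it implements are assumptions stated in its docstring: `*` spans any number of event-type segments, `count_gte` is the number of first-pattern events that must precede the follow-up event inside `within_seconds`, and a condition with `op: eq` plus a `bind` label pins that field to one value across the whole matched sequence. The event record fields (`ts`, `type`, `ip`, `actor_id`), the event stream, and the single-event `server.ssh.*` model are constructed here as well; the three sequence models are copied from the page.

```python
"""Reference evaluator (added for this page) for the threat model JSON shown above.

Assumed semantics, not SOCWarden's own ThreatModelEngine:
  - "event_match": exact type name, or "*" standing for any number of segments.
  - "followed_by": fires when the second event arrives no more than
    "within_seconds" after at least "count_gte" (default 1) first-pattern events.
  - a condition with "op": "eq" and a "bind" label requires that field to hold
    the same value in every event of the matched sequence.
Event records are plain dicts with "ts" (seconds), "type" and any other fields.
"""
import fnmatch


def event_type_matches(pattern, event_type):
    """Exact match, or wildcard match where '*' spans one or more segments."""
    if "*" not in pattern:
        return pattern == event_type
    return fnmatch.fnmatchcase(event_type, pattern)


def bound_fields(rule):
    """Fields every event in the sequence must agree on ("bind": "same_actor", ...)."""
    conds = rule.get("conditions", {}).get("AND", [])
    return [c["field"] for c in conds if c.get("op") == "eq" and "bind" in c]


def bind_key(event, fields):
    """The tuple of bound-field values used to group events into one sequence."""
    return tuple(event.get(f) for f in fields)


def evaluate(model, events):
    """Run one threat model over a list of events and return the alerts it raises."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for rule in model["rules"]:
        fields = bound_fields(rule)
        follow = rule.get("followed_by")
        if follow is None:  # single-event rule: every matching event alerts
            for e in events:
                if event_type_matches(rule["event_match"], e["type"]):
                    alerts.append({"model": model["name"], "severity": model["severity"], "events": [e]})
            continue
        for i, trigger in enumerate(events):
            if not event_type_matches(follow["event_match"], trigger["type"]):
                continue
            # Look back only at earlier events inside the window that share the bound values.
            precursors = [p for p in events[:i]
                          if event_type_matches(rule["event_match"], p["type"])
                          and trigger["ts"] - p["ts"] <= follow["within_seconds"]
                          and bind_key(p, fields) == bind_key(trigger, fields)]
            if len(precursors) >= rule.get("count_gte", 1):
                alerts.append({"model": model["name"], "severity": model["severity"],
                               "events": precursors + [trigger]})
    return alerts


# The three models from this page, verbatim, as Python dicts.
PRIVILEGE_ESCALATION = {"name": "Privilege Escalation After Login", "severity": "critical", "rules": [{
    "event_match": "auth.login.success",
    "followed_by": {"event_match": "account.role.changed", "within_seconds": 300},
    "conditions": {"AND": [{"field": "actor_id", "op": "eq", "bind": "same_actor"}]}}]}
DATA_EXFILTRATION = {"name": "Data Exfiltration Pattern", "severity": "critical", "rules": [{
    "event_match": "account.role.changed",
    "followed_by": {"event_match": "data.exported", "within_seconds": 600},
    "conditions": {"AND": [{"field": "actor_id", "op": "eq", "bind": "same_actor"}]}}]}
BRUTE_FORCE = {"name": "Brute Force → Successful Login", "severity": "high", "rules": [{
    "event_match": "auth.login.failure", "count_gte": 5,
    "followed_by": {"event_match": "auth.login.success", "within_seconds": 300},
    "conditions": {"AND": [{"field": "ip", "op": "eq", "bind": "same_ip"}]}}]}
# Assumed single-event wildcard model (not on the page) to exercise "*" matching.
SSH_ANY = {"name": "Any SSH event", "severity": "low", "rules": [{"event_match": "server.ssh.*"}]}

# Constructed sample stream: five failures then a success from one IP (brute force),
# a second IP with a single failure, and two actors whose later steps fall inside
# (u-42) or outside (u-7) the time windows.
EVENTS = [
    {"ts": 0,    "type": "auth.login.failure",       "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 5,    "type": "server.ssh.login.failure", "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 10,   "type": "auth.login.failure",       "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 20,   "type": "auth.login.failure",       "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 30,   "type": "auth.login.failure",       "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 40,   "type": "auth.login.failure",       "ip": "203.0.113.9",  "actor_id": None},
    {"ts": 50,   "type": "auth.login.failure",       "ip": "198.51.100.3", "actor_id": None},
    {"ts": 60,   "type": "auth.login.success",       "ip": "203.0.113.9",  "actor_id": "u-42"},
    {"ts": 70,   "type": "auth.login.success",       "ip": "198.51.100.3", "actor_id": "u-7"},
    {"ts": 100,  "type": "account.role.changed",     "ip": "203.0.113.9",  "actor_id": "u-42"},
    {"ts": 400,  "type": "data.exported",            "ip": "203.0.113.9",  "actor_id": "u-42"},
    {"ts": 500,  "type": "account.role.changed",     "ip": "198.51.100.3", "actor_id": "u-7"},
    {"ts": 1200, "type": "data.exported",            "ip": "198.51.100.3", "actor_id": "u-7"},
]


def run_all(models=(PRIVILEGE_ESCALATION, DATA_EXFILTRATION, BRUTE_FORCE, SSH_ANY), events=EVENTS):
    """Map each model name to the number of alerts it raises over the event stream."""
    return {m["name"]: len(evaluate(m, events)) for m in models}


if __name__ == "__main__":
    for name, count in run_all().items():
        print(f"{count} alert(s): {name}")
```

Run as a script, each model raises exactly one alert on this stream: the five failures from 203.0.113.9 are counted toward the success from that IP only, the single failure from 198.51.100.3 never reaches the threshold, and u-7's role change (430 s after login) and export (700 s after the role change) both fall outside their windows, so the `bind` grouping and the `within_seconds` cut-off are each exercised in the negative as well as the positive case.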
Follow these steps to create a new threat model in the SOCWarden dashboard.
Navigate to Settings > Threat Models
Open the SOCWarden dashboard and go to Settings > Threat Models. This page lists all active and disabled threat models for your organization.
Click "Create Threat Model"
Click the button in the top-right corner. A form will open with fields for name, description, severity (low/medium/high/critical), and the rule definition.
Define your rules
Use the JSON editor or the visual rule builder to define your event_match, FOLLOWED_BY chains, conditions (AND/OR/NOT), and time windows. The editor provides autocomplete for event types.
Test with historical events
Click "Test Rule" to run your threat model against the last 24 hours of events. This shows how many times it would have triggered, helping you tune before enabling.
Enable and save
Toggle the threat model to "Active" and save. It will begin evaluating incoming events immediately. Alerts generated by custom threat models appear in the Alert Queue with your defined severity.
Built-in Kill Chain Detection
SOCWarden automatically detects 5 multi-step attack kill chains on Pro+ plans. These require no configuration and always classify as FLASH-tier alerts (highest priority).
Account Takeover
FLASH: login (new geo) → email change → password change
Detects the classic account takeover pattern: a login from an unusual location followed by the attacker changing the email and password to lock out the legitimate user.
Insider Exfiltration
FLASH: data access (high volume) → export → download
Identifies potential data theft by an insider who accesses a large volume of records, exports them, and downloads the export.
Server Compromise
FLASH: SSH login → user created → cron added
Detects server-level compromise where an attacker gains SSH access, creates a new user for persistence, and installs a cron job for recurring access.
Privilege Escalation
FLASH: login → role change → admin action
Identifies escalation attacks where an account is compromised, its role is elevated, and administrative actions are immediately performed.
Defense Evasion
FLASH: firewall rule removed → log cleared
Detects attempts to cover tracks by removing firewall rules and clearing logs to hide evidence of unauthorized access.