Question 1

How to convert legacy security alerts to the ADS format?

Accepted Answer

Start by mapping existing alerts to the nine-section template, documenting goals, context, and false positives. The README recommends a phased approach, beginning with a few alerts during an ADS hack week to build familiarity.

Question 2

Does the ADS Framework work with Splunk or Elastic SIEM?

Accepted Answer

Yes, the framework is tool-agnostic and can be adapted to any SIEM. However, you'll need to manually translate the ADS logic into search queries or rules, as no pre-built integrations are provided.

Question 3

ADS Framework vs Sigma rules: which is better for detection engineering?

Accepted Answer

ADS Framework is a process for developing and documenting alerts, while Sigma is a standardized rule format for sharing detections. They complement each other—ADS can use Sigma for technical implementation, but ADS adds rigorous documentation and validation steps.

Question 4

What are the blind spots and assumptions section in ADS?

Accepted Answer

This section requires documenting limitations and assumptions in the detection strategy, such as data source gaps or attacker evasion techniques, ensuring alerts are transparent about their coverage, as outlined in the framework.

Question 5

How to implement peer review for ADS in a remote team?

Accepted Answer

Use version-controlled platforms like GitHub for storing ADS documents and leverage pull requests for review. The README emphasizes peer review as critical, suggesting regular sessions to provide feedback on new alerts.

Question 6

Can ADS reduce false positives in security monitoring?

Accepted Answer

Yes, by requiring a dedicated 'False Positives' section where mitigations are documented, and through pre-production validation, the framework aims to tune alerts before deployment, reducing noise.

Alerting and Detection Strategies (ADS) Framework | Palantir

What is Alerting and Detection Strategies (ADS) Framework | Palantir?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions