Security teams are often overwhelmed by a flood of alerts, leading to alert fatigue and missed critical incidents. But what if you could cut through the noise and pinpoint the most serious and imminent threats to your organization? This is where Declarations of Compromise (DoC) from Clear NDR come into play.
What is a Declaration of Compromise (DoC)?
A DoC is a high-fidelity, asset-oriented security incident event generated by Clear NDR. It's designed to provide a clear starting point for investigation by identifying true organizational compromises with near-zero false positives. Think of it as a confident "declaration" that a serious threat, such as malware, lateral movement, or an advanced persistent threat (APT), has been detected against a specific asset in your network.
The Power of DoC: Noise Reduction and Actionable Intelligence
Traditional security monitoring often generates millions of network events. DoCs dramatically reduce this alert fatigue by transforming that vast amount of data into focused, actionable incidents. While Clear NDR collects extensive network metadata and discrete threat detections, DoCs simplify the incident responder's job by highlighting only the most critical events.
Each DoC maps to specific phases of the cybersecurity kill chain, providing a complete attack timeline from initial compromise through full blast radius analysis. This means you not only know what happened but also how the attack progressed and which assets are affected.
Key Characteristics of DoCs:
- Asset-oriented: Each DoC is associated with a single asset, with all evidence and insights linked to it.
- High confidence, high-fidelity: DoCs are triggered only under conditions of an active incident, ensuring accuracy.
- Low noise: While Clear NDR logs repeated detections, only the first one generates a DoC, preventing redundant alerts.
- Effective with UI or SIEM: DoC events contain comprehensive information, making them valuable whether you use the Clear NDR UI or a SIEM integration.
- Built-in and/or customized: Stamus Networks provides extensive built-in detections, updated daily, and Clear NDR allows users to create custom DoC rules through an "escalation" process.
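To make the asset-oriented, first-detection-only behaviour concrete, here is an added illustration in Python. It is not Clear NDR code, and the detection fields, the ordered phase list, the confidence values and the sample detections are all constructed assumptions for the example. It collapses a stream of detections into at most one declaration per asset, attaches every later detection for that asset as evidence instead of raising a new alert, folds earlier low-confidence telemetry into the timeline once the declaration opens, and emits the flat event a SIEM or automation hook would consume.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Ordered attack phases used to build the timeline. This ordering is an
# assumption for the example, not Clear NDR's own phase model.
PHASES = [
    "reconnaissance", "delivery", "exploitation",
    "command_and_control", "lateral_movement", "actions_on_objectives",
]

# Constructed sample detections (not real Clear NDR output; field names are assumptions).
DETECTIONS = [
    {"ts": "2025-07-01T09:58:00Z", "asset": "10.0.2.7",  "sig": "Internal port sweep",
     "phase": "reconnaissance", "confidence": "low"},
    {"ts": "2025-07-01T10:00:00Z", "asset": "10.0.1.15", "sig": "Malware C2 beacon",
     "phase": "command_and_control", "confidence": "high"},
    {"ts": "2025-07-01T10:05:00Z", "asset": "10.0.1.15", "sig": "Malware C2 beacon",
     "phase": "command_and_control", "confidence": "high"},
    {"ts": "2025-07-01T10:12:00Z", "asset": "10.0.1.15", "sig": "Admin share access from workstation",
     "phase": "lateral_movement", "confidence": "high"},
    {"ts": "2025-07-01T10:20:00Z", "asset": "10.0.2.7",  "sig": "Known C2 TLS fingerprint",
     "phase": "command_and_control", "confidence": "high"},
    {"ts": "2025-07-01T10:25:00Z", "asset": "10.0.3.9",  "sig": "Internal port sweep",
     "phase": "reconnaissance", "confidence": "low"},
]


@dataclass
class Declaration:
    """One incident per asset: opened once, then accumulates evidence."""
    asset: str
    opened_at: str
    trigger: str
    evidence: list = field(default_factory=list)

    def phases(self):
        """Kill-chain phases present in the evidence, in attack order."""
        seen = {e["phase"] for e in self.evidence}
        return [p for p in PHASES if p in seen]

    def to_event(self):
        """Flat dict suitable for forwarding to a SIEM or an automation hook."""
        return {
            "asset": self.asset,
            "opened_at": self.opened_at,
            "trigger": self.trigger,
            "phases": self.phases(),
            "evidence_count": len(self.evidence),
        }


def declare(detections):
    """Collapse a detection stream into at most one Declaration per asset.

    Only a high-confidence detection opens a declaration; an asset gets at
    most one; every later detection for that asset (repeat or new) is
    attached as evidence rather than raising a new incident. Low-confidence
    detections seen before the declaration opens are held as telemetry and
    folded into the timeline once it does.
    """
    declarations = {}
    telemetry = defaultdict(list)
    for d in sorted(detections, key=lambda d: d["ts"]):
        asset = d["asset"]
        if asset in declarations:
            declarations[asset].evidence.append(d)
        elif d["confidence"] == "high":
            doc = Declaration(asset, d["ts"], d["sig"], telemetry.pop(asset, []))
            doc.evidence.append(d)
            declarations[asset] = doc
        else:
            telemetry[asset].append(d)
    return declarations


def noise_reduction(detections, declarations):
    """Raw detections per declared incident: the alert-fatigue ratio."""
    return len(detections) / max(len(declarations), 1)


if __name__ == "__main__":
    docs = declare(DETECTIONS)
    for doc in docs.values():
        print(doc.to_event())
    print(f"{len(DETECTIONS)} detections -> {len(docs)} declarations")
```

Note that the host that only ever produced a low-confidence port sweep (10.0.3.9) never becomes an incident, while the same sweep from 10.0.2.7 ends up as the first entry in that asset's timeline once a high-confidence detection opens its declaration.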
Automating Your Response
DoCs are not just about detection; they're about action. They can seamlessly integrate with your existing security infrastructure through SIEM integrations and automated response capabilities via API integrations. This enables automated workflows like:
- Opening incident response (IR) tickets
- Isolating offending endpoints
- Blocking malicious IP addresses
- Initiating SOAR playbooks
- Sending instant messages to your security team
Transforming Security Operations
Declarations of Compromise represent a paradigm shift from reactive alert processing to proactive incident management. By giving security personnel precise, high-confidence starting points and comprehensive evidence, DoCs empower teams to focus their expertise on genuine threats, significantly enhancing the efficiency and effectiveness of modern cybersecurity operations.
Further Reading
For a more in-depth understanding, read our full Tech Brief on Declarations of Compromise and Declarations of Policy Violations on our website: https://www.stamus-networks.com/hubfs/Library/Documents%20(PDFs)/StamusNetworks-TB-FILTERS-072025-1.pdf
To learn how analysts can pivot from a DoC to a complete package of evidence in two clicks, read the blog post “Two Clicks to Evidence”: https://www.stamus-networks.com/blog/reduce-mean-time-to-detection-2-clicks-to-evidence-with-clear-ndr
To understand how Clear NDR can dramatically reduce the costs associated with retaining network forensic evidence, read these two docs:
- Optimizing Clear NDR™ Storage with Conditional Logging - https://www.stamus-networks.com/hubfs/Library/Documents%20(PDFs)/StamusNetworks-TB-CONDITIONAL-LOG-042025-1.pdf
- Reduce the Costs of SIEM Data Retention with Clear NDR™ - https://www.stamus-networks.com/hubfs/Library/Documents%20(PDFs)/StamusNetworks-TB-CUT-SIEM-INGEST-042025-1.pdf