Detection Engineering Resources - Part 2
A second collection of resources to help on the journey to Detection Engineering
I’ve had a couple of people ask me for more information about Detection Engineering since my previous post on it, as well as after my presentation at a local Cybersecurity Meetup. Since it seems like there is interest, I went ahead and put together a second collection of resources that hopefully others may find interesting and/or helpful.
In case you missed Part 1, you can find it here:
Detection Engineering Resources
Cybersecurity has a wide range of disciplines and specializations. I’ve been lucky enough in my career to gain experience and get a taste of many of these different areas. The cybersecurity discipline that has been at the top of my mind and piqued my interest the most over the past couple of years has been Detection Engineering.
Industry Frameworks
Snowflake shared their internal Detection Development Lifecycle and I’d say most organizations with Detection Engineering programs are doing something very similar (if not the same). The same can be stated for Palantir’s Alerting and Detection Strategy Framework. I highly recommend giving both of these a read:
Detection Development Lifecycle
Alerting and Detection Strategies Framework
Existing Detection Repositories
Many people are interested in seeing Detection Content examples and/or borrowing some from existing sources. Good news: there are excellent repositories for both Elastic and Splunk to look through:
Additionally, I’ve talked about Sigma before, but it’s a great vendor-neutral source to find Detection Content:
Detection-as-Code
This skews more towards the advanced side of the topic, but here are some references that I think are great at conveying the concept in a simple way:
Can We Have “Detection as Code”?
From soup to nuts: Building a Detection-as-Code pipeline
Getting Started with Detection-as-Code and Chronicle Security Operations
Here is a Presentation that might be more digestible:
Testing Detections
One of the most important Phases of the Detection Development Lifecycle is the Testing of a rule/detection. During this Phase, the idea is to perform a test to make sure the rule/detection works as expected. Thankfully, there are open-source Adversary Emulation tools available to make this easy:
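To make the Testing phase concrete (and to show how it fits a Detection-as-Code workflow), here is an added example that is not from the post or any of the linked projects: a constructed Sigma-style rule for encoded PowerShell command lines, a small matcher for the subset of Sigma it uses, and unit tests built from constructed events that stand in for what an emulation tool and benign activity would log. The rule, the allowlisted agent path and the events are all assumptions made for this example.

```python
"""Unit-test a minimal Sigma-style rule against constructed log events.

Only a subset of Sigma is implemented: exact field match, the
|contains / |startswith / |endswith modifiers, list values (OR), and the
condition 'selection and not filter'. Matching is case-insensitive, as in Sigma.
"""

# Constructed rule for this example (not one of the page's linked rule sets).
RULE = {
    "title": "Encoded PowerShell command line",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-encodedcommand", "-enc "],
        },
        # Hypothetical allowlisted management agent; the path is a placeholder.
        "filter": {"ParentImage|endswith": "\\approved_mgmt_agent.exe"},
        "condition": "selection and not filter",
    },
}

def _field_matches(event, key, expected):
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [expected] if isinstance(expected, str) else expected
    for w in (s.lower() for s in wanted):          # list values are OR-ed
        hit = {"contains": w in value,
               "startswith": value.startswith(w),
               "endswith": value.endswith(w)}.get(modifier, value == w)
        if hit:
            return True
    return False

def _block_matches(event, block):
    # Every field in a selection block must hold (implicit AND).
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("only 'selection and not filter' is supported")
    return _block_matches(event, det["selection"]) and not _block_matches(event, det["filter"])

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEST_CASES = [  # constructed events: (name, event, should the rule fire?)
    ("TP: encoded command spawned by Office", {"Image": PS, "ParentImage": "C:\\...\\WINWORD.EXE",
     "CommandLine": "powershell -EncodedCommand <base64>"}, True),
    ("TN: '-Encoding' must not match '-enc '", {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell Get-Content x -Encoding UTF8"}, False),
    ("TN: allowlisted parent is filtered", {"Image": PS, "ParentImage": "C:\\Agent\\approved_mgmt_agent.exe",
     "CommandLine": "powershell -enc <base64>"}, False),
]

def run_tests(rule=RULE, cases=TEST_CASES):
    """Return {case name: passed}; any False means the rule needs rework before deployment."""
    return {name: rule_matches(rule, ev) is expected for name, ev, expected in cases}
```

Run `run_tests()` in a CI job so a rule change that silently breaks a true positive, or starts firing on the benign `-Encoding` case, fails the pipeline rather than reaching production.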
Maturity Matrix
Do you love a good Maturity Matrix? If so, you should enjoy this one focused on Measuring Detection Engineering Programs:
Detection Engineering Maturity Matrix
Conclusion
Hopefully you find these resources helpful/useful. Feel free to add additional resources in the comments. Thanks!