[DxBP] Part 3 - Detection Engineering Process Best Practices
Detection Engineering is not only about having the technical skills to understand attacks and build detections for them. The supporting process, as with any engineering effort, is as important as the technical skills needed.
Process
Validate
Regular checks
Review failed detections
Awesome! You have implemented all the best practices, but some of your detections never return the results you would expect. The cause may simply be that the rule never completes because of an error; review these failed runs periodically.
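One way to make that periodic review routine is to run a small health check over the SIEM's rule execution history instead of inspecting each rule by hand. The following is an added example (not tooling from the original post). It assumes the SIEM can export one record per scheduled rule run with the hypothetical fields `rule`, `started`, `status` and `error`; the records below are constructed, and the field names are an assumption, not any product's real schema. It flags three failure modes: a rule whose every run failed (it has never produced results), a rule with intermittent failures such as timeouts, and a rule that has not run at all recently.

```python
"""Periodic review of detection rule runs (added example, not from the original post).

Assumes a SIEM export with one record per scheduled rule execution carrying the
hypothetical fields: rule, started (ISO 8601), status ("ok" or a failure kind)
and error. The records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; field names are an assumption, not a real SIEM schema.
RUNS = [
    {"rule": "suspicious_lsass_access", "started": "2024-05-01T00:00:00", "status": "ok", "error": None},
    {"rule": "suspicious_lsass_access", "started": "2024-05-02T00:00:00", "status": "ok", "error": None},
    {"rule": "rare_parent_child_proc", "started": "2024-05-01T00:00:00", "status": "error",
     "error": "field 'parent_name' not found"},
    {"rule": "rare_parent_child_proc", "started": "2024-05-02T00:00:00", "status": "error",
     "error": "field 'parent_name' not found"},
    {"rule": "kerberoast_volume", "started": "2024-05-01T00:00:00", "status": "timeout", "error": "exceeded 300s"},
    {"rule": "kerberoast_volume", "started": "2024-05-02T00:00:00", "status": "ok", "error": None},
    {"rule": "new_admin_account", "started": "2024-04-20T00:00:00", "status": "ok", "error": None},
]

# Fixed "current time" so the constructed sample gives a reproducible report.
NOW = datetime(2024, 5, 3)


def review_runs(runs, now, stale_after=timedelta(days=7)):
    """Return {rule: [reasons]} for every rule whose runs need attention."""
    by_rule = defaultdict(list)
    for r in runs:
        by_rule[r["rule"]].append(r)

    findings = {}
    for rule, rs in by_rule.items():
        rs.sort(key=lambda r: r["started"])
        reasons = []
        failed = [r for r in rs if r["status"] != "ok"]
        if failed and len(failed) == len(rs):
            # Every recorded run failed: the rule has never produced a result.
            reasons.append(f"all {len(rs)} runs failed: {rs[-1]['error']}")
        elif failed:
            # Intermittent failures (timeouts, transient errors) silently create gaps in coverage.
            kinds = ", ".join(sorted({r["status"] for r in failed}))
            reasons.append(f"{len(failed)}/{len(rs)} runs failed ({kinds})")
        last = datetime.fromisoformat(rs[-1]["started"])
        if now - last > stale_after:
            # No execution at all for a while: the schedule itself may be broken or disabled.
            reasons.append(f"no run since {rs[-1]['started']}")
        if reasons:
            findings[rule] = reasons
    return findings


def findings():
    """Run the review over the constructed export at the fixed reference time."""
    return review_runs(RUNS, NOW)


if __name__ == "__main__":
    for rule, reasons in findings().items():
        print(f"{rule}: {'; '.join(reasons)}")
```

A rule that appears in the first category is the case the text describes: it looks deployed and healthy in the rule inventory, yet it has never returned anything. Wiring a report like this into a weekly ticket keeps that review from depending on someone remembering to look.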
Detection Output
Building a good detection is one thing; having analysts who know how to respond to its output is another. Be aware that you know the ins and outs of that detection: this knowledge should be translated for analysts so they can respond to and contain the incident accurately.
Risk Reward Ratio
Detection as code
Agile Detections
Detections are agile objects: they can be changed based on new intelligence, false positives, incident response investigations and many other reasons. Having a detection as a static object would result in
Static detections are not valuable, as they are prone to change.
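Keeping detections as code lets the two points above, analyst-facing output and change tracking, be enforced automatically rather than by convention. The following is an added example, not the post's own tooling: a linter over rules stored as plain dictionaries with a hypothetical schema (the field names `description`, `triage_steps`, `false_positives`, `version`, `changelog` and so on are assumptions, and both rules are constructed). It rejects a rule that ships a query without the context an analyst needs to act on the alert, and a rule that cannot be traced through its changes.

```python
"""Lint detections kept as code for analyst-facing and change-tracking metadata.

Added example, not tooling from the original post. The schema is hypothetical:
each rule is a dict and the field names below are assumptions chosen to
illustrate the point, not any real detection framework's format.
"""

# What the responding analyst needs in order to act on the alert (assumed schema).
ANALYST_FIELDS = ("description", "severity", "triage_steps", "false_positives")
# What makes the rule an agile, versioned object rather than a static one (assumed schema).
CHANGE_FIELDS = ("version", "author", "changelog")
SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed sample rules: one complete, one that is only a query.
RULES = [
    {
        "name": "suspicious_lsass_access",
        "query": "process.target == 'lsass.exe' and access_mask & 0x1010",
        "description": "A process outside the allowlist opened LSASS with read rights, a credential-dumping precursor.",
        "severity": "high",
        "triage_steps": [
            "Identify the source process, its parent and its signer",
            "Check whether the host runs a known EDR or backup agent that reads LSASS",
            "Isolate the host if the process is unsigned or unknown",
        ],
        "false_positives": ["Security agents and backup software open LSASS legitimately"],
        "version": 3,
        "author": "detection-team",
        "changelog": ["v3: excluded a known security agent after false-positive review"],
    },
    {
        "name": "rare_parent_child_proc",
        "query": "parent.name == 'winword.exe' and process.name in ('cmd.exe', 'powershell.exe')",
        "severity": "medium",
        "version": 1,
    },
]


def lint_rule(rule):
    """Return a list of problems for one rule; empty means the rule passes."""
    problems = []
    for field in ANALYST_FIELDS:
        # Missing or empty (e.g. an empty triage list) both leave the analyst without guidance.
        if not rule.get(field):
            problems.append(f"missing analyst field '{field}'")
    severity = rule.get("severity")
    if severity and severity not in SEVERITIES:
        problems.append(f"unknown severity '{severity}'")
    for field in CHANGE_FIELDS:
        if field not in rule:
            problems.append(f"missing change-tracking field '{field}'")
    return problems


def lint_rules(rules):
    """Map rule name to its problems, for the rules that have any."""
    report = {}
    for rule in rules:
        problems = lint_rule(rule)
        if problems:
            report[rule["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in lint_rules(RULES).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run as a pre-merge check in the detection repository, a linter like this turns "translate the detection for analysts" and "track why the rule changed" from good intentions into a gate that a rule cannot pass without them.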