All articles
GUIDE · 6 min read

Detection Engineering 101

A good detection is high-fidelity, well-documented and tied to a real adversary technique. A bad one is a paste from a blog. Here's the workflow we use to build the first kind.

Start from the technique

Pick a MITRE ATT&CK sub-technique. Read the threat-intel reporting. Understand what the telemetry actually looks like.

Write, test, tune

Draft the rule, run it against historical logs, measure noise, tune until precision is acceptable. Document the why.

  • Detection name + ATT&CK ID
  • Data source + log fields used
  • False-positive notes and tuning history

Test continuously

Use Atomic Red Team or Caldera to fire the technique on a schedule. If your detection breaks, you find out — before the adversary does.

Tools mentioned

SigmaSplunkSentinelAtomic Red TeamCaldera
⟩ takeaway

Detection engineering is software engineering. Version control, tests and code review apply.

⟩ keep reading

Related articles