This article discusses a structured methodology for building detection rules within a CI/CD pipeline, highlighting the steps for scalability and sustainability in detection engineering. Key points include the importance of metadata, a validation framework, and automated CI/CD practices. Affected: Sekoia.io, detection engineering practices, DevOps sector
Keypoints :
- Detection engineering requires careful attention and expertise to align with developer practices.
- Detection rules are composed of metadata and detection patterns, with Sigma in YAML format being used at Sekoia.io.
- Complex detection rules are avoided for better manageability, focusing instead on TTPs.
- Documentation of the Alerting and Detection Strategy is crucial for validation and false positive management.
- Continuous integration and versioning are essential for sustainable detection engineering processes.
- Automated tests validate the syntax, logic, and effectiveness of detection rules throughout the CI/CD pipeline.
- Automated generation of documentation ensures that users are informed of detection rule compatibility and updates.
MITRE Techniques :
- Detection Rule Creation (T1593)
- Alerting and Detection Strategy Framework (T1590)
- Continuous Testing (T1595)
- Version Control in CI/CD (T1592)
Indicator of Compromise :
- URL http://malicious.com/path
- Domain malicious.com
- IP Address 192.168.1.1
- Email Address attacker@example.com
- SHA-256: 8E3BCEB396190D0DDAB5D28CBB5CC4071D364309D08D8D1B724672672E98DAAB
Full Story: https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-two/