Detection Engineering
The discipline of designing, building, and validating detection rules and systems to identify malicious activity in networks and systems.
Definition
Detection Engineering is the systematic process of creating, testing, and maintaining detection rules that identify malicious or suspicious activity. Rather than relying on analysts to spot attacks by hand, detection engineers write queries and rules that flag threats automatically, and treat those rules like code: versioned, tested, and tuned.
Modern detection engineering is commonly organized around MITRE ATT&CK, mapping each rule to the specific tactics and techniques adversaries use.
Key Principles
Assume-Breach Mentality
- Assume prevention will fail and attackers will get in
- Focus on detecting what they do after entry
- Design rules for post-compromise techniques such as T1021 Remote Services (lateral movement) and T1005 Data from Local System (collection)
Evidence-Based
- Build rules around behaviour that is actually observable in telemetry (process creation, authentication, network, and cloud audit logs), not only static indicators of compromise
- Rules must be testable against real security logs, including the exact fields the rule matches on
- Validate rules against historical incidents and, where possible, against replayed attack activity
False Positive Management
- Rules that trigger too often are ignored
- Balance detection sensitivity with false positives
- Tune rules continuously
Methodology
- Map threats to ATT&CK techniques
- Identify how each technique manifests in logs
- Write rules targeting specific techniques
- Validate against historical data
- Deploy and monitor
Detection Rule Example
Technique: T1087 (Account Discovery)
Observable: Repeated account enumeration commands (net user, net group, net localgroup) executed on a single host within a short period, visible in process creation logs such as Windows Security Event ID 4688 or Sysmon Event ID 1
Rule: Alert when a single host records more than 10 net user or net group executions within 5 minutes
This detects the discovery (reconnaissance) phase of an intrusion before lateral movement or data theft occurs. The threshold exists for false positive management: an administrator looking up one or two accounts by hand should not fire the rule, while a script or an attacker enumerating the domain will.
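The methodology above (map the technique, identify how it manifests in logs, write the rule, validate against data) carried through for the T1087 rule, as an added example that is not part of the original page. It assumes Sysmon EventID 1 process-creation records already parsed into dicts with Computer, User, UtcTime and CommandLine fields; the sample events, the hostnames, the user names and the allowlisted service account are all constructed for illustration.

```python
"""Sliding-window detection for T1087 Account Discovery over process-creation events.

Added example, not from the original page. Field names follow Sysmon EventID 1
(Computer, User, UtcTime, CommandLine); the events below are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # alert when MORE than this many commands are seen ...
WINDOW = timedelta(minutes=5)   # ... within any window of this length on one host

# How T1087 manifests in process-creation logs: the command lines attackers run.
DISCOVERY_PATTERNS = (
    "net user", "net group", "net localgroup", "net1 user",
    "dsquery user", "get-aduser", "get-localuser",
)

# Tuning allowlist (assumption for this example): an inventory service account
# that legitimately enumerates accounts on a schedule and would otherwise alert daily.
ALLOWLIST_USERS = {"CORP\\svc-inventory"}


def is_account_discovery(event):
    """True when the process command line matches a T1087 discovery pattern."""
    cmd = event.get("CommandLine", "").lower()
    return any(p in cmd for p in DISCOVERY_PATTERNS)


def detect_account_discovery(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per host whose discovery-command count exceeds
    `threshold` inside any sliding `window`. Events need not arrive sorted."""
    per_host = defaultdict(deque)   # host -> timestamps of matching events still in window
    alerted_hosts = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_account_discovery(ev) or ev["User"] in ALLOWLIST_USERS:
            continue
        host = ev["Computer"]
        q = per_host[host]
        q.append(ev["UtcTime"])
        # Slide the window: drop timestamps older than `window` relative to the newest.
        while ev["UtcTime"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and host not in alerted_hosts:
            alerted_hosts.add(host)   # one alert per host, not one per extra command
            alerts.append({
                "technique": "T1087",
                "host": host,
                "user": ev["User"],
                "count": len(q),
                "window_end": ev["UtcTime"].isoformat(),
            })
    return alerts


def _make_events(host, user, commands, start, spacing):
    """Construct Sysmon EventID 1 style records (sample data, not real logs)."""
    return [
        {"EventID": 1, "Computer": host, "User": user,
         "UtcTime": start + i * spacing, "CommandLine": cmd}
        for i, cmd in enumerate(commands)
    ]


T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # WS01: 12 enumeration commands in under two minutes -> should alert
    _make_events("WS01", "CORP\\jdoe",
                 ["net user", "net user /domain", 'net group "Domain Admins" /domain'] * 4,
                 T0, timedelta(seconds=10))
    # WS02: two lookups by a helpdesk user -> below threshold, no alert
    + _make_events("WS02", "CORP\\helpdesk1",
                   ["net user bob /domain", "net user alice /domain"], T0, timedelta(minutes=1))
    # WS03: 12 commands spread over an hour -> never more than 10 in any 5-minute window
    + _make_events("WS03", "CORP\\asmith", ["net user /domain"] * 12, T0, timedelta(minutes=5))
    # SRV01: allowlisted inventory account -> suppressed by tuning
    + _make_events("SRV01", "CORP\\svc-inventory", ["net user /domain"] * 30, T0, timedelta(seconds=1))
    # Unrelated process creations on WS01 that the pattern must ignore
    + _make_events("WS01", "CORP\\jdoe", ["notepad.exe report.txt", "ping 10.0.0.1"],
                   T0, timedelta(seconds=5))
)

if __name__ == "__main__":
    for alert in detect_account_discovery(SAMPLE_EVENTS):
        print(alert)
```

Running it yields a single alert for WS01 (the host that crossed the threshold), nothing for the helpdesk lookups or the slow enumeration on WS03, and nothing for the allowlisted service account. In production the same logic would normally live in a SIEM correlation rule or a Sigma rule; the constructed SAMPLE_EVENTS play the role of the historical data the methodology says a rule must be validated against before deployment.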