Detection Engineering

Detection Engineering — In Development

Detection Engineering is an active area of development within this Cyber Threat Intelligence Lab. I am currently studying Practical Detection Engineering and building the foundation for future detection artifacts that connect threat investigations, ATT&CK mapping, telemetry analysis, and defensible detection logic.

Current Status

  • Studying Practical Detection Engineering.
  • Building foundational knowledge in threat-informed detection development.
  • Learning how to translate attacker behavior and investigation findings into detection logic.
  • Preparing to publish only artifacts that can be explained, tested, and defended.

Future Portfolio

What this section will include

As the capability matures, this section will grow into a portfolio of defensible detection artifacts. Planned content types:

  • Sigma Rules: Portable detection signatures mapped to adversary techniques.
  • KQL Detections: Detection and hunting queries for endpoint and network telemetry.
  • YARA Rules: Pattern-based detection for files and malware artifacts.
  • Detection Validation Reports: Evidence that a detection fires on true positives and survives testing.
  • Threat-Informed Detection Case Studies: Detections derived from documented investigation findings.
  • ATT&CK-Mapped Detection Logic: Coverage tied explicitly to MITRE ATT&CK techniques.
  • False Positive Analysis: Documented tuning, noise considerations, and limitations for each rule.
  • Detection Coverage Notes: Where coverage exists, where gaps remain, and why.

Method

Future detection workflow

This is the workflow I intend to follow for published detections — the intended future process, not a claim that completed detections already exist.

  1. Investigation or threat scenario
  2. ATT&CK mapping
  3. Telemetry requirement
  4. Detection logic
  5. Rule implementation
  6. Validation
  7. False-positive review
  8. Documentation
  9. Publication
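As an added illustration of steps 3 to 7 of this workflow (telemetry requirement, detection logic, rule implementation, validation, false-positive review), and not one of the lab's own detections: a Sigma-style rule for an Office application spawning a command interpreter, a minimal evaluator for the Sigma field modifiers that rule uses, and a validation run over constructed process-creation events. The rule, the ATT&CK mapping chosen for it, the sample events, and the add-in exclusion path are all constructed for this example; the evaluator supports only the single `selection and not filter` condition shape the rule needs.

```python
"""Added illustration of the intended workflow (telemetry requirement ->
detection logic -> rule implementation -> validation -> false-positive review).
Not one of the lab's own detections; every event below is constructed."""

# Sigma-style rule, reduced to the subset this evaluator understands:
# "Field|modifier" keys are AND'd, the values listed under one key are OR'd.
RULE = {
    "title": "Office application spawning a command interpreter (illustrative)",
    "attack": ["T1059.001"],  # ATT&CK: Command and Scripting Interpreter: PowerShell
    # Telemetry requirement (workflow step 3): the rule cannot fire without these fields.
    "telemetry": "process-creation events carrying ParentImage, Image and CommandLine "
                 "(for example Sysmon Event ID 1)",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
        },
        # False-positive tuning (workflow step 7): an exclusion for a vetted add-in.
        # The path is a constructed placeholder, not a real product path.
        "filter": {"CommandLine|contains": ["\\Example-VettedAddin\\"]},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Approved add-ins or macros that legitimately launch scripts"],
}


def _value_matches(actual, modifier, expected):
    """Case-insensitive comparison for the Sigma modifiers used above."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    return a == e  # no modifier: exact match


def selection_matches(selection, event):
    """Every key must match (AND); any listed value may match (OR).
    A field missing from the event never matches, so telemetry gaps fail closed."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None or not any(_value_matches(actual, modifier, v) for v in values):
            return False
    return True


def rule_fires(rule, event):
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise NotImplementedError("only 'selection and not filter' is supported here")
    return selection_matches(det["selection"], event) and not selection_matches(det["filter"], event)


def ev(parent, image, cmd):
    """Build a constructed process-creation event; parent=None simulates a missing field."""
    e = {"Image": image, "CommandLine": cmd}
    if parent is not None:
        e["ParentImage"] = parent
    return e


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed sample telemetry. Labels: "tp" = should fire, "benign" = must not fire,
# "fp_known" = matches the raw selection but is tuned out by the filter.
EVENTS = [
    ("tp", ev(OFFICE + "WINWORD.EXE", PS, "powershell.exe -w hidden -File C:\\Users\\Public\\doc_helper.ps1")),
    ("tp", ev(OFFICE + "EXCEL.EXE", CMD, "cmd.exe /c start C:\\Users\\Public\\report.bat")),
    ("benign", ev("C:\\Windows\\explorer.exe", PS, "powershell.exe")),
    ("benign", ev(OFFICE + "WINWORD.EXE", "C:\\Windows\\splwow64.exe", "splwow64.exe 12288")),
    ("benign", ev(None, CMD, "cmd.exe /c whoami")),  # ParentImage absent: telemetry gap, fails closed
    ("fp_known", ev(OFFICE + "WINWORD.EXE", PS, "powershell.exe -File C:\\ProgramData\\Example-VettedAddin\\sync.ps1")),
]


def validate(rule, labelled_events):
    """Counts a validation report needs: does the rule fire on every true positive,
    stay quiet on benign events, and does the tuning filter suppress the known false positive?"""
    counts = {"tp_total": 0, "tp_detected": 0, "benign_flagged": 0, "fp_known_suppressed": 0}
    for label, event in labelled_events:
        fired = rule_fires(rule, event)
        if label == "tp":
            counts["tp_total"] += 1
            counts["tp_detected"] += fired
        elif label == "benign":
            counts["benign_flagged"] += fired
        elif label == "fp_known":
            counts["fp_known_suppressed"] += (not fired)
    counts["passes"] = (counts["tp_detected"] == counts["tp_total"]
                        and counts["benign_flagged"] == 0)
    return counts


def validation_report(rule, counts):
    """Plain-text summary in the shape of a validation report entry (workflow step 8)."""
    return (f"{rule['title']} [{', '.join(rule['attack'])}]\n"
            f"  telemetry required: {rule['telemetry']}\n"
            f"  true positives: {counts['tp_detected']}/{counts['tp_total']}  "
            f"benign flagged: {counts['benign_flagged']}  "
            f"known FPs suppressed: {counts['fp_known_suppressed']}\n"
            f"  result: {'PASS' if counts['passes'] else 'FAIL'}")


if __name__ == "__main__":
    print(validation_report(RULE, validate(RULE, EVENTS)))
```

The point of the labelled event set is that a validation report has to show three things at once: the rule fires on every true positive, it stays silent on benign events that share some but not all of the rule's fields, and each tuning exclusion is backed by a recorded event it suppresses. The event with no ParentImage field illustrates why the telemetry requirement is written down before the logic: the evaluator fails closed on a missing field, so a collection gap shows up as a miss in validation rather than as a silent blind spot in production.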

Investigations → Detections

Relationship to investigations

As this lab develops, selected investigations may later produce corresponding detection artifacts. Those detections will only be published when the logic, assumptions, telemetry requirements, validation steps, and limitations can be clearly documented.

No production-ready detections are published yet. This page exists to document the direction of the work honestly — Detection Engineering is a capability in progress, not a completed portfolio.