Understanding data sources and telemetry
Covering all potential data sources in a corporate environment or even going into depth on each of the major ones is not feasible given the number of data sources present in an organization’s infrastructure. As such, this section will highlight the major data sources and provide a brief explanation of their relevance to detection engineering.
We are going to look at two different types of sources of data for detection engineering. The first is going to be raw telemetry. These are unprocessed logs that simply state an event occurred, without a determination on whether it is malicious or not. This is going to be our focus with detection engineering as we can use these raw events to identify malicious activity without relying on an existing security solution’s detection capabilities. The second type of data source that we’ll briefly discuss is security tooling. Data from security tooling primarily focuses on processed events...