Summary
In this chapter, we learned how to identify the metrics and data sources required for monitoring the health and performance of detections running upstream or downstream of the SIEM. We also explored some of the metrics provided by at least one SIEM vendor to locate and prioritize the detections that need tuning. After examining dashboards, we created a potential automation using a SOAR platform to respond automatically to a very noisy detection.
The upcoming chapter moves on to a program-level, strategic view of measuring the boundaries of success for a detection engineering program. We'll explore how to leverage Agile and Scrum workflows to create and report on critical metrics.