What this book covers
Chapter 1, Detection as Code Architecture and Lifecycle, reviews detection lifecycle concepts and plans which practical aspects of a detection engineering program can be automated. It also covers what detection as code (DAC) means in practice and what it requires.
Chapter 2, Scoping and Automating Threat-Informed Defense Inputs, provides the concepts needed to narrow down and prioritize threat indicators so that a detection engineering team can focus its resources. The chapter uses technical labs to parse indicators of compromise (IOCs) and ingest them into common security tools.
Chapter 3, Developing Core CI/CD Pipeline Functions, gives a brief introduction to DevOps workflow patterns using common Git-based tools. The chapter includes multiple labs that deploy use cases in an automated and controlled manner using pipelines and repositories.
Chapter 4, Leveraging AI for Use Case Development, provides examples and ideas for using large language models (LLMs) to augment use case development, including tuning and prompt engineering practices. Hands-on labs apply LLMs to several areas of use case development.
Chapter 5, Implementing Logical Unit Tests, provides an overview of code linting and use case validation within a CI/CD pipeline. The chapter includes multiple hands-on labs that validate use case metadata and taxonomy and test detection logic against sample data.
Chapter 6, Creating Integration Tests, extends validation testing to a "live fire" infrastructure that is set up in technical labs. The chapter also covers CI/CD pipeline branching strategies and custom payload-based tests.
Chapter 7, Leveraging AI for Testing, complements validation testing by using LLMs in the CI/CD pipeline to run synthesized tests when conventional unit or integration testing is not practical. The chapter also covers how to evaluate the return on investment and whether AI-based validation suits an organization's needs.
Chapter 8, Monitoring Detection Health, explains which metrics are needed to track detection performance and the impact detections have on the security information and event management (SIEM) platform. The chapter also includes hands-on labs that explore useful metrics in dashboards and an example of auto-tuning with security orchestration, automation, and response (SOAR).
Chapter 9, Measuring Program Efficiency, provides examples of useful tactical and strategic program-level key performance indicators (KPIs) and shows where to find the data that populates them. The chapter draws on multiple examples from SIEMs and workflow management solutions to present metrics in a meaningful way.
Chapter 10, Operating Patterns by Maturity, describes maturity patterns that serve as a baseline an organization can phase in according to its readiness. The chapter covers foundational, intermediate, and advanced phases, including technical requirements, approaches, and cost estimates.