Detection Engineering

advanced45 minWriteup

Building effective detection rules

Learning Objectives

  • Write effective detection rules
  • Use Sigma for portable rules
  • Reduce false positives
  • Test detection coverage

Detection Engineering is the discipline of creating, testing, and maintaining detection rules that identify threats. It's not enough to have a SIEM - you need rules that actually catch attacks while minimizing false positives. Good detection engineering is both art and science.

Think of detection engineering like setting up a home security system. You don't just install sensors everywhere - you strategically place them where intruders are likely to pass, tune sensitivity so your cat doesn't trigger alarms, and test that they actually work before you need them.

The Detection Gap

Most organizations have detection gaps - attack techniques with no rules to catch them. Detection engineering systematically closes these gaps by mapping coverage to frameworks like MITRE ATT&CK.

Sigma - Universal Detection Language

yaml
1606070;"># Sigma - Generic Detection Rule Format
2606070;"># Converts to Splunk SPL, Elastic KQL, QRadar, etc.
3 
4title: Encoded PowerShell Command Line
5id: 5c6c5e42-7e4d-4c84-8b6a-4a8b8c8d8e8f
6status: production
7description: Detects encoded PowerShell commands which are often used by malware
8author: Your Name
9date: 2024/07/15
10modified: 2024/07/15
11 
12logsource:
13    category: process_creation
14    product: windows
15 
16detection:
17    selection:
18        CommandLine|contains:
19            - 606070;">#a5d6ff;">'-EncodedCommand'
20            - 606070;">#a5d6ff;">'-enc'
21            - 606070;">#a5d6ff;">'-ec'
22        Image|endswith: 606070;">#a5d6ff;">'\powershell.exe'
23    condition: selection
24 
25falsepositives:
26    - Legitimate administrative scripts
27    - Software installers
28 
29level: medium
30 
31tags:
32    - attack.execution
33    - attack.t1059.001
bash
1606070;"># Converting Sigma rules to SIEM queries
2 
3606070;"># Install sigma-cli
4pip install sigma-cli
5 
6606070;"># Convert to Splunk
7sigma convert -t splunk rule.yml
8606070;"># Output: CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*"
9 
10606070;"># Convert to Elastic
11sigma convert -t elasticsearch rule.yml
12606070;"># Output: process.command_line:*-EncodedCommand*
13 
14606070;"># Convert to QRadar
15sigma convert -t qradar rule.yml
16 
17606070;"># Batch convert entire directory
18sigma convert -t splunk -r ./rules/ > splunk_rules.txt
19 
20606070;"># sigmac (legacy - still widely used)
21sigmac -t splunk -c splunk-windows rule.yml

SigmaHQ Repository

The SigmaHQ repository (github.com/SigmaHQ/sigma) contains thousands of community-contributed detection rules. Start here before writing your own - someone may have already solved your problem!

Detection Rule Design

1Detection Rule Design Principles:
2 
31. START WITH THE ATTACK
4─────────────────────────────────────────────────────────────────
5What technique are you detecting?
6├── Map to MITRE ATT&CK
7├── Understand how attack works
8├── Know what artifacts it leaves
9└── Consider variations attackers might use
10 
112. CHOOSE YOUR DATA SOURCE
12─────────────────────────────────────────────────────────────────
13What logs capture this activity?
14├── Process creation (Sysmon 1, Event 4688)
15├── Network connections (Sysmon 3, Firewall)
16├── File operations (Sysmon 11)
17├── Registry changes (Sysmon 12-14)
18└── Authentication (Event 4624/4625)
19 
203. DEFINE DETECTION LOGIC
21─────────────────────────────────────────────────────────────────
22What pattern indicates malicious activity?
23├── Specific strings or commands
24├── Unusual combinations (Word spawning cmd.exe)
25├── Threshold violations (10 failed logins)
26├── Anomalies (first time behavior)
27└── Sequences (A → B → C)
28 
294. CONSIDER FALSE POSITIVES
30─────────────────────────────────────────────────────────────────
31What legitimate activity looks similar?
32├── Admin tools and scripts
33├── Software installations
34├── Business applications
35├── Security tools themselves
36└── Document exceptions clearly
37 
385. DETERMINE SEVERITY
39─────────────────────────────────────────────────────────────────
40How urgent is response needed?
41├── Critical: Immediate action required
42├── High: Investigate within hours
43├── Medium: Investigate within day
44├── Low: Review when time permits
45└── Informational: Context only

Writing Effective Rules

yaml
1606070;"># Rule Quality Checklist
2 
3606070;"># GOOD RULE EXAMPLE
4title: Suspicious Process Spawned from Word
5id: good-rule-example-001
6status: test
7description: |
8    Detects when Microsoft Word spawns a suspicious child process like
9    cmd.exe or powershell.exe, which often indicates malicious macro execution.
10references:
11    - https:606070;">//attack.mitre.org/techniques/T1204/002/
12author: Detection Team
13date: 2024/07/15
14 
15logsource:
16    category: process_creation
17    product: windows
18 
19detection:
20    selection_parent:
21        ParentImage|endswith:
22            - 606070;">#a5d6ff;">'\winword.exe'
23            - 606070;">#a5d6ff;">'\excel.exe'
24            - 606070;">#a5d6ff;">'\powerpnt.exe'
25    selection_child:
26        Image|endswith:
27            - 606070;">#a5d6ff;">'\cmd.exe'
28            - 606070;">#a5d6ff;">'\powershell.exe'
29            - 606070;">#a5d6ff;">'\wscript.exe'
30            - 606070;">#a5d6ff;">'\cscript.exe'
31            - 606070;">#a5d6ff;">'\mshta.exe'
32    condition: selection_parent and selection_child
33 
34falsepositives:
35    - Legitimate macros that spawn processes
36    - Add-ins that use scripting
37 
38level: high
39 
40tags:
41    - attack.execution
42    - attack.t1204.002
43    - attack.t1059
1Common Rule Anti-Patterns (Avoid These!):
2 
3❌ TOO BROAD
4─────────────────────────────────────────────────────────────────
5606070;"># Detects PowerShell execution
6Image|endswith: 606070;">#a5d6ff;">'\powershell.exe'
7606070;"># Problem: Fires constantly, too many FPs
8 
9❌ TOO NARROW
10─────────────────────────────────────────────────────────────────
11606070;"># Detects exact malware hash
12FileHash: d41d8cd98f00b204e9800998ecf8427e
13606070;"># Problem: Trivially evaded by recompiling
14 
15❌ NO CONTEXT
16─────────────────────────────────────────────────────────────────
17606070;"># Alert
18CommandLine|contains: 606070;">#a5d6ff;">'password'
19606070;"># Problem: No indication why this is suspicious
20 
21❌ RESOURCE INTENSIVE
22─────────────────────────────────────────────────────────────────
23606070;"># Check all events against list of 50,000 IOCs
24606070;"># Problem: Crushes SIEM performance
25 
26✓ BALANCED APPROACH
27─────────────────────────────────────────────────────────────────
28606070;"># Combine multiple indicators for precision
29ParentImage: outlook.exe AND
30CommandLine|contains: 606070;">#a5d6ff;">'http' AND
31Image|endswith: 606070;">#a5d6ff;">'powershell.exe'

Testing Detection Rules

bash
1606070;"># Testing Detection Rules
2 
3606070;"># 1. ATOMIC RED TEAM
4606070;"># Execute specific attack techniques to trigger detections
5606070;"># https://github.com/redcanaryco/atomic-red-team
6 
7606070;"># Install
8git clone https:606070;">//github.com/redcanaryco/atomic-red-team.git
9Import-Module ./atomic-red-team/invoke-atomicredteam/Invoke-AtomicRedTeam.psm1
10 
11606070;"># List tests for a technique
12Invoke-AtomicTest T1059.001 -ShowDetails
13 
14606070;"># Run test
15Invoke-AtomicTest T1059.001 -TestNumbers 1
16 
17606070;"># Run test and check if detected
18606070;"># → Check SIEM for corresponding alert
19 
20606070;"># 2. CALDERA
21606070;"># Automated adversary emulation
22606070;"># https://github.com/mitre/caldera
23 
24606070;"># 3. DETECTION LAB
25606070;"># Pre-built lab for testing detections
26606070;"># https://detectionlab.network/
27 
28606070;"># 4. MANUAL TESTING
29606070;"># Execute technique manually, verify detection fires
30 
31606070;"># Example: Test encoded PowerShell detection
32powershell -EncodedCommand JABzAD0AIgBIAGUAbABsAG8AIgA=
33606070;"># Should trigger: "Encoded PowerShell Command Line" rule
34 
35606070;"># 5. UNIT TESTING SIGMA
36606070;"># pySigma can validate rules
37sigma check rule.yml

Test in Lab, Not Production

Always test attack simulations in isolated lab environments. Running Atomic Red Team in production can trigger EDR responses and create confusion. Use dedicated testing infrastructure.

Detection Coverage

1Measuring Detection Coverage:
2 
3MITRE ATT&CK COVERAGE MATRIX
4─────────────────────────────────────────────────────────────────
5Use ATT&CK Navigator to visualize:
6├── Green: Technique detected with high confidence
7├── Yellow: Partial detection or high FP rate
8├── Red: No detection capability
9└── Update as you add/improve rules
10 
11COVERAGE ASSESSMENT PROCESS
12─────────────────────────────────────────────────────────────────
131. List all detection rules
142. Map each rule to ATT&CK techniques
153. Identify gaps (undetected techniques)
164. Prioritize based on threat relevance
175. Develop rules for highest-priority gaps
186. Test and validate new rules
197. Repeat continuously
20 
21PRIORITIZING COVERAGE
22─────────────────────────────────────────────────────────────────
23Consider:
24├── What threat actors target your industry?
25├── What techniques are most common in incidents?
26├── What techniques have highest impact?
27├── What data sources do you have?
28└── What's feasible to detect vs. prevent?
29 
30High Priority Techniques:
31├── T1059 - Command and Scripting Interpreter
32├── T1053 - Scheduled Task/Job
33├── T1078 - Valid Accounts
34├── T1003 - OS Credential Dumping
35├── T1021 - Remote Services
36└── T1105 - Ingress Tool Transfer
37 
38METRICS TO TRACK
39─────────────────────────────────────────────────────────────────
40├── % of ATT&CK techniques covered
41├── Detection rules per technique
42├── Mean time to detection (MTTD)
43├── False positive rate per rule
44├── Rules without any alerts (dead rules)
45└── Time from technique disclosure to detection

Rule Tuning

1Detection Rule Tuning:
2 
3THE TUNING CYCLE
4─────────────────────────────────────────────────────────────────
5Deploy Rule → Monitor Alerts → Analyze FPs → Tune → Repeat
6 
7TUNING STRATEGIES
8─────────────────────────────────────────────────────────────────
91. ADD EXCLUSIONS
10   Original: Image contains 606070;">#a5d6ff;">'certutil'
11   Tuned: ... AND NOT User = 606070;">#a5d6ff;">'SVC_SCCM'
12 
132. NARROW CONDITIONS
14   Original: PowerShell execution
15   Tuned: PowerShell from non-standard parent
16 
173. ADD THRESHOLD
18   Original: Failed login detected
19   Tuned: Failed logins > 10 in 5 minutes
20 
214. REQUIRE ADDITIONAL INDICATORS
22   Original: CMD spawned from Office
23   Tuned: ... AND CommandLine contains 606070;">#a5d6ff;">'http'
24 
255. ADJUST SEVERITY
26   Too many alerts? Lower severity
27   Not enough visibility? Make informational
28 
29DOCUMENTING EXCEPTIONS
30─────────────────────────────────────────────────────────────────
31Always document WHY you tuned:
32├── What legitimate activity caused FP?
33├── Who approved the exception?
34├── When was exception added?
35├── Should exception be reviewed later?
36└── Is there a detection gap now?
37 
38Example Exception Record:
39Rule: Encoded PowerShell Detection
40Exception: Exclude process signed by 606070;">#a5d6ff;">"SCCM"
41Reason: SCCM client uses encoded PS for patches
42Approved by: Security Lead, 2024-07-15
43Review: Quarterly

Detection Lifecycle

1Detection Engineering Lifecycle:
2 
3PHASE 1: RESEARCH
4─────────────────────────────────────────────────────────────────
5├── Identify technique to detect
6├── Study attack mechanics
7├── Review existing detections (SigmaHQ)
8├── Determine data requirements
9└── Assess feasibility
10 
11PHASE 2: DEVELOPMENT
12─────────────────────────────────────────────────────────────────
13├── Write Sigma rule
14├── Document logic and rationale
15├── Map to ATT&CK
16├── Define severity and response
17└── Peer review
18 
19PHASE 3: TESTING
20─────────────────────────────────────────────────────────────────
21├── Test in lab environment
22├── Use Atomic Red Team or similar
23├── Verify detection triggers
24├── Check for obvious FPs
25└── Test edge cases
26 
27PHASE 4: DEPLOYMENT
28─────────────────────────────────────────────────────────────────
29├── Convert to SIEM format
30├── Deploy to staging first
31├── Monitor for unexpected volume
32├── Gradual production rollout
33└── Alert SOC team
34 
35PHASE 5: OPERATIONS
36─────────────────────────────────────────────────────────────────
37├── Monitor alert volume
38├── Analyze false positives
39├── Tune as needed
40├── Track detection rate
41└── Gather SOC feedback
42 
43PHASE 6: RETIREMENT
44─────────────────────────────────────────────────────────────────
45├── Rule no longer relevant?
46├── Covered by another rule?
47├── Permanently disabled?
48├── Document reason for retirement
49└── Archive for future reference

Detection Engineering Methodology

Creating a Detection Rule

1
ResearchStudy the attack technique and its artifacts
2
Identify DataDetermine which logs capture the activity
3
Write RuleCreate Sigma rule with clear logic
4
TestValidate using attack simulation tools
5
DeployConvert and deploy to production SIEM
6
MonitorTrack alerts and false positive rate
7
TuneRefine based on real-world feedback

Knowledge Check

Quick Quiz
Question 1 of 3

What is Sigma?

Challenges

Write a Sigma Rule

Challenge
💀 advanced

Write a Sigma rule to detect when cmd.exe or powershell.exe is spawned by a Microsoft Office application (Word, Excel, PowerPoint). This indicates potential malicious macro execution.

Need a hint? (4 available)

Key Takeaways

  • Sigma is the universal language for detection rules
  • Good rules balance precision (catch attacks) with low false positives
  • Test rules with Atomic Red Team before deploying to production
  • Map coverage to MITRE ATT&CK to identify gaps
  • Tuning is continuous - monitor and refine based on real alerts
  • Document exceptions and reasons for tuning decisions