Detection Engineering Extension - How it Works
The extension equips detection engineers with the tools they need to identify and refine detections, supporting continuous improvement and optimal performance of a SOC's detection capabilities. It also serves as a centralized system of record, maintaining an up-to-date overview of the organization's detection posture. Additionally, the solution tightens the feedback loop between analysts and detection engineering by streamlining the collection of detailed feedback directly into the Detection Library application.

Detection Engineering Guided Process Workflow

After you install the Detection Engineering extension, go to the Application Records and click next to the Detection Library; a workflow to create a new record is displayed. From the New Record window, select the desired flow for the Detection Library. The guided workflow is the recommended option.

The Guided Process widget provides step-by-step guidance on the recommended stages a detection engineer should think through, covering the entire process:

1. Determine a threat model
2. Define scope
3. Determine required log sources
4. Design detection
5. Test detection logic
6. Optimize detection logic
7. Stage detection
8. Craft detection runbook
9. Deploy to production

Fill in all the fields and check the Mark as Complete checkbox to save the record.

The Detection Feedback tab tracks how often this detection has been resurfaced and records comments from SOC analysts to detection engineers for future iterations and improvements of the detection. Click a record to view the feedback provided by the SOC analyst. You can also add notes as additional research.

Click the Support tab for additional guidance on the stage at which the guided process was last reviewed.

Detection Library Analyst Feedback

The Detection Library Feedback applet is triggered when the status is set to Resolved. A SOC analyst can select one of the out-of-the-box detection closure codes from the drop-down. Toggling Request for Review triggers an additional workflow: if no detection is found, a new Detection Library record is created; if an existing detection is found, that Detection Library record is returned. In this example, no detection is found, and a new detection record is created upon submitting the feedback.

Clicking the Closure Code Explanation Table checkbox expands the text explaining the table of available closure codes. The closure codes are provided as a best practice and can be modified as necessary.

Empty feedback throws an error; make sure the Detection Feedback text box is filled in.

Detection Engineering Dashboard

The Detection Engineering dashboard provides useful metrics for SOC leadership. You can navigate to the dashboard from the Dashboards tab.