Detection Engineering, Module 1: Foundations, Lesson 1.2 (15 min)

The Detection Lifecycle

From threat intelligence to production rules: understand the end-to-end process of creating detections.


Every detection rule goes through a lifecycle from initial concept to eventual retirement. Understanding this lifecycle is crucial for building an effective detection program.

Phase 1: Threat Intelligence

Before writing any detection, you need to understand what you're detecting. This comes from:

  • Threat Reports: APT reports, malware analysis, incident writeups
  • ATT&CK Framework: Understanding adversary tactics and techniques
  • Internal Incidents: Learning from attacks on your own organization
  • Industry Sharing: ISACs, threat feeds, peer sharing

Key Question: What specific behavior are we trying to detect?

Phase 2: Detection Design

With a clear understanding of the threat, design your detection:

  • Define the Behavior: What specific actions indicate this threat?
  • Identify Data Sources: What logs contain the evidence?
  • Consider Evasion: How might attackers avoid detection?
  • Plan for False Positives: What legitimate activity looks similar?

Key Question: What's the minimum set of conditions that reliably identifies this threat?

Phase 3: Development

Write the actual detection rule:

  • Choose the right format (SIGMA, native SIEM query, etc.)
  • Implement the detection logic
  • Write clear documentation
  • Create test cases

Key Question: Does this rule accurately capture the threat behavior?

Phase 4: Testing

Before production, validate your detection:

  • Unit Testing: Does the logic work correctly?
  • Lab Testing: Does it fire on simulated attacks?
  • Baseline Testing: What's the expected alert volume?

Key Question: Will this detection work reliably in production?
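As an added illustration of Phases 3 and 4 (example code, not part of the course), the Python below writes a small Sigma-style rule together with its test cases, then runs the unit test and the baseline-volume check over constructed events. The rule, the Sysmon-style field names (ParentImage, Image, CommandLine), the "Program Files" filter and the events are all assumptions made for the example.

```python
# Constructed rule in the spirit of a Sigma detection (not from the course):
# an Office application spawning a script interpreter, with a filter for a
# hypothetical vendor add-in that legitimately runs a script from Program Files.
RULE = {
    "title": "Office application spawning a script interpreter (constructed)",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\powershell.exe", "\\wscript.exe"],
        },
        "filter": {"CommandLine|contains": "\\Program Files\\"},
        "condition": "selection and not filter",
    },
}

def _field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier' clause; matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in ([wanted] if isinstance(wanted, str) else wanted):
        w = w.lower()
        if ((modifier == "endswith" and value.endswith(w))
                or (modifier == "contains" and w in value)
                or (modifier == "" and value == w)):
            return True
    return False

def rule_fires(rule, event):
    """Only the 'selection and not filter' condition is implemented here."""
    det = rule["detection"]
    block_hit = lambda block: all(_field_matches(event, k, v) for k, v in block.items())
    return block_hit(det["selection"]) and not block_hit(det["filter"])

# Constructed Phase 3 test cases, each paired with the verdict the rule is documented to give.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEST_CASES = [
    ({"ParentImage": OFFICE + "WINWORD.EXE", "Image": PS,
      "CommandLine": "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\inv.ps1"}, True),
    ({"ParentImage": OFFICE + "EXCEL.EXE", "Image": "C:\\Windows\\System32\\wscript.exe",
      "CommandLine": "wscript.exe \"C:\\Program Files\\Vendor\\update.vbs\""}, False),  # filtered
    ({"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS, "CommandLine": "powershell.exe"}, False),
]

def run_unit_tests(rule=RULE, cases=TEST_CASES):
    """Phase 4 unit test: the Image of every case whose verdict differs from expectation."""
    return [e["Image"] for e, expected in cases if rule_fires(rule, e) != expected]

def baseline_alert_volume(rule, events):
    """Phase 4 baseline test: how many alerts a batch of telemetry would generate."""
    return sum(1 for e in events if rule_fires(rule, e))
```

Feed `baseline_alert_volume` a day of real process-creation telemetry (rather than the three constructed events) to get the expected alert volume the Baseline Testing bullet asks for.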

Phase 5: Deployment

Push to production with care:

  • Stage in a test environment first
  • Monitor initial alert volume
  • Have a rollback plan
  • Communicate with the SOC

Key Question: Is the SOC ready to handle alerts from this detection?

Phase 6: Monitoring & Tuning

Once live, continuously improve:

  • Track true/false positive rates
  • Gather analyst feedback
  • Refine detection logic
  • Update documentation

Key Question: Is this detection providing value or creating noise?

Phase 7: Retirement

Eventually, detections become obsolete:

  • Threat no longer relevant
  • Better detection available
  • Data source deprecated

Don't let stale rules clutter your environment.

Key Takeaways

  • Every detection goes through a defined lifecycle
  • Threat intelligence drives detection design
  • Testing before deployment prevents alert floods
  • Continuous tuning is essential for long-term value