Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Automating Security Detection Engineering

You're reading from   Automating Security Detection Engineering A hands-on guide to implementing Detection as Code

Arrow left icon
Product type Paperback
Published in Jun 2024
Publisher Packt
ISBN-13 9781837636419
Length 252 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Dennis Chow Dennis Chow
Author Profile Icon Dennis Chow
Dennis Chow
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Part 1: Automating Detection Inputs and Deployments FREE CHAPTER
2. Chapter 1: Detection as Code Architecture and Lifecycle 3. Chapter 2: Scoping and Automating Threat-Informed Defense Inputs 4. Chapter 3: Developing Core CI/CD Pipeline Functions 5. Chapter 4: Leveraging AI for Use Case Development 6. Part 2: Automating Validations within CI/CD Pipelines
7. Chapter 5: Implementing Logical Unit Tests 8. Chapter 6: Creating Integration Tests 9. Chapter 7: Leveraging AI for Testing 10. Part 3: Monitoring Program Effectiveness
11. Chapter 8: Monitoring Detection Health 12. Chapter 9: Measuring Program Efficiency 13. Chapter 10: Operating Patterns by Maturity 14. Index 15. Other Books You May Enjoy

Performing metadata and taxonomy checks

Now that we have a general sense of what good unit-level tests are, we can add another layer of logic. As we measure any detection engineering program, tracking what is deployed in production based on which framework we’re aligned to helps with determining our coverage. For example, in the MITRE ATT&CK framework, tracking is based on categories of TTP identifiers. Every team is different so you may have additional frameworks. Ideally, your use cases should have these in tags or descriptions, which can be easily parsed for reporting.

In addition to the taxonomy presence checks, we can also use dynamic checks for applicability for our use case. For example, if we reference a particular TTP identifier, a URL, or some other threat intelligence, we can match this against the payload dynamically by referencing what we have detailed in the meta with an external source. Keep in mind that this doesn’t prevent us from writing detections...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image