Detection-as-Code Reading List
CI/CD Detection Engineering Splunk Security Content Part 1 by STRT
The article details the Splunk Threat Research team's advancements in security detection and offers a guide on using Splunk Security-Content, Attack Range, and CircleCI for detection development, testing, and deployment in security operations.
CI/CD Detection Engineering Splunk's Attack Range Part 2 by STRT
The second article in the series focuses on the testing phase of CI/CD detection development. It introduces the Splunk Attack Range, inspired by DetectionLab, for simulating attacks and testing detections, and explains how it is built with Terraform and Ansible, with mentions of attack simulation tools. It concludes with the cost implications of running the range on AWS and teases the next part on CI/CD pipeline automation.
CI/CD Detection Engineering Failing Part 3 by STRT
The article candidly addresses the challenges of integrating Splunk Security Content with the Attack Range for automated CI/CD testing using CircleCI, including queued CI jobs and AWS resource limits; the author teases an improved approach in the next installment based on the Splunk Attack Data Repository.
CI/CD Detection Engineering Dockerizing for Scale Part 4 by STRT
The fourth installment discusses the STRT's transition from CircleCI to GitHub Actions for CI/CD testing, emphasizing the benefits of Splunk's Docker Container and introducing the docker-detection-tester.py tool; the switch to Docker containers enhanced test portability and efficiency, concluding with a comparison of system iterations.
Can We Have "Detection as Code" by Anton Chuvakin
Anton Chuvakin's article explores "detection as code," a modern, systematic approach to threat detection inspired by software development, contrasting it with traditional methods and emphasizing its benefits like content versioning and modularity; he underscores the importance of both tools and content and concludes that detection combines engineering and creativity.
Detection-as-Code -- Testing by Kyle Bailey
Kyle Bailey's article promotes the "detection-as-code" approach in detection development, likening detection logic to code with principles like version control and CI/CD pipelines. He delves into testing techniques, highlights the importance of precise attack tests using tools like the Atomic Red Team Framework, and concludes by discussing challenges in achieving thorough test coverage and the ongoing efforts towards automated testing.
Practical Detection-as-Code by Brendan Chamberlain
Brendan Chamberlain's article guides readers on creating a Detection-as-Code pipeline using Sigma rules, GitLab CI/CD, and Splunk, detailing Sigma's role in standardization, GitLab's automation, and the workflow from creation to deployment, concluding with enhancement suggestions.
Automating Detection-as-Code by John Tuckner
John Tuckner's article, published by Tines, discusses applying software development principles to cybersecurity, introducing "Detection-as-code" as a method to manage detection rules for a SIEM or XDR in a structured manner, leveraging tools like Git and CI/CD pipelines for reliable deployments, and emphasizing the importance of community contributions on platforms like GitHub.
Quantifying Detection Coverage with Validation by Gary Katz
Gary Katz's article explores the importance of validating detection coverage, introducing concepts like "detection space" and "durability of detection," while emphasizing choke points and discussing validation challenges and metrics.
From soup to nuts: Building a Detection-as-Code pipeline Part 1 by David French
David French discusses building a Detection-as-Code (DAC) pipeline, drawing inspiration from John Tuckner, and outlines the process using tools like Terraform and Sumo Logic, emphasizing collaboration and automation, with a teaser for a follow-up on CI/CD workflows.
From soup to nuts: Building a Detection-as-Code pipeline Part 2 by David French
In the sequel, David French delves into the practicalities of a Detection-as-Code (DAC) pipeline, emphasizing CI/CD workflows with GitHub Actions, the role of Tines in automation, and the importance of rigorous testing, culminating with a demonstration of detecting anomalous Okta activities.