Explore a comprehensive approach to creating efficient, accurate, and resilient detection rules in this 23-minute conference talk from NorthSec. Follow a step-by-step guide through the "Full Circle Detection" process, from generating hunting ideas to developing actionable alerts for security analysts. Learn how to transform a simple blog article about an Outlook persistence technique into a complete security team workflow. Discover techniques for converting hunt queries into SIEM detections, validating rules with Atomic Red Team tests, sharing detections through Sigma rules, maintaining detection pipelines, creating incident response playbooks, and developing effective training materials. Gain insights from Mathieu Saulnier, a Core Mentor for Defcon's Blue Team Village and experienced security professional, as he demonstrates how to implement a holistic approach to threat detection and response.
Full Circle Detection - From Hunting to Actionable Detection
Overview
Syllabus
Intro
Idea
Example
Atomic Red Team
Convert Hunting to Detection
Sharing your Detection
Running your Pipeline
Incident Response Playbook
Training
Automating
Conclusion
Taught by
NorthSec
Related Courses
-
Cloud-native security operations with Microsoft Sentinel
-
SC-200: Create detections and perform investigations using Microsoft Sentinel
-
Detect, Respond, and Recover from Cloud Cybersecurity Attacks
-
The SOC Counter ATT&CK
-
Signatures Are Dead - Long Live Resilient Signatures
-
Fantastic Red-Team Attacks and How to Find Them
