Overview
Explore a comprehensive approach to creating efficient, accurate, and resilient detection rules in this 23-minute conference talk from NorthSec. Follow a step-by-step guide through the "Full Circle Detection" process, from generating hunting ideas to developing actionable alerts for security analysts. Learn how to transform a simple blog article about an Outlook persistence technique into a complete security team workflow. Discover techniques for converting hunt queries into SIEM detections, validating rules with Atomic Red Team tests, sharing detections through Sigma rules, maintaining detection pipelines, creating incident response playbooks, and developing effective training materials. Gain insights from Mathieu Saulnier, a Core Mentor for Defcon's Blue Team Village and experienced security professional, as he demonstrates how to implement a holistic approach to threat detection and response.
Syllabus
Intro
Idea
Example
Atomic Red Team
Convert Hunting to Detection
Sharing your Detection
Running your Pipeline
Incident Response Playbook
Training
Automating
Conclusion
Taught by
NorthSec