
Citadel Cloud Management
Network Detection and Response Blueprint
Cybersecurity Frameworks
Created by Kenny Ogunlowo
Product Description
SIEM & Detection Engineering Framework — Enterprise Threat Detection Toolkit
After building detection engineering pipelines for regulated environments where a missed alert could mean exfiltrated CUI or compromised ePHI, I created this framework because most SOC teams have 500+ default vendor rules firing and zero custom detections for the threats that actually matter to their organization.
The core problem: MITRE ATT&CK has 201 techniques and 680 sub-techniques. Your SIEM vendor ships generic rules that detect 30% of them with a 40% false positive rate. Meanwhile, threat actors targeting your sector use maybe 15-20 techniques consistently — and you probably don't have solid detections for half of them.
What You Get
- Detection-as-Code Pipeline — Git-based detection management workflow using Sigma rules as the canonical format. Includes CI/CD templates (GitHub Actions, GitLab CI) for automated rule validation, unit testing against log samples, and deployment to Splunk (SPL), Microsoft Sentinel (KQL), and Elastic (ES|QL).
- 75 Custom Detection Rules — High-fidelity detections covering: credential access (Kerberoasting, AS-REP roasting, DCSync), lateral movement (PsExec, WMI, DCOM, RDP hijacking), persistence (scheduled tasks, registry run keys, WMI subscriptions), and cloud-specific techniques (STS token abuse, service principal creation, storage account key extraction).
- Log Source Onboarding Playbooks — Step-by-step for 20 critical log sources: Active Directory, DNS, DHCP, VPN, EDR telemetry, cloud audit logs (CloudTrail, Azure Activity, GCP Audit), email gateway, proxy/firewall, and Kubernetes audit logs. Includes parsing configurations and field normalization to OCSF.
- Alert Triage Runbooks — For each detection rule: what the alert means, investigation steps, true positive indicators, false positive conditions, and response actions. Reduces mean-time-to-triage from 15 minutes to under 3.
- Detection Coverage Matrix — Heatmap of your ATT&CK coverage showing which techniques have detections, which have log visibility but no rules, and which have no data source at all. Prioritization framework based on threat intelligence for your sector.
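As an added example (not code from the toolkit or its author), the following shows the kind of unit test the detection-as-code bullet describes: a minimal Sigma-style evaluator runs one rule against constructed sample events and reports any case whose verdict differs from the expected one, as a CI job would before conversion to SPL, KQL or ES|QL. The rule, its field names and the events are assumptions written for this illustration; only the `|endswith` modifier and `a and not b` conditions are supported.

```python
# Hypothetical rule in Sigma's YAML layout, written as a dict. Field names are those of
# Windows Security event 4769; the logic mirrors widely published Kerberoasting rules.
KERBEROASTING_RULE = {
    "title": "Kerberos TGS request with RC4 for a user service account",
    "detection": {
        "selection": {"EventID": 4769, "TicketEncryptionType": "0x17",  # RC4-HMAC
                      "TicketOptions": "0x40810000"},
        # A list of maps is OR in Sigma: computer accounts and krbtgt are excluded.
        "filter": [{"ServiceName|endswith": "$"}, {"ServiceName": "krbtgt"}],
        "condition": "selection and not filter",
    },
}

def _field_matches(spec, event, expected):
    """Compare one event field to a Sigma value; supports the |endswith modifier only."""
    name, _, modifier = spec.partition("|")
    actual = str(event.get(name, ""))
    wanted = [str(v) for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(actual.endswith(w) for w in wanted)
    return actual in wanted

def _block_matches(block, event):  # Sigma map = AND of its fields; list of maps = OR
    if isinstance(block, list):
        return any(_block_matches(b, event) for b in block)
    return all(_field_matches(k, event, v) for k, v in block.items())

def rule_matches(rule, event):
    """Evaluate the condition; only 'a and b and not c' forms are supported (assumption)."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        if _block_matches(det[term[4:] if negate else term], event) == negate:
            return False
    return True

def run_rule_tests(rule, cases):  # CI-style check: names of cases with a wrong verdict
    return [name for name, event, expected in cases if rule_matches(rule, event) != expected]

def _tgs(enc, service):  # constructed 4769 event, not real telemetry
    return {"EventID": 4769, "TicketEncryptionType": enc, "TicketOptions": "0x40810000", "ServiceName": service}

SAMPLE_CASES = [  # (name, constructed event, verdict the rule must give)
    ("rc4 tgs for user service account", _tgs("0x17", "svc_sql"), True),
    ("aes tgs for user service account", _tgs("0x12", "svc_sql"), False),
    ("rc4 tgs for computer account", _tgs("0x17", "WS01$"), False),
    ("rc4 tgs for krbtgt", _tgs("0x17", "krbtgt"), False),
    ("unrelated logon event", {"EventID": 4624, "LogonType": 3}, False),
]

if __name__ == "__main__":
    failures = run_rule_tests(KERBEROASTING_RULE, SAMPLE_CASES)
    print("all detection tests passed" if not failures else f"failing cases: {failures}")
```

A failing list is what the CI step would turn into a non-zero exit code to block the merge.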
Brownfield Implementation
- Week 1-2: Audit existing log sources and SIEM rules — identify coverage gaps against ATT&CK.
- Week 3-4: Onboard missing critical log sources, starting with identity (AD/Entra) and endpoint (EDR).
- Week 5-8: Deploy detection rules in phases — identity attacks first, then lateral movement, then persistence.
- Week 9-10: Implement the detection-as-code pipeline for ongoing development and maintenance.
Scope Limitations
Covers detection engineering for Windows Active Directory, major cloud providers, and common enterprise applications. Does not cover OT/ICS-specific detections (Modbus, DNP3), mainframe security monitoring, or mobile device threat detection. Assumes you have a functioning SIEM with at least 30 days of log retention.
Audit Evidence
Satisfies NIST SP 800-53 SI-4 (Information System Monitoring), AU-6 (Audit Record Review), and IR-4 (Incident Handling). Produces: detection coverage assessment reports, rule tuning documentation, false positive reduction metrics, mean-time-to-detect trending, and continuous monitoring evidence that auditors request for SOC 2 CC7.2 and HIPAA §164.312(b) audit log review requirements.
Written by Kenny Ogunlowo — Detection Engineer, U.S. Secret Clearance holder. Built detection engineering pipelines at Lockheed Martin and Cigna Healthcare for classified and regulated environments.