Detection Framework
Status: Scaffold — content in progress
This page defines the detection engineering standards used across all detection pages in this handbook.
Detection Readiness Levels (DRL)
The DRL model (from the CTI Analyst Field Manual) defines the maturity of a detection:
| DRL | Level | Description |
|---|---|---|
| 0 | No telemetry | Attack is not detectable with current logging |
| 1 | Log source identified | Know which log source would catch it; not yet enabled |
| 2 | Log source enabled | Log source active but no detection logic written |
| 3 | Rule drafted | Initial detection logic written, not tested |
| 4 | Rule tested in lab | Rule fires on synthetic or lab data |
| 5 | Rule tested against real data | Validated against production-representative data |
| 6 | False positives documented | FP baseline established |
| 7 | Tuned | FPs reduced, alert quality acceptable |
| 8 | In SOC queue | Active detection, analyst acknowledges |
| 9 | Production | Tested, tuned, SOC SLA, response playbook |
Only DRL-9 is production coverage. DRL 4–7 is the typical range for content in this handbook.
Detection Page Structure
Every detection page includes:
- Paired Attack: link to the attack page
- DRL Level: current detection maturity
- Required Telemetry: log sources and specific Event IDs / API log fields
- Sigma Rule: vendor-neutral detection logic
- KQL: Microsoft Sentinel or MDE query
- SPL: Splunk query
- False Positive Handling: known benign causes and tuning guidance
- Response Actions: initial actions on alert
Telemetry Priority Stack
For AD environments:
1. Windows Security Event Log (primary — 4624, 4625, 4768, 4769, 4776, 4662, 5136)
2. Sysmon (process, network, registry — augments Security log)
3. Microsoft Defender for Identity (MDI) — behavioral detections
4. Network (DNS, SMB, LDAP at wire level)
For cloud environments:
1. Entra ID Sign-in logs (authentication events, CA outcomes, MFA)
2. Entra ID Audit logs (config changes, role assignments)
3. Microsoft 365 Unified Audit Log (OAuth, mailbox, admin activity)
4. Microsoft Defender XDR (endpoint + identity correlation)
Rule Quality Standards
- Every Sigma rule must have a `level` (critical/high/medium/low) and a `status` (stable/test/experimental)
- Every rule must have at least one false positive listed
- KQL rules must include a time window and aggregation where appropriate
- Rules marked DRL-9 must have a corresponding response playbook reference
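The standards above are the kind of thing worth enforcing mechanically before a detection page is merged. The following is an added example written for this page, not tooling from the handbook: a small linter that takes a detection page's metadata and reports every standard it violates. Sigma rules are represented as the dicts that `yaml.safe_load()` returns for a rule file; the page-level keys `drl`, `kql` and `playbook` are assumed front-matter for a detection page rather than Sigma fields, the KQL checks are regex heuristics, and both sample pages are constructed.

```python
"""Lint detection-page metadata against the handbook's Rule Quality Standards.

Added example for this page, not handbook tooling. Rules are the dicts that
yaml.safe_load() would return for a Sigma .yml file; the page-level keys
(drl, kql, playbook) are assumed front-matter, not part of the Sigma spec.
"""
from __future__ import annotations

import re
from typing import Any

ALLOWED_LEVELS = {"critical", "high", "medium", "low"}
ALLOWED_STATUSES = {"stable", "test", "experimental"}

# Heuristic checks for the KQL standard: the query must bound time and aggregate.
KQL_TIME_WINDOW = re.compile(r"\bago\s*\(|\bbetween\s*\(|\bTimeGenerated\s*[<>]", re.IGNORECASE)
KQL_AGGREGATION = re.compile(r"\bsummarize\b", re.IGNORECASE)


def lint_sigma(rule: dict[str, Any]) -> list[str]:
    """Check a parsed Sigma rule for level, status and at least one false positive."""
    findings: list[str] = []
    level = rule.get("level")
    if level not in ALLOWED_LEVELS:
        findings.append(f"sigma: level must be one of {sorted(ALLOWED_LEVELS)}, got {level!r}")
    status = rule.get("status")
    if status not in ALLOWED_STATUSES:
        findings.append(f"sigma: status must be one of {sorted(ALLOWED_STATUSES)}, got {status!r}")
    fps = rule.get("falsepositives") or []
    if isinstance(fps, str):  # tolerate a single string instead of a list
        fps = [fps]
    if not any(str(fp).strip() for fp in fps):
        findings.append("sigma: at least one false positive must be listed")
    return findings


def lint_kql(query: str) -> list[str]:
    """Check a KQL query for a time window and an aggregation (regex heuristic)."""
    findings: list[str] = []
    if not KQL_TIME_WINDOW.search(query):
        findings.append("kql: no time window (expected ago(), between() or a TimeGenerated bound)")
    if not KQL_AGGREGATION.search(query):
        findings.append("kql: no aggregation (expected a summarize operator)")
    return findings


def lint_detection_page(page: dict[str, Any]) -> list[str]:
    """Apply every standard to one detection page; an empty list means compliant."""
    findings = lint_sigma(page.get("sigma", {}))
    if "kql" in page:
        findings += lint_kql(page["kql"])
    if page.get("drl") == 9 and not page.get("playbook"):
        findings.append("page: DRL-9 detections must reference a response playbook")
    return findings


# Constructed sample: a page that meets every standard (Event 4769 is on this page;
# the playbook name is a hypothetical reference).
COMPLIANT_PAGE = {
    "drl": 9,
    "playbook": "respond-kerberoasting",
    "sigma": {
        "title": "Kerberos service ticket requests with RC4 encryption",
        "status": "test",
        "level": "medium",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4769, "TicketEncryptionType": "0x17"},
            "condition": "selection",
        },
        "falsepositives": ["Legacy applications that still negotiate RC4"],
    },
    "kql": (
        "SecurityEvent\n"
        "| where TimeGenerated > ago(1h)\n"
        "| where EventID == 4769 and TicketEncryptionType == '0x17'\n"
        "| summarize Requests = count() by TargetUserName, bin(TimeGenerated, 5m)"
    ),
}

# Constructed sample: a page that fails every check (bad level, no status,
# no false positives, unbounded and unaggregated KQL, DRL-9 without a playbook).
NONCOMPLIANT_PAGE = {
    "drl": 9,
    "sigma": {"title": "Draft rule", "level": "info", "detection": {"condition": "selection"}},
    "kql": "SecurityEvent | where EventID == 4769",
}

if __name__ == "__main__":
    for name, page in (("compliant", COMPLIANT_PAGE), ("noncompliant", NONCOMPLIANT_PAGE)):
        print(f"{name}: {lint_detection_page(page) or 'OK'}")
```

In practice the Sigma dict comes from `yaml.safe_load()` on the rule file and the KQL from the page's query block; wiring `lint_detection_page` into a pre-commit hook or CI job turns the checklist into a gate, and the regex heuristics for KQL can be tightened once the handbook settles on a house query style.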
Cross-Links
| Topic | Link |
|---|---|
| AD Attack Detection | detect-kerberoasting |
| Cloud Attack Detection | detect-device-code-phishing |