Defense: Create Detection Content From CTI
Draft
Level: Complex Platform Workflows
Goal: Turn CTI findings into detection content candidates.
Real-Life Scenario
A CTI report describes new intrusion behavior, and detection engineers need to convert it into practical Sigma, SIEM, EDR, or hunting tasks.
When To Use This
Use this workflow when you need an end-to-end platform workflow across multiple AdversaryGraph modules and want the output to remain traceable to evidence.
Steps
- Analyze source report and accept validated TTPs.
- Extract IOCs and enrich high-value observables.
- Open TTP detail panels and detection references.
- Sync Sigma/YARA feeds and search for related rules.
- Map each TTP to telemetry requirements.
- Write candidate logic or Sigma/SIEM task notes.
- Mark expected false positives and tuning inputs.
- Create backlog items in Pipeline/Operations.
- Export report, layer, and IOC appendix.
- Validate detections with test data or replay where possible.
Expected Result
Detection content package traceable from CTI evidence to engineering tasks.
Review Notes
- Keep source labels and evidence attached to every accepted result.
- Treat actor matches, enrichment hits, and matrix overlap as analytical signals until corroborated.
- Export only reviewed findings for customer, SOC, detection engineering, or executive use.
Platform Areas Used
- Operations / Pipeline
- AI Analysis
- ATT&CK Group Library
- IOC Library
- VirusTotal / OTX / ThreatFox / Malpedia enrichment where configured
- Reference Sync
- Navigator matrix
- PDF, JSON, CSV, STIX, and Navigator exports as needed