Automation

Fig. 54 Example integration of telemetry with operations (image: ../_images/54-operationalizing-telemetry.png)

Detection engineering processes and features generate a great deal of telemetry and metrics and include many feedback loops. Automation can integrate these into daily workflows and processes: it gives users the information needed to make informed decisions, and it also eliminates many manual tasks. In certain circumstances, an entire process can be fully automated end to end (E2E).

Let's explore a specific example. Say you are receiving telemetry on rule performance and rule alerts. You could define thresholds and rules on the incoming telemetry itself to identify potential concerns, such as alert volume, false positives, or performance issues. These can then be analyzed further automatically; in the case of false positives, for example, field analysis can be performed on all alerts marked as false positives, and the result used to open an issue containing the specific information needed to tune the rule.
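The false-positive workflow just described, as an added example that is not code from the original page or from any detection platform it may refer to. It assumes a constructed alert export (each record carries the rule id, an analyst's false-positive mark, and a couple of enrichment fields), an assumed threshold of 50% false positives on a minimum sample of five alerts, and an assumed "dominant value" cut-off of 75% for nominating exception candidates. The output is the draft of the tuning issue a bot would open; the field values it lists are candidates for a human to review, not automatic exclusions.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry: alert records as a detection platform might export them.
# "fp" is the analyst's verdict; "host" and "user" are the fields we analyze.
SAMPLE_ALERTS = [
    # rule-ssh-brute: 8 alerts, 6 marked false positive, mostly from one scanner host
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner01", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner01", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner01", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner01", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner01", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": True,  "host": "scanner02", "user": "svc_vuln"},
    {"rule": "rule-ssh-brute", "fp": False, "host": "ws-17",     "user": "admin"},
    {"rule": "rule-ssh-brute", "fp": False, "host": "ws-17",     "user": "root"},
    # rule-powershell-enc: too few alerts to judge yet
    {"rule": "rule-powershell-enc", "fp": True,  "host": "ws-03", "user": "jdoe"},
    {"rule": "rule-powershell-enc", "fp": False, "host": "ws-09", "user": "asmith"},
    {"rule": "rule-powershell-enc", "fp": True,  "host": "ws-03", "user": "jdoe"},
    # rule-new-admin: healthy false-positive rate
    {"rule": "rule-new-admin", "fp": False, "host": "dc01", "user": "bob"},
    {"rule": "rule-new-admin", "fp": False, "host": "dc01", "user": "carol"},
    {"rule": "rule-new-admin", "fp": True,  "host": "dc02", "user": "it_auto"},
    {"rule": "rule-new-admin", "fp": False, "host": "dc01", "user": "dave"},
    {"rule": "rule-new-admin", "fp": False, "host": "dc02", "user": "erin"},
]

FP_RATE_THRESHOLD = 0.5   # assumption: flag a rule once half its alerts are false positives
MIN_ALERTS = 5            # assumption: do not judge a rule on fewer alerts than this


def rule_stats(alerts):
    """Aggregate per-rule alert totals and false-positive counts."""
    stats = defaultdict(lambda: {"total": 0, "fp": 0})
    for a in alerts:
        stats[a["rule"]]["total"] += 1
        if a["fp"]:
            stats[a["rule"]]["fp"] += 1
    return dict(stats)


def rules_over_threshold(alerts, threshold=FP_RATE_THRESHOLD, min_alerts=MIN_ALERTS):
    """Rules whose false-positive rate crosses the threshold on a large enough sample."""
    flagged = []
    for rule, s in rule_stats(alerts).items():
        if s["total"] >= min_alerts and s["fp"] / s["total"] >= threshold:
            flagged.append(rule)
    return sorted(flagged)


def fp_field_analysis(alerts, rule, fields=("host", "user")):
    """Field analysis over one rule's false-positive alerts.
    Returns {field: [(value, share_of_fp_alerts), ...]} ordered by share, descending."""
    fps = [a for a in alerts if a["rule"] == rule and a["fp"]]
    result = {}
    for f in fields:
        counts = Counter(a.get(f) for a in fps)
        result[f] = [(v, round(c / len(fps), 2)) for v, c in counts.most_common()]
    return result


def build_tuning_issue(alerts, rule, dominant_share=0.75):
    """Draft the issue a bot would open: the FP rate plus any field value that
    dominates the FP set (an exception candidate for a human to review)."""
    s = rule_stats(alerts)[rule]
    analysis = fp_field_analysis(alerts, rule)
    candidates = [(f, v) for f, vals in analysis.items()
                  for v, share in vals if share >= dominant_share]
    body = [f"False positive rate: {s['fp']}/{s['total']} ({s['fp'] / s['total']:.0%})"]
    for f, v in candidates:
        body.append(f"- {f}={v} appears in most FP alerts; review as exception candidate")
    return {"title": f"Tune {rule}: FP rate above threshold",
            "candidates": candidates, "body": "\n".join(body)}


def triage(alerts):
    """End-to-end pass: threshold the telemetry, then draft one issue per flagged rule."""
    return [build_tuning_issue(alerts, r) for r in rules_over_threshold(alerts)]


if __name__ == "__main__":
    for issue in triage(SAMPLE_ALERTS):
        print(issue["title"])
        print(issue["body"])
```

Only rule-ssh-brute is flagged: rule-powershell-enc has a high rate but too small a sample, and rule-new-admin is below the threshold. The drafted issue names scanner01 and svc_vuln as the values concentrated in the false positives, which is exactly the information an engineer needs to decide whether to tune the rule.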

Another example is assessing adoption, or metrics around which features or rules are enabled. Likewise, understanding the volumes of data sources and their trends can provide insight into correlated tendencies. This can be integrated into the rule development process within the DCDL as a consideration for how to scope and prioritize.
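The adoption and data-source-volume checks above, as an added example that is not part of the original page or of any particular platform's telemetry. It assumes a constructed inventory of rules (each tied to one data source and either enabled or not) and constructed daily event counts per data source over 14 days. The trend logic is an assumption chosen for illustration: the first seven days form the baseline, a latest day below half the baseline is reported as a drop (the kind of ingestion problem that silently turns dependent rules off), and a recent-week mean above twice the baseline is reported as a sustained spike. Findings are then ordered by how many enabled rules depend on the source, which is the scoping and prioritization input the text describes.

```python
from statistics import mean

# Constructed daily event counts per data source, oldest day first (14 days).
SAMPLE_VOLUMES = {
    "windows.security": [1000, 1050, 980, 1020, 990, 1010, 1030,
                         1000, 1010, 990, 1020, 1000, 1030, 120],
    "linux.auditd":     [500, 480, 510, 520, 495, 505, 500,
                         510, 1500, 1600, 1550, 1620, 1580, 1600],
    "cloud.audit":      [200, 210, 190, 205, 200, 195, 210,
                         200, 205, 210, 195, 200, 205, 210],
}

# Constructed rule inventory: the data source each rule reads and whether it is enabled.
SAMPLE_RULES = [
    {"id": "r1", "source": "windows.security", "enabled": True},
    {"id": "r2", "source": "windows.security", "enabled": True},
    {"id": "r3", "source": "windows.security", "enabled": False},
    {"id": "r4", "source": "linux.auditd",     "enabled": True},
    {"id": "r5", "source": "cloud.audit",      "enabled": False},
    {"id": "r6", "source": "cloud.audit",      "enabled": False},
]

DROP_RATIO = 0.5    # assumption: latest day below half the baseline is a drop
SPIKE_RATIO = 2.0   # assumption: recent-week mean above twice the baseline is a spike


def adoption_by_source(rules):
    """(enabled, total) rule counts per data source: the adoption metric."""
    out = {}
    for r in rules:
        enabled, total = out.get(r["source"], (0, 0))
        out[r["source"]] = (enabled + int(r["enabled"]), total + 1)
    return out


def adoption_gaps(rules):
    """Data sources that have rules written for them but none enabled."""
    return sorted(s for s, (enabled, _) in adoption_by_source(rules).items() if enabled == 0)


def volume_status(series, baseline_days=7, recent_days=7):
    """Classify one source's daily series as 'drop', 'spike' or 'stable'."""
    baseline = mean(series[:baseline_days])
    recent = mean(series[-recent_days:])
    latest = series[-1]
    if latest < DROP_RATIO * baseline:
        return "drop"
    if recent > SPIKE_RATIO * baseline:
        return "spike"
    return "stable"


def prioritized_findings(volumes, rules):
    """Flagged sources, ordered so that a drop affecting many enabled rules comes first."""
    adoption = adoption_by_source(rules)
    findings = []
    for source, series in volumes.items():
        status = volume_status(series)
        if status == "stable":
            continue
        enabled, total = adoption.get(source, (0, 0))
        findings.append({"source": source, "status": status,
                         "baseline": round(mean(series[:7]), 1), "latest": series[-1],
                         "enabled_rules": enabled, "total_rules": total})
    # drops outrank spikes; within a status, more dependent enabled rules ranks higher
    findings.sort(key=lambda f: (f["status"] != "drop", -f["enabled_rules"]))
    return findings


if __name__ == "__main__":
    for f in prioritized_findings(SAMPLE_VOLUMES, SAMPLE_RULES):
        print(f"{f['source']}: {f['status']} (baseline {f['baseline']}, latest {f['latest']}), "
              f"{f['enabled_rules']}/{f['total_rules']} rules enabled")
    print("adoption gaps:", adoption_gaps(SAMPLE_RULES))
```

On the constructed data, windows.security is reported first (a drop with two enabled rules depending on it), linux.auditd second (a sustained spike worth checking for cost and for rules whose thresholds assumed the old volume), and cloud.audit surfaces only as an adoption gap: rules exist for it but none are enabled.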