JIRA workflow for Detection Engineering teams

Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB security, evading detection and achieving their goals.

Nevertheless access to all this data is only the start. The challenge for Blue Teamers keeps increasing as log availability and other challenges around data polishing such as filtering and normalization are still not solved (never will?).

Here I cover one very strategic aspect related to this practice: once you have gathered enough ideas to start developing custom content, how to manage it?

Detection as code

This post is continuation of an idea or an approach I've started leveraging a few years ago when I started working as freelancer focused on helping Security Teams build custom detection on Splunk.

The idea is basically to implement an Agile process around new content (Security Use Cases) creation — assuming custom rules and dashboards that aid triage, hunting and reporting cycles.

JIRA Workflows

The screenshots here are based on a quick lab I've built in JIRA Cloud and very similar to current workflows I've been using in a recent MSSP project.