Detection Engineering

Turn threat intelligence and incident findings into detection hypotheses and actionable rules.

This workflow helps detection engineers move from threat reports and CVEs to concrete hunt logic and measurable detection improvements: first a hypothesis about attacker behavior, then the telemetry that can confirm it, then a layered set of hunt queries and rules.

Detection Workflow

Hypothesis Building

  1. Identify likely attacker objective and execution path.
  2. Map expected TTPs and observable artifacts.
  3. Define minimum telemetry required to validate behavior.

Rule and Hunt Development

  1. Build one high-signal hunt query first.
  2. Add a narrower high-confidence detection rule.
  3. Add a lower-confidence analytic with suppression controls.

Prompt Pattern

```text
Given [CVE/actor/campaign], generate:

  1. likely execution and persistence behaviors,
  2. telemetry fields to query,
  3. one high-confidence detection idea,
  4. one hunt query for validation.
```

Quality Controls

  • Every rule documents the conditions under which it is expected to fire on benign activity (its known false positives).
  • Every hunt output is tied to a specific response action, so a hit is never just a row in a report.
  • Every detection maps back to a named TTP coverage gap, so the team can show what a new rule actually closes.
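As an added worked example (not code from this page or from any project it describes), the three tiers from Rule and Hunt Development are run here over constructed process-creation events, and each rule carries the Quality Controls fields above as metadata with a deploy-time check that they are filled in. The hypothesis (persistence via a scheduled task created from an unexpected parent process), the EDR-style field names host, user, parent, process and cmdline, the sample events, and the allowlisted parent corp-patcher.exe are all assumptions made for the example.

```python
# Added example: a three-tier detection set (broad hunt, narrow high-confidence
# rule, lower-confidence analytic with suppression) over constructed telemetry.
import re

# Constructed sample telemetry in an assumed EDR-style schema; not real data.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "process": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\alice\\AppData\\Roaming\\u.exe" /sc minute /mo 5'},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.bat" /sc daily'},
    {"host": "srv01", "user": "SYSTEM", "parent": "corp-patcher.exe", "process": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "PatchReboot" /tr "shutdown /r" /sc once /st 03:00'},
    # Same task re-created on the same host: should collapse to a single alert.
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.bat" /sc daily'},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "schtasks.exe",
     "cmdline": "schtasks.exe /query /tn Backup"},
    {"host": "ws04", "user": "dave", "parent": "cmd.exe", "process": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

TASK_NAME_RE = re.compile(r'/tn\s+"?([^"]+?)"?(?:\s|$)', re.IGNORECASE)

def is_task_create(e: dict) -> bool:
    """Minimum telemetry required by the hypothesis: process name plus full command line."""
    return e["process"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()

def task_name(e: dict) -> str:
    """Extract the /tn value; used as the de-duplication key in tier 3."""
    m = TASK_NAME_RE.search(e["cmdline"])
    return m.group(1) if m else ""

def hunt_task_creation(events: list) -> list:
    """Tier 1: one broad, high-signal hunt. Returns every task creation for analyst triage."""
    return [e for e in events if is_task_create(e)]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def detect_office_spawned_task(events: list) -> list:
    """Tier 2: narrow, high-confidence rule. Office applications have no business
    creating scheduled tasks, so a hit is almost certainly macro or exploit follow-on."""
    return [e for e in hunt_task_creation(events) if e["parent"].lower() in OFFICE_PARENTS]

# Constructed allowlist of approved admin tooling (assumption); tune per environment.
ALLOWLISTED_PARENTS = {"corp-patcher.exe"}

def analytic_task_creation(events: list) -> list:
    """Tier 3: lower-confidence analytic with two suppression controls:
    an allowlist of known-good parents and de-duplication per (host, task name)."""
    seen, hits = set(), []
    for e in hunt_task_creation(events):
        if e["parent"].lower() in ALLOWLISTED_PARENTS:
            continue
        key = (e["host"], task_name(e).lower())
        if key in seen:
            continue
        seen.add(key)
        hits.append(e)
    return hits

# Quality controls: each rule records its expected false positives, the response
# action a hit triggers, and the coverage gap it closes (labels are assumed).
RULES = [
    {"name": "hunt_task_creation", "tier": "hunt", "run": hunt_task_creation,
     "coverage": "scheduled-task persistence, any parent",
     "expected_false_positives": "installers, backup agents, admin scripts",
     "response_action": "analyst reviews /tr target binaries and their signers"},
    {"name": "office_spawned_task", "tier": "high", "run": detect_office_spawned_task,
     "coverage": "scheduled-task persistence following a document lure",
     "expected_false_positives": "none expected; add-ins that schedule tasks would need an allowlist entry",
     "response_action": "isolate host, acquire the task definition and its target binary"},
    {"name": "user_task_creation", "tier": "low", "run": analytic_task_creation,
     "coverage": "scheduled-task persistence from interactive parents",
     "expected_false_positives": "users scheduling legitimate scripts; approved tooling is allowlisted",
     "response_action": "enrich with target hash and fleet prevalence before escalating"},
]

REQUIRED_FIELDS = ("coverage", "expected_false_positives", "response_action")

def incomplete_rules(rules: list = RULES) -> list:
    """Names of rules missing any quality-control field; must be empty before deploy."""
    return [r["name"] for r in rules if any(not r.get(f) for f in REQUIRED_FIELDS)]

def run_all(events: list = EVENTS, rules: list = RULES) -> dict:
    """Map each rule name to the list of hosts it fires on."""
    return {r["name"]: [e["host"] for e in r["run"](events)] for r in rules}

if __name__ == "__main__":
    print("incomplete rules:", incomplete_rules())
    for name, hosts in run_all().items():
        print(f"{name}: {hosts}")
```

Running the module prints the hosts each tier fires on: the hunt returns every creation, the high-confidence rule only the Office-spawned one on ws01, and the analytic drops the allowlisted patcher on srv01 and collapses the repeated Backup task on ws02 to one alert. incomplete_rules is the gate that enforces the quality controls before a rule ships.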