book

Automating Security Detection Engineering

Name: Automating Security Detection Engineering
Author: Dennis Chow
ISBN: 9781837636419

by Dennis Chow

June 2024

Intermediate to advanced

252 pages

6h 8m

English

Packt Publishing

Read now

Unlock full access

Automating Security Detection Engineering
ForewordContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
Part 1: Automating Detection Inputs and Deployments
Chapter 1: Detection as Code Architecture and Lifecycle
Establish requirementsDevelopmentTestingImplementationDeprecationConceptualizing detection as code requirementsVersion control systemsAPI supportUse case syntaxTesting instrumentationSecrets managementPlanning automation milestonesSummaryFurther reading
Chapter 2: Scoping and Automating Threat-Informed Defense Inputs
Technical requirementsScoping threat-based inputsParsing indicators and payloadsLab 2.1 – Custom STIX2 JSON parserLab 2.2 – Automatically block domains with intel feedLab 2.3 – Integrate malicious hashes into Wazuh EDRLab 2.4 – Deploy custom IOCs to CrowdStrikeLeveraging context enrichmentLab 2.5 – Analyze and develop custom detections in Google ChronicleSummaryFurther reading
Chapter 3: Developing Core CI/CD Pipeline Functions
Technical requirementsDeploying code repositoriesGitHub usage conceptsBranching strategyLab 3.1 – Create a new repositorySetting up CI/CD runnersLab 3.2 – Deploy a custom IOA to CrowdStrike FalconLab 3.3 – CI/CD with Terraform Cloud and Cloudflare WAFLab 3.4 – Policy as Code with Cloud Custodian in AWSLab 3.5 – Custom RASP rule in Trend Micro Cloud OneLab 3.6 – Custom detection for Datadog Cloud SIEM with GitHub ActionsMonitoring pipeline jobsSummary
Chapter 4: Leveraging AI for Use Case Development
Technical requirementsOptimizing generative AI usageLab 4.1 – Tuning an LLM-based chatbotExperimenting with multiple AI toolsLab 4.2 – Exploring SOC Prime Uncoder AIAutomating LLM interactionsLab 4.3 – Generating Splunk SPL content from newsSummary
Part 2: Automating Validations within CI/CD Pipelines
Chapter 5: Implementing Logical Unit Tests
Technical requirementsValidating syntax and lintingLab 5.1 – CrowdStrike syntax validationPerforming metadata and taxonomy checksLab 5.2 – Google Chronicle payload validationPerforming data input checksLab 5.3 – Palo Alto signature limitation testsLab 5.4 – Suricata simulation testingLab 5.5 – Git pre-commit hook protectionsSummaryFurther reading
Chapter 6: Creating Integration Tests
Technical requirementsMapping and Using Synthetic PayloadsLab 6.1 – Splunk SPL Detection TestingTesting In-Line PayloadsLab 6.2 – AWS CloudTrail Detection TestsExecuting Live-Fire Asynchronous TestsLab 6.3 – CrowdStrike Falcon Payload TestingLab 6.4 – Deploying Caldera BASSummaryFurther reading

Chapter 7: Leveraging AI for Testing
Technical requirementsSynthetic testing with LLMsLab 7.1 – Poe Bot synthetic CI/CD unit testingEvaluating data security and ROILab 7.2 – CodeRabbit augmented peer reviewImplementing multi-LLM model validationSummary
Part 3: Monitoring Program Effectiveness
Chapter 8: Monitoring Detection Health
Technical requirementsIdentifying telemetry sourcesMeasuring use case performanceUpstream detection performanceDownstream detection performanceLab 8.1 – Google Chronicle detection insightsExtending dashboard use casesLab 8.2 – Mock SOAR disable excessive firing ruleSummaryFurther reading
Chapter 9: Measuring Program Efficiency
Technical requirementsCreating program KPIsLocating data for metricsSignal to Noise RatioMITRE ATT&CK coverageNumber of active SIEM detections by criticalityCreating dashboard visualizationsLab 9.1 – Monitoring team workload in JiraSummary
Chapter 10: Operating Patterns by Maturity
Technical requirementsImplementing L1 – foundationsL1 workflow managementL1 version controlL1 CI/CD pipelineL1 development environmentImplementing L2 – intermediateL2 workflow managementL2 version controlL2 CI/CD pipelineL2 developmentImplementing L3 – advancedL3 workflow managementL3 version controlL3 CI/CD pipelineL3 developmentLab 10.1 – exploring Google ColabSummary
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Overview

In 'Automating Security Detection Engineering,' you will learn how to automate the detection use case lifecycle to enhance organizational security. This hands-on guide will teach you to integrate industry tools, create efficient CI/CD pipelines, and leverage cutting-edge automation techniques to scale detection using DevSecOps principles.

What this Book will help me do

Automate threat detection pipelines using Python, Terraform, and other tools.
Build AI-enhanced CI/CD workflows for scaling detection engineering.
Optimize security program monitoring through key metrics and health assessments.
Develop custom integrations and detections for enterprise-grade security systems.
Gain insights into Detection as Code implementations tailored to your organization.

Author(s)

Dennis Chow is a seasoned expert in security detection engineering, with deep experience in developing and implementing advanced automated detection systems. He has worked extensively with tools and technologies pivotal to threat detection and prevention. Through his clear and organized writing, Dennis aims to provide actionable knowledge practitioners can directly apply to their roles.

Who is it for?

This book is perfect for security engineers or analysts tasked with developing scalable detections and managing security infrastructures. It is especially valuable for those familiar with programming and security operations seeking to automate processes. Readers interested in DevSecOps practices and advanced detection engineering will benefit greatly from this resource.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781837636419

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills