___

# Tags
#threat-detection #threat-detection-engineering #unfinished

# Helpful Docs
- https://academy.tcm-sec.com/courses/enrolled/2137578

# Notes
- This course is one I've paid for and isn't free and open like some of the other material I post here; these notes exist for my benefit and are not a substitute for the actual course itself.

#### Security Operations
- Typically consists of CTI (cyber threat intelligence), CTH (cyber threat hunting), CTDE (cyber threat detection engineering) and CIR (cyber incident response), all working in tandem with each other and enriching the entire operation.

#### What Makes a Good Threat Detection
- Response feedback - Is the alert missing information or logic?
- False positive ratio / fidelity - How is the true positive detection rate?
- Timeliness - Does the alert trigger fast enough to initiate a response to it?
- Specificity - Is there unrelated activity in the alert?
- Testability - Can you perform unit tests against the alert?
- Compensating controls - Is the alert triggering on an identified gap in security tooling?

#### Testing Capabilities and Frameworks
- Atomic Red Team
- Bloodhound
- Caldera
- AttackIQ
- Splunk Attack Range