How to Become a Detection Engineer

Morning: review detection performance metrics from yesterday. Alert volumes by rule, false positive rates, and any rules that fired on confirmed incidents. A credential dumping detection targeting LSASS memory access has been generating 40 false positives per day from a legitimate endpoint management tool.

You analyze the pattern, identify the distinguishing characteristics (the management tool accesses LSASS with a specific access mask and from a known parent process), and update the rule with targeted exclusions that maintain detection accuracy while eliminating the noise. Next: a new Mandiant report describes ransomware operators abusing WMI event subscriptions for persistence. Your current detection set does not cover this well.

You research the technique: the specific WMI event consumer types, the registry locations involved, how to distinguish malicious WMI persistence from legitimate IT automation. You write a Sigma rule targeting creation of suspicious WMI event consumers, test it against your detection validation framework using Atomic Red Team simulations, and verify zero false positives against a week of baseline data. The rule goes through code review before deployment. After lunch, a coverage mapping project.

You export your entire detection library, map each rule to its corresponding ATT&CK technique, and visualize gaps using the Navigator. Defense evasion shows weak coverage, specifically around process injection sub-techniques. You prioritize the three highest-impact gaps and draft detection designs for the next sprint. Late afternoon: collaboration with the threat hunting team. A hunter found a pattern of DNS queries to algorithmically generated domains correlating with a C2 channel.

You design a detection rule to catch similar DGA patterns in real-time DNS logs, converting a one-time hunt finding into persistent automated detection.