Question: Are detection rules and use-cases defined, tested, and mapped to frameworks (e.g., MITRE ATT&CK) with clear response playbooks?
Why This Matters
Detections without design create noise. Mapping to frameworks and testing ensures meaningful alerts tied to response actions and measurable outcomes.
Maturity
0 — Unaware
No formal detections; rely on vendor defaults.
1 — Ad Hoc
Some custom rules exist; untested; no mappings.
2 — Defined
Core threat scenarios documented; baseline rules written.
3 — Managed
Rules tested in staging; mapped to ATT&CK; linked to playbooks.
4 — Integrated
Continuous tuning; version control; purple-team exercises.
5 — Optimized
Telemetry-driven rule lifecycle; automated coverage and drift checks.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify top 10 threats; write simple correlation queries. |
| 1 → 2 | Create rule templates and mapping to ATT&CK techniques. |
| 2 → 3 | Stand up test data; validate rules and playbooks together. |
| 3 → 4 | Version control rules; schedule purple-team drills. |
| 4 → 5 | Automate coverage metrics and deprecation of low-value rules. |
Enablers
- People: Detection engineer, SOC, incident responder.
- Process: Rule lifecycle (create→test→deploy→tune), change control, mapping SOP.
- Technology: SIEM/SOAR, ATT&CK navigator, test harness.
Evidence
- Rule repository with mappings and change history.
- Test results and deployment approvals.
- Playbooks linked to detections.
KPIs
- True positive rate and mean time to detect.
- Rules with mapped playbooks (%).
- Coverage across ATT&CK tactics/techniques.
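The KPIs above and the "automate coverage metrics and deprecation of low-value rules" step can be computed directly from a rule repository. The following Python is an added example, not part of this page or any NIRMATA tooling; the rule fields owner, playbook and tested, the sample rules and the alert statistics are constructed assumptions, while the attack.* tags follow the Sigma convention.

```python
import re

ATTACK_TACTICS = ["initial-access", "execution", "persistence", "privilege-escalation",
                  "defense-evasion", "credential-access", "discovery", "lateral-movement",
                  "collection", "command-and-control", "exfiltration", "impact"]
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
# Constructed sample rules: Sigma-style 'attack.*' tags plus hypothetical custom
# fields (owner, playbook, tested) that a real rule repository would carry.
RULES = [
    {"id": "r1", "title": "PowerShell encoded command", "owner": "det-eng",
     "tags": ["attack.execution", "attack.t1059.001"], "playbook": "PB-EXEC-01", "tested": True},
    {"id": "r2", "title": "New scheduled task", "owner": "det-eng",
     "tags": ["attack.persistence", "attack.t1053.005"], "playbook": "PB-PERS-02", "tested": True},
    {"id": "r3", "title": "LSASS handle access", "owner": None,
     "tags": ["attack.credential-access", "attack.t1003.001"], "playbook": None, "tested": False},
    {"id": "r4", "title": "Legacy catch-all rule", "owner": "soc",
     "tags": [], "playbook": None, "tested": True},
]
# Constructed 30-day alert statistics: rule id -> (alerts fired, confirmed true positives)
ALERT_STATS = {"r1": (40, 12), "r2": (10, 8), "r3": (5, 0), "r4": (900, 1)}

def rule_tactics(rule):
    return {t[7:] for t in rule["tags"] if t[7:] in ATTACK_TACTICS}

def rule_techniques(rule):
    return {m.group(1).upper() for m in map(TECHNIQUE_TAG.match, rule["tags"]) if m}

def lint(rules):
    """Per-rule findings that correspond to the Common Pitfalls listed on this page."""
    checks = [("no-owner", lambda r: not r["owner"]),
              ("no-attack-mapping", lambda r: not (rule_tactics(r) or rule_techniques(r))),
              ("no-playbook", lambda r: not r["playbook"]),
              ("untested", lambda r: not r["tested"])]
    return {r["id"]: [name for name, bad in checks if bad(r)] for r in rules}

def kpis(rules):
    """Linkage and coverage KPIs (percentages) plus the tactics no rule covers."""
    covered = set().union(*(rule_tactics(r) for r in rules))
    return {
        "playbook_mapped_pct": 100 * sum(bool(r["playbook"]) for r in rules) / len(rules),
        "tested_pct": 100 * sum(r["tested"] for r in rules) / len(rules),
        "tactic_coverage_pct": 100 * len(covered) / len(ATTACK_TACTICS),
        "uncovered_tactics": [t for t in ATTACK_TACTICS if t not in covered],
    }

def deprecation_candidates(stats, min_alerts=20, min_tp_rate=0.05):
    """Rules that fire often but rarely confirm: candidates for tuning or retirement."""
    return sorted(rid for rid, (alerts, tps) in stats.items()
                  if alerts >= max(1, min_alerts) and tps / alerts < min_tp_rate)
```

Run as a CI step over the rule repository, `lint` blocks merges that reintroduce ownerless or unmapped rules, while `kpis` and `deprecation_candidates` feed the coverage dashboard and the tuning backlog.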
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Rules | Sigma / Wazuh | Portable detection content. |
| Testing | Atomic Red Team | Safe technique emulation. |
| Mapping | ATT&CK Navigator | Visualize coverage. |
Common Pitfalls
- One-off rules with no owners.
- Excessive false positives.
- No linkage to response steps.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.8.16 / A.5.23 (Information security event reporting) |
| CERT-In 2022 | Monitoring & Incident Handling |
| DPDP Act 2023 | Sec 8–10 (Safeguards, Accountability) |
| NIST CSF 2.0 | DE.AE / RS.MI |
| NIRMATA Mapping | MD-Q03 ties detections to actionable response. |