CoursesDetection engineeringDetection-as-code & Sigma

Detection as code

Version-controlled, tested, CI/CD-deployed detections.

Advanced30 min · lesson 1 of 15

Detection engineering treats detections the way software engineering treats code — and detection as code is the discipline that makes a detection program reliable, auditable, and improvable instead of a pile of one-off console queries nobody remembers writing.

Detections are software

A detection is logic that consumes telemetry and emits an alert — so it deserves the same rigor as any other logic: it lives in version control, is peer-reviewed, is tested against known-good and known-bad samples, and ships through CI/CD to the SIEM. The alternative — analysts hand-typing rules into a console — produces detections nobody can review, that silently break when log formats change, and that no one can reproduce after a platform migration. Detection as code makes the security posture legible: you can answer who wrote a rule, why, when it changed, and whether it actually fires.

a detection lives in git, tested and deployed
detections/
credential-access/
aws-console-login-without-mfa.yml # the rule (Sigma)
aws-console-login-without-mfa.test.yml # true-positive + true-negative samples
ci.yml # lint → test → deploy
# CI: for each rule, run it against the test logs and assert:
# - fires on the malicious sample (true positive)
# - stays quiet on the benign sample (true negative)
# Only passing rules deploy to the SIEM. A regression is a failed build.

The feedback loop

Detection as code enables the loop that defines a mature program: a threat hunt or incident reveals a technique, an engineer writes a detection for it, tests prove it fires, CI deploys it, and metrics track its performance — feeding the next iteration. Version control gives you history and rollback, so a noisy or broken rule is a revert rather than a scramble. Community rule sets (Sigma repos) become a starting point you tune and validate rather than trust blindly. The result is coverage that grows deliberately and visibly, with every detection an artifact you can reason about.

Detection as code
as software
version-controlled
history, review, rollback
tested
true-positive + true-negative samples
CI/CD to the SIEM
validated rules deploy automatically
the loop
hunt/incident → rule
findings become detections
metrics → iterate
measure and improve coverage
Detections are code: reviewed, tested, deployed, measured. That is what turns scattered rules into a program that improves.
A console-only rule is an untested, unreviewable liability
Rules typed directly into the SIEM have no review, no tests, and no history — they break silently when logs change and vanish in a migration. Move detections into version control with tests and CI so every rule is reproducible, reviewable, and proven to fire.