Detection Engineering II • Room 3

Detection Lifecycle

Detections are code, and must follow a lifecycle: Design, Build, Test, Deploy, Tune, and Deprecate.

Testing a detection involves creating dummy data using `makeresults` or replaying PCAP traffic to ensure the alert triggers correctly before moving it to production.

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Use the `makeresults` command followed by `eval user="hacker"` to generate a dummy test event for a detection rule.

Splunk Search Bar