Add wiki page: Detection-Lifecycle

2026-05-22 12:33:08 +00:00
parent 6e71348fd1
commit 22828b074b
1 changed files with 213 additions and 0 deletions
--- a/Detection-Lifecycle.-.md
+++ b/Detection-Lifecycle.-.md
@@ -0,0 +1,213 @@
 # Detection Lifecycle
 The Detection Lifecycle module provides a structured system for the Blue Team to manage,
 validate, and track the health of detection capabilities mapped to MITRE ATT&CK techniques.
 ---
 ## Overview
 The detection lifecycle tracks three main concepts:
 1. **Detection Assets** — What you use to detect (SIEM rules, EDR policies, sensors)
 2. **Validations** — Proof that an asset correctly detected a technique
 3. **Infrastructure Changes** — Events that may have broken your detections
 These three together provide a **confidence score** per technique: how certain are we
 that our detections for technique T still work today?
 ---
 ## Detection Assets
 A detection asset represents a defensive capability that can detect one or more techniques.
 ### Asset Types
 | Type | Examples |
 |------|---------|
 | `siem_rule` | Splunk SPL query, KQL rule in Sentinel |
 | `edr_policy` | CrowdStrike prevention policy, Defender ATP rule |
 | `sensor` | Network sensor, honeypot, canary token |
 | `ids_rule` | Snort/Suricata rule |
 | `manual_review` | Human review process |
 | `custom` | Any other detection mechanism |
 ### Creating an Asset
 ```http
 POST /api/v1/detection-lifecycle/assets
 Content-Type: application/json
 {
  "name": "Splunk: PowerShell AMSI Bypass Detection",
  "asset_type": "siem_rule",
  "description": "SPL search for AMSI bypass patterns in Windows PowerShell logs",
  "owner_id": "blue-lead-uuid",
  "team": "blue",
  "platform": "Windows",
  "rule_content": "index=wineventlog EventCode=4104 ScriptBlockText=*AmsiUtils*"
 }
 ```
 ### Linking to Techniques
 ```http
 POST /api/v1/detection-lifecycle/assets/{id}/techniques/{technique_id}
 ```
 One asset can be linked to multiple techniques. One technique can have multiple assets.
 ---
 ## Validations
 A validation record proves that an asset successfully detected a technique at a
 specific point in time. This is usually created after a successful test.
 ### Creating a Validation
 ```http
 POST /api/v1/detection-lifecycle/validations
 Content-Type: application/json
 {
  "asset_id": "asset-uuid",
  "technique_id": "T1059.001",
  "test_id": "test-uuid",
  "validated_at": "2024-03-15T10:30:00Z",
  "notes": "SIEM alert fired within 47 seconds of execution",
  "confidence": "high"
 }
 ```
 ### Invalidating a Validation
 When a detection rule changes, is disabled, or the infrastructure shifts, you should
 invalidate the previous validation so the confidence score drops:
 ```http
 POST /api/v1/detection-lifecycle/validations/{id}/invalidate
 {"reason": "SIEM rule rewritten — new version not yet tested"}
 ```
 ### Confidence Levels
 | Level | Meaning |
 |-------|---------|
 | `high` | Tested within 30 days, full detection |
 | `medium` | Tested within 90 days OR partial detection |
 | `low` | Tested more than 90 days ago |
 | `unknown` | No validation exists |
 ---
 ## Infrastructure Changes
 When infrastructure changes occur (SIEM migration, EDR update, log forwarding reconfigured),
 existing validations may no longer be accurate. Recording an infrastructure change
 automatically flags affected assets and adds techniques to the revalidation queue.
 ### Recording a Change
 ```http
 POST /api/v1/detection-lifecycle/infrastructure-changes
 Content-Type: application/json
 {
  "name": "Splunk → Microsoft Sentinel Migration",
  "description": "All SIEM rules migrated from Splunk to KQL in Sentinel",
  "change_type": "siem_migration",
  "affected_asset_ids": ["asset-uuid-1", "asset-uuid-2"],
  "occurred_at": "2024-03-01T00:00:00Z"
 }
 ```
 **Effect**: All validations linked to affected assets are automatically marked as
 potentially stale. An alert rule of type `detection_gap` may fire.
 ### Revalidation Queue
 After an infrastructure change, use the ownership module to see which techniques
 need re-testing:
 ```http
 GET /api/v1/ownership/revalidation-queue
 ```
 Generate an updated queue:
 ```http
 POST /api/v1/ownership/revalidation-queue/generate
 ```
 ---
 ## Detection Dashboard
 ```http
 GET /api/v1/detection-lifecycle/dashboard
 ```
 Returns per-technique detection confidence:
 ```json
 [
  {
    "technique_id": "T1059.001",
    "technique_name": "PowerShell",
    "asset_count": 2,
    "latest_validation": "2024-03-15T10:30:00Z",
    "confidence": "high",
    "days_since_validation": 5,
    "pending_revalidation": false
  },
  {
    "technique_id": "T1078",
    "technique_name": "Valid Accounts",
    "asset_count": 1,
    "latest_validation": "2023-11-10T08:00:00Z",
    "confidence": "low",
    "days_since_validation": 125,
    "pending_revalidation": true
  }
 ]
 ```
 ---
 ## Detection Rules
 Detection rules are the concrete SIEM/EDR rule definitions linked to Aegis tests.
 They complement detection assets by providing the exact rule logic.
 ### Creating a Rule
 ```http
 POST /api/v1/detection-rules
 Content-Type: application/json
 {
  "name": "PowerShell Encoded Command Execution",
  "technique_ids": ["T1059.001"],
  "platform": "Windows",
  "rule_type": "siem",
  "rule_content": "EventCode=4104 ScriptBlockText=*-EncodedCommand*",
  "description": "Detects PowerShell execution with base64 encoded commands",
  "severity": "high",
  "is_enabled": true
 }
 ```
 ### Evaluating a Rule Against a Test
 After running a test, record whether the rule fired:
 ```http
 POST /api/v1/detection-rules/evaluate
 {
  "rule_id": "rule-uuid",
  "test_id": "test-uuid",
  "result": "triggered",
  "time_to_detect_seconds": 23,
  "notes": "Rule fired on first PowerShell invocation"
 }
 ```
 `result` options: `triggered`, `not_triggered`, `false_positive`