Detection engineering treats alerts as code: each detection rule is versioned, tested, deployed, and measured for true and false positives. A mature team owns SLOs for its rules (mean time to detect, false-positive rate, alert volume per rule) and ships new rules through the same pipeline as application code. An immature team keeps its detection logic as tribal knowledge in Splunk dashboards.
Pipeline: write the rule in Sigma → translate it to your SIEM's query language with sigma-cli (the pySigma-based successor to the legacy sigmac converter) → unit-test it against malicious and benign samples → deploy → monitor the false-positive rate → tune. Each rule has an owner and an expiry date after which it is reviewed or retired.
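As an added example (not part of this lesson and not pySigma or sigma-cli), here is the unit-test and gate stage of that pipeline in Python: a constructed Sigma rule written as a dict with the same structure as the YAML, a small matcher that covers only the Sigma subset the rule uses, and a regression test over constructed benign and malicious process-creation events that computes the false-positive rate and decides whether the rule may deploy. The rule, the events, the encoded command strings and the `x-review-by` expiry field are all assumptions made for the example.

```python
"""Unit-test stage of a detection-as-code pipeline (added example).

The rule below is a constructed Sigma rule written as a Python dict (the same
structure as the YAML, kept dependency-free). The matcher handles only the
Sigma subset this rule uses: plain values with '*' wildcards, the
contains/startswith/endswith modifiers, and conditions of the form
'<selection> and not <filter> ...'. It is a teaching stand-in, not pySigma.
"""
from __future__ import annotations
import re
from datetime import date
from typing import Any

# Constructed rule; owner (author) is standard Sigma, x-review-by is a hypothetical custom field.
RULE = {
    "title": "PowerShell Encoded Command (constructed example)",
    "status": "test",
    "author": "detection-eng@example.invalid",  # rule owner
    "date": "2024/01/15",
    "x-review-by": "2024/07/15",                 # expiry: re-review or retire after this date
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Tuning filter: a (constructed) software-deployment agent legitimately
        # launches encoded PowerShell, so its child processes are excluded.
        "filter_deploy_agent": {"ParentImage|endswith": "\\CCM\\CcmExec.exe"},
        "condition": "selection and not filter_deploy_agent",
    },
    "level": "medium",
}
# The same rule before tuning, i.e. without the filter.
UNTUNED_RULE = {**RULE, "detection": {**RULE["detection"], "condition": "selection"}}


def _match_value(value: Any, pattern: Any, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; apply one field modifier."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "":
        # Plain value: '*' is a wildcard, everything else is literal.
        regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        return re.match(regex, v, re.DOTALL) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection: dict, event: dict) -> bool:
    """All fields in a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], p, modifier) for p in patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Return True if the event fires the rule."""
    det = rule["detection"]
    head, *negated = [s.strip() for s in det["condition"].split(" and not ")]
    if " or " in head or " and " in head or " of " in head:
        raise ValueError("only '<sel> and not <filter> ...' conditions are supported")
    if not _match_selection(det[head], event):
        return False
    return not any(_match_selection(det[name], event) for name in negated)


# Constructed process-creation events (not real telemetry).
MALICIOUS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
     "CommandLine": "PowerShell -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA=",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"},
]
BENIGN = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc UwB0AGEAcgB0AC0AUwBlAHIAdgBpAGMAZQA=",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},        # deployment agent, filtered
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes\\-enc-notes.txt",  # '-enc' outside PowerShell
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run_rule_tests(rule: dict, malicious: list, benign: list) -> dict:
    """Score a rule against labelled samples; this is the CI gate's input."""
    tp = sum(evaluate(rule, e) for e in malicious)
    fp = sum(evaluate(rule, e) for e in benign)
    return {"tp": tp, "fn": len(malicious) - tp, "fp": fp, "tn": len(benign) - fp,
            "fp_rate": fp / len(benign) if benign else 0.0}


def rule_passes_gate(rule: dict, malicious: list, benign: list,
                     max_fp_rate: float = 0.0, today: date | None = None) -> bool:
    """Deploy only if every malicious sample fires, the FP rate is within budget,
    and the rule's (hypothetical) review date has not passed."""
    today = today or date.today()
    review_by = date(*map(int, rule["x-review-by"].split("/")))
    r = run_rule_tests(rule, malicious, benign)
    return r["fn"] == 0 and r["fp_rate"] <= max_fp_rate and today <= review_by


if __name__ == "__main__":
    for name, r in (("untuned", UNTUNED_RULE), ("tuned", RULE)):
        print(name, run_rule_tests(r, MALICIOUS, BENIGN))
    print("gate:", rule_passes_gate(RULE, MALICIOUS, BENIGN, today=date(2024, 3, 1)))
```

Running it shows the untuned rule firing on the deployment agent's encoded command (one false positive out of three benign samples) and the tuned rule passing with zero false positives; the gate also refuses the tuned rule once its review date has passed, which is how an expiry date becomes enforceable rather than a comment in the YAML. In a real pipeline the samples would be replayed through the SIEM query that sigma-cli emits, not through this matcher, so translation bugs are caught as well.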
Use these three in order. Each builds on the one before.
In one paragraph, explain detection-engineering-as-code.
Walk me through a Sigma rule from authoring to production deployment.
Design SLOs for a detection engineering team — what's a good MTTD target?