
SIEM Detection Engineering Playbook

Tags: Splunk SIEM, SPL, MITRE ATT&CK, CrowdStrike Falcon, Tenable, Python

About this project

Structured detection engineering programme for Splunk SIEM — covering detection-as-code, alert lifecycle management, false-positive reduction, and MITRE ATT&CK alignment across enterprise telemetry sources.

Background

A SIEM without a detection engineering discipline is expensive noise generation. The Splunk deployment at Accent Group had accumulated hundreds of alerts over several years, many of them poorly tuned, most of them generating more tickets than analysts could realistically work. The detection engineering programme was an intervention: reset the approach, version-control everything, and build quality gates into the process.

Detection-as-code means every SPL rule lives in version control with a description, severity, MITRE ATT&CK mapping, false-positive guidance, and a peer review requirement before it goes live. That discipline forces you to think through the detection before you deploy it: what exactly is this detecting, what are the benign triggers, and what does an analyst need to know to triage it? The review gate catches poorly scoped rules before they generate noise.

The MITRE ATT&CK coverage map was built to identify gaps rather than celebrate coverage. Knowing which techniques you're detecting is less useful than knowing which high-risk techniques you're not detecting. The map drives prioritisation: build detections for the techniques most relevant to your threat model first, not the ones that are easiest to write. SOAR playbook integration handles the tier-1 triage for common, well-understood alert types, which frees analysts for investigation work.
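One shape the quality gate and the coverage map can take, as an added illustration rather than the project's own tooling: a Python check that rejects rules lacking the required metadata, then lists prioritised ATT&CK techniques with no passing detection. The rule schema, sample rules, SPL field names, and the priority list are all constructed for this example.

```python
import re

# Metadata every rule must carry before review: description, severity,
# ATT&CK mapping, false-positive guidance, and a named reviewer.
REQUIRED = ("name", "description", "severity", "mitre", "false_positives", "spl", "reviewed_by")
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # e.g. T1078 or T1059.001

# Constructed sample rules; a real repo would load these from YAML files.
SAMPLE_RULES = [
    {"name": "powershell_encoded_command",
     "description": "PowerShell launched with an encoded command line",
     "severity": "high", "mitre": ["T1059.001"],
     "false_positives": "Some management agents use -EncodedCommand; allowlist by parent",
     "spl": 'index=endpoint process_name="powershell.exe" cmdline="*-enc*"',
     "reviewed_by": "analyst.b"},
    {"name": "new_local_admin",             # fails: no FP guidance, no reviewer
     "description": "User added to local Administrators group",
     "severity": "medium", "mitre": ["T1078"],
     "spl": "index=wineventlog EventCode=4732 GroupName=Administrators"},
    {"name": "rdp_logon_from_workstation",  # fails: bad severity, malformed technique id
     "description": "Type-10 logon originating from a workstation subnet",
     "severity": "urgent", "mitre": ["T1021.001", "1021"],
     "false_positives": "Helpdesk jump hosts; exclude by source subnet",
     "spl": "index=wineventlog EventCode=4624 Logon_Type=10",
     "reviewed_by": "analyst.c"},
]

# Techniques the threat model ranks highest; the gap report keeps this order.
PRIORITY_TECHNIQUES = ["T1059.001", "T1078", "T1021.001", "T1003.001"]


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule passes the review gate."""
    problems = [f"missing field: {f}" for f in REQUIRED if not rule.get(f)]
    sev = rule.get("severity")
    if sev and sev not in SEVERITIES:
        problems.append(f"unknown severity: {sev!r}")
    for tid in rule.get("mitre") or []:
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed ATT&CK id: {tid!r}")
    return problems


def coverage_gaps(rules, priority_techniques):
    """Priority techniques with no rule that passes the gate; failing rules earn no credit."""
    covered = {t for r in rules if not validate_rule(r) for t in r["mitre"]}
    return [t for t in priority_techniques if t not in covered]
```

Running the gate in CI on every pull request is what turns the metadata requirement into an enforced check rather than a convention.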

Highlights

  • Detection-as-code: all rules version-controlled with peer review gates
  • MITRE ATT&CK coverage map — identifies gaps, prioritises high-risk techniques
  • Alert severity tuning framework to reduce analyst fatigue
  • Automated enrichment: threat intel lookups and asset context injection
  • SOAR playbook integration for tier-1 triage automation