Deploying Detections at Scale — Part 0x01 use-case format and automated validation
At FalconForce, we have built a large repository of over 350 detection queries. A question we get asked a lot is: “how do you manage and deploy such a collection at scale?”
Because we want to support the infosec community, we have decided to release our internally developed file format for storing these detections, as well as the automated tools we use to manage and validate a repository of detections. If you are a frequent reader of our blogs, it will come as no surprise that we focus on the Microsoft Sentinel and Microsoft 365 Defender platforms.
TL;DR
We are releasing a number of things as part of this blog post:
- The file format for use-cases that can be used for Sentinel and Microsoft 365 Defender. This includes the JSON Schema definitions that can be used for automated validation of syntax and structure.
- Example use-cases in this new format, based on detections from previous FalconFriday blog posts.
- Tooling to validate the correctness of these files.
- An example Azure DevOps CI pipeline to automate the validation of these files.
- A stand-alone KQL query analyzer REST server that can verify KQL query syntax, including knowledge of the schemas used in Sentinel and Microsoft 365 Defender.
At a later stage, we plan to release additional parts of our tooling that allow customization of use-cases for specific environments, management of allow-lists, and automated deployment.
Cross-post from medium.com; please read the full article here:
Direct link to our GitHub page: