Summary
Detections and alerting are the bread and butter of any SOC environment, and it's important that you can determine which ones are successful and which ones need some help. You should set up a way to track the efficacy of alerts and audit the detection rules on a rotating basis, so that they stay up to date with your potentially changing environment. After you've determined what does and doesn't work, you need to find a way to tell your story in a quantitative way that brings visibility to the risks, the successes, the state of the SOC environment, the need for resources, and so on. The skills gained from this chapter center on key metrics that can be captured immediately within your environment and on identifying good and bad detections. In the next chapter, we'll talk through runbooks, what to do after an alert is triggered, and the triage process.
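As an added illustration (not code from the book), the script below shows one way to capture the two things this summary calls for: per-rule efficacy from analyst dispositions, and a rotating review audit that flags rules whose last review is older than a chosen interval. Rule names, dates, dispositions and thresholds are all constructed sample values; the 90-day review window and 0.5 precision floor are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Analyst dispositions: a true positive found malicious activity, a benign true
# positive fired as designed on authorized activity, a false positive was noise.
CORRECT = {"true_positive", "benign_true_positive"}


@dataclass(frozen=True)
class Alert:
    rule: str
    fired_on: date
    disposition: str


@dataclass(frozen=True)
class Rule:
    name: str
    last_reviewed: date


def rule_metrics(alerts, rules, today, review_interval_days=90, min_precision=0.5):
    """Per-rule counts, precision, review age and a suggested action (assumed policy)."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a.rule].append(a)
    report = {}
    for r in rules:
        fired = by_rule.get(r.name, [])
        total = len(fired)
        tp = sum(1 for a in fired if a.disposition == "true_positive")
        btp = sum(1 for a in fired if a.disposition == "benign_true_positive")
        fp = sum(1 for a in fired if a.disposition == "false_positive")
        precision = (tp + btp) / total if total else None
        age = (today - r.last_reviewed).days
        stale = age > review_interval_days
        if total == 0:
            action = "verify"      # silent rule: log source broken, or rule obsolete
        elif precision < min_precision:
            action = "tune"        # mostly noise: narrow the logic or add exclusions
        else:
            action = "keep"
        if stale:
            action += "+review"    # overdue on the rotating audit regardless of quality
        report[r.name] = {
            "total": total, "tp": tp, "btp": btp, "fp": fp,
            "precision": precision, "days_since_review": age,
            "stale": stale, "action": action,
        }
    return report


def program_summary(report):
    """Roll-up numbers for the quantitative story: volume, overall precision, backlog."""
    total = sum(v["total"] for v in report.values())
    correct = sum(v["tp"] + v["btp"] for v in report.values())
    needs_action = sorted(k for k, v in report.items() if v["action"] != "keep")
    return {
        "alerts": total,
        "overall_precision": correct / total if total else None,
        "rules_needing_action": needs_action,
    }


def build_sample():
    """Constructed sample data standing in for a SIEM/case-management export."""
    rules = [
        Rule("brute_force_login", date(2024, 1, 10)),
        Rule("rare_parent_process", date(2024, 5, 1)),
        Rule("dns_txt_beacon", date(2024, 2, 15)),
    ]
    alerts = (
        [Alert("brute_force_login", date(2024, 5, d), "false_positive") for d in range(1, 7)]
        + [Alert("brute_force_login", date(2024, 5, 9), "true_positive"),
           Alert("brute_force_login", date(2024, 5, 20), "true_positive")]
        + [Alert("rare_parent_process", date(2024, 5, d), "true_positive") for d in (3, 11, 25)]
        + [Alert("rare_parent_process", date(2024, 5, 14), "benign_true_positive")]
    )
    return alerts, rules


if __name__ == "__main__":
    alerts, rules = build_sample()
    report = rule_metrics(alerts, rules, today=date(2024, 6, 1))
    for name, m in report.items():
        print(f"{name:22s} fired={m['total']:2d} precision={m['precision']} "
              f"review_age={m['days_since_review']:3d}d action={m['action']}")
    print(program_summary(report))
```

The "verify" action is the case most teams forget: a rule that never fires is not automatically a good rule, since a dropped log source or a renamed field produces the same silence as a clean environment, and only the review cycle catches that.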