Skip to content

Detection as Code

The RBA Community wants to be a front-runner for Detection as Code. We believe this will be crucial for organizations looking to build a modern SOC. So what is Detection as Code?

What is DaC

"Detection as Code" (DaC) is a concept that extends the principles of Infrastructure as Code (IaC) and DevOps practices to the realm of security and threat detection. It involves automating the configuration, deployment, and management of security detection and monitoring tools and rulesets using code and automation tools.

Here are the key components and ideas associated with Detection as Code:

  1. Automation: Just like Infrastructure as Code automates the provisioning of infrastructure resources, Detection as Code automates the deployment and management of security monitoring and detection tools. This can include setting up intrusion detection systems (IDS), intrusion prevention systems (IPS), log management solutions, SIEM (Security Information and Event Management) platforms, and more.

  2. Code: Security configurations and rulesets are defined in code (typically using declarative languages or scripts). This code can be version-controlled, reviewed, and tested just like application code or infrastructure code. It allows security teams to define detection rules, alerting thresholds, and responses in a structured and reproducible manner.

  3. Integration: DaC integrates with existing DevOps pipelines and workflows. This means that security configurations and monitoring rules can be seamlessly integrated into the software development and deployment processes. Security becomes an integral part of the development lifecycle rather than a separate phase.

  4. Continuous Monitoring: DaC promotes the idea of continuous monitoring and real-time threat detection. It ensures that security rules are consistently enforced and monitored as the infrastructure and applications evolve.

  5. Scalability: Automation allows for the easy scaling of security monitoring capabilities as the infrastructure grows. As new resources are provisioned, the necessary security configurations are automatically applied.

  6. Compliance and Auditing: DaC can help with compliance by ensuring that security policies and configurations are consistently applied across the environment. It also provides audit trails and documentation of security configurations and changes.

  7. Resilience: By automating security detection and response, organizations can respond more quickly and effectively to security incidents, reducing the potential impact of breaches.

In summary, Detection as Code is a security approach that treats security monitoring and detection as a code-driven, automated process. It aligns with modern DevOps practices to ensure that security is not a bottleneck in the development and deployment pipeline but rather an integrated and automated part of the process. This approach can improve an organization's overall security posture and its ability to respond to threats in a timely manner.

Helpful Resources

.Conf Talks

SEC1847A - Deploying Detection as Code at Scale

SEC1197C - Build Detection as Code Like the Splunk Threat Research Team

Content Development Tools

Splunk's Content Control Tool (contentCTL)


GPT-4 Assisted Detection Engineering