Module 1 Assignment: Security telemetry and threat models
Scenario
You are advising a security operations center tuning AI-assisted detections before analyst rollout. The stakeholders are: SOC analyst, detection engineer, incident commander, and business system owner.
Task
Answer the module question: What signals reveal malicious behavior?
Use the module lab and course readings to produce a detection engineering packet with a threat model, false-positive analysis, and triage workflow focused on security telemetry and threat models: map telemetry to threat hypotheses.
Required Evidence
Define the decision or system boundary in one paragraph.
Identify the dataset, proxy data, or evidence source you used: synthetic security telemetry with login velocity, data transfer volume, process rarity, and threat labels.
Compare at least two alternatives, baselines, policies, or designs.
Report one quantitative result or structured scoring table.
Explain two failure modes and one mitigation for each.
State what additional evidence would be required before real deployment.
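As an added worked example (not the course's own code) of the comparison the required evidence asks for: constructed synthetic telemetry with the four fields named above, a single-threshold manual baseline beside an assumed weighted-score alternative, and a scoring function that returns the confusion counts, precision, recall and false-positive rate for the quantitative result. The thresholds, weights and sample rows are assumptions; row ws-09 illustrates one failure mode, a newly deployed but benign rare process that still trips the score.

```python
# Added example, not course code: score two candidate detections on constructed
# synthetic telemetry so the comparison can be reported as a structured table.
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    login_velocity: int    # logins per hour for the account
    transfer_mb: float     # outbound volume in the window
    process_rarity: float  # 0.0 = common fleet-wide, 1.0 = never seen before
    label: int             # 1 = labelled malicious, 0 = benign (synthetic)

# Constructed sample rows; values are illustrative, not from a real fleet.
TELEMETRY = [
    Event("ws-01", 2, 5.0, 0.05, 0),
    Event("ws-02", 40, 3.0, 0.10, 0),     # noisy batch job: high velocity, benign
    Event("ws-03", 3, 900.0, 0.02, 0),    # scheduled backup: large transfer, benign
    Event("ws-04", 55, 1200.0, 0.95, 1),  # velocity + exfil + rare process
    Event("ws-05", 4, 20.0, 0.99, 1),     # rare process is the only signal
    Event("ws-06", 30, 700.0, 0.60, 1),
    Event("ws-07", 1, 2.0, 0.00, 0),
    Event("ws-08", 45, 10.0, 0.20, 0),    # helpdesk password resets, benign
    Event("ws-09", 3, 15.0, 0.97, 0),     # newly deployed admin tool, benign
]

def baseline_rule(e: Event) -> bool:
    """Manual-process baseline: alert when any one threshold is crossed."""
    return e.login_velocity > 25 or e.transfer_mb > 500

def signal_score(e: Event) -> float:
    """Advanced option: weighted sum of normalised signals (weights are assumed)."""
    return (min(e.login_velocity / 50, 1.0) * 0.4
            + min(e.transfer_mb / 1000, 1.0) * 0.4
            + e.process_rarity * 0.6)

def weighted_score(e: Event, threshold: float = 0.6) -> bool:
    return signal_score(e) >= threshold

def score_detector(detector, events=TELEMETRY) -> dict:
    """Confusion counts plus precision, recall and false-positive rate."""
    tp = sum(detector(e) and e.label == 1 for e in events)
    fp = sum(detector(e) and e.label == 0 for e in events)
    fn = sum(not detector(e) and e.label == 1 for e in events)
    tn = len(events) - tp - fp - fn
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}
```

Calling `score_detector(baseline_rule)` and `score_detector(weighted_score)` gives the two rows of the scoring table; the memo should state why ws-09 still fires and what additional evidence (for example a software-inventory allowlist) would be needed before deployment.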
Submission
Submit the completed notebook plus a 900-1200 word memo. The memo must include clear headings for context, method, evidence, risks, recommendation, and open questions.
# Assignment workspace for Module 1: Security telemetry and threat models
module = 1
decision = "What signals reveal malicious behavior?"
artifact = "detection engineering packet with threat model, false-positive analysis, and triage workflow focused on security telemetry and threat models: Map telemetry to threat hypotheses."
alternatives = [
    {"option": "baseline_or_manual_process", "strength": "", "risk": "", "evidence": ""},
    {"option": "ai_assisted_or_advanced_option", "strength": "", "risk": "", "evidence": ""},
]
recommendation = {
    "decision": decision,
    "recommended_option": "",
    "minimum_evidence_before_pilot": [],
    "monitoring_metric": "",
    "rollback_trigger": "",
}
{"module": module, "artifact": artifact, "alternatives": alternatives, "recommendation": recommendation}
{'module': 1,
'artifact': 'detection engineering packet with threat model, false-positive analysis, and triage workflow focused on security telemetry and threat models: Map telemetry to threat hypotheses.',
'alternatives': [{'option': 'baseline_or_manual_process',
'strength': '',
'risk': '',
'evidence': ''},
{'option': 'ai_assisted_or_advanced_option',
'strength': '',
'risk': '',
'evidence': ''}],
'recommendation': {'decision': 'What signals reveal malicious behavior?',
'recommended_option': '',
'minimum_evidence_before_pilot': [],
'monitoring_metric': '',
'rollback_trigger': ''}}
Acceptance Criteria
Your submission is complete only if another reviewer can reproduce your reasoning from the evidence you provide. You do not need production-grade data, but you must be explicit about proxy-data limits and what would change with real institutional data.