Module 5 Assignment: Detection engineering and evaluation

Scenario

You are advising a security operations center tuning AI-assisted detections before analyst rollout. The stakeholders are: SOC analyst, detection engineer, incident commander, and business system owner.

Task

Answer the module question: How do we measure detection quality?

Use the module lab and course readings to produce a detection engineering packet (threat model, false-positive analysis, and triage workflow) focused on detection engineering and evaluation: create detection rules and evaluate their false positives against labelled telemetry.

Required Evidence

  • Define the decision or system boundary in one paragraph.

  • Identify the dataset, proxy data, or evidence source you used: synthetic security telemetry with login velocity, data transfer volume, process rarity, and threat labels.

  • Compare at least two alternatives, baselines, policies, or designs.

  • Report one quantitative result or structured scoring table.

  • Explain two failure modes and one mitigation for each.

  • State what additional evidence would be required before real deployment.
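A worked example of the evidence the list above asks for, added here and not part of the course lab or notebook: it scores two candidate rules over a small constructed telemetry set with the four fields named above (login velocity, data transfer volume, process rarity, threat label) and returns the confusion counts, precision, recall, false-positive rate and an analyst-load proxy as a scoring table. The baseline is a single-threshold OR rule over velocity and volume; the alternative requires two of three signals to corroborate before alerting. The telemetry rows, the thresholds (20 logins/hour, 500 MB, rarity 0.8) and the rule names are assumptions chosen for illustration, not values from the course material.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """One host-hour of synthetic telemetry (constructed for this example)."""
    host: str
    login_velocity: int    # logins observed in the hour
    transfer_mb: float     # outbound data volume in the hour, MB
    process_rarity: float  # 0.0 = seen fleet-wide, 1.0 = seen on this host only
    is_threat: bool        # ground-truth label, used only for scoring


# Constructed labelled telemetry, not real data. Benign rows include the
# noisy-but-legitimate cases that drive false positives in practice.
TELEMETRY: List[Event] = [
    Event("h01", 3, 12.0, 0.05, False),
    Event("h02", 5, 40.0, 0.10, False),
    Event("h03", 25, 8.0, 0.02, False),    # scheduled job: login burst, nothing else
    Event("h04", 2, 900.0, 0.08, False),   # nightly backup: large transfer only
    Event("h05", 4, 15.0, 0.95, False),    # one-off admin tool: rare process only
    Event("h06", 30, 650.0, 0.90, True),   # spray, staging and a rare binary
    Event("h07", 6, 30.0, 0.97, True),     # living-off-the-land: rare process, low volume
    Event("h08", 22, 520.0, 0.15, True),   # velocity plus volume, common tooling
    Event("h09", 1, 5.0, 0.01, False),
    Event("h10", 8, 60.0, 0.12, False),
    Event("h11", 40, 300.0, 0.85, True),   # velocity plus rare process
    Event("h12", 3, 700.0, 0.88, True),    # volume plus rare process
]

# Assumed thresholds, tuned by eye for the constructed data above.
LOGIN_VELOCITY_MAX = 20
TRANSFER_MB_MAX = 500.0
RARITY_MIN = 0.8

Rule = Callable[[Event], bool]


def signals(e: Event) -> List[bool]:
    """The three per-feature indicators both rules are built from."""
    return [e.login_velocity > LOGIN_VELOCITY_MAX,
            e.transfer_mb > TRANSFER_MB_MAX,
            e.process_rarity > RARITY_MIN]


def baseline_rule(e: Event) -> bool:
    """Alternative 1: alert on velocity OR volume alone (rarity unused)."""
    velocity, volume, _ = signals(e)
    return velocity or volume


def corroborated_rule(e: Event) -> bool:
    """Alternative 2: alert only when at least two of the three signals agree."""
    return sum(signals(e)) >= 2


def evaluate(rule: Rule, events: List[Event]) -> Dict[str, float]:
    """Confusion counts plus the metrics a detection review should report."""
    tp = fp = fn = tn = 0
    for e in events:
        alerted = rule(e)
        if alerted and e.is_threat:
            tp += 1
        elif alerted:
            fp += 1
        elif e.is_threat:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 3), "recall": round(recall, 3),
            "fpr": round(fpr, 3), "f1": round(f1, 3),
            # analyst-load proxy: alerts per 100 events that land in the queue
            "alerts_per_100": round(100 * (tp + fp) / len(events), 1)}


def false_alarms(rule: Rule, events: List[Event]) -> List[str]:
    """Hosts alerted on without a threat label: input to the false-positive analysis."""
    return [e.host for e in events if rule(e) and not e.is_threat]


def misses(rule: Rule, events: List[Event]) -> List[str]:
    """Threat-labelled hosts the rule stayed silent on: input to the failure-mode section."""
    return [e.host for e in events if e.is_threat and not rule(e)]


def scoring_table(events: List[Event]) -> List[Dict[str, object]]:
    """One row per alternative, ready to paste into the memo's evidence section."""
    rows = []
    for name, rule in (("baseline_or_manual_process", baseline_rule),
                       ("corroborated_two_of_three", corroborated_rule)):
        rows.append({"option": name, **evaluate(rule, events)})
    return rows


if __name__ == "__main__":
    for row in scoring_table(TELEMETRY):
        print(row)
    print("baseline false alarms:", false_alarms(baseline_rule, TELEMETRY))
    print("corroborated misses:  ", misses(corroborated_rule, TELEMETRY))
```

On this constructed set the corroboration rule removes both baseline false positives (the scheduled job h03 and the backup h04) without losing a true positive, so precision rises from 0.667 to 1.0 and the alert queue shrinks from 50 to about 33 alerts per 100 events. Both rules still miss h07, the rare-process, low-volume event: that is one failure mode the memo should name (a single weak signal never reaches the corroboration threshold), with a mitigation such as a separate rarity-only rule routed to a lower-priority triage lane. The second failure mode is the evidence itself: with twelve labelled rows every metric above has a very wide confidence interval, so before deployment the same table must be recomputed on a larger labelled set split by time, with the thresholds chosen on one period and scored on a later one.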

Submission

Submit the completed notebook plus a 900-1200 word memo. The memo must include clear headings for context, method, evidence, risks, recommendation, and open questions.

# Assignment workspace for Module 5: Detection engineering and evaluation
module = 5
decision = "How do we measure detection quality?"
artifact = "detection engineering packet with threat model, false-positive analysis, and triage workflow focused on detection engineering and evaluation: Create detection rules and evaluate false positives."

# One entry per design you compared; fill in the strength, the risk, and the
# evidence (metric, scoring table, or lab output) that supports each claim.
alternatives = [
    {"option": "baseline_or_manual_process", "strength": "", "risk": "", "evidence": ""},
    {"option": "ai_assisted_or_advanced_option", "strength": "", "risk": "", "evidence": ""},
]

# The recommendation must name the metric you will monitor after rollout and
# the value of that metric that triggers a rollback to the baseline.
recommendation = {
    "decision": decision,
    "recommended_option": "",
    "minimum_evidence_before_pilot": [],
    "monitoring_metric": "",
    "rollback_trigger": "",
}

# Bare expression so the notebook displays the packet skeleton as cell output.
{"module": module, "artifact": artifact, "alternatives": alternatives, "recommendation": recommendation}
{'module': 5,
 'artifact': 'detection engineering packet with threat model, false-positive analysis, and triage workflow focused on detection engineering and evaluation: Create detection rules and evaluate false positives.',
 'alternatives': [{'option': 'baseline_or_manual_process',
   'strength': '',
   'risk': '',
   'evidence': ''},
  {'option': 'ai_assisted_or_advanced_option',
   'strength': '',
   'risk': '',
   'evidence': ''}],
 'recommendation': {'decision': 'How do we measure detection quality?',
  'recommended_option': '',
  'minimum_evidence_before_pilot': [],
  'monitoring_metric': '',
  'rollback_trigger': ''}}

Acceptance Criteria

Your submission is complete only if another reviewer can reproduce your reasoning from the evidence you provide. You do not need production-grade data, but you must be explicit about proxy-data limits and what would change with real institutional data.