Field Notes · June 2026
A Detection Is More Than a Query
A practical framework for turning an interesting search into an operationally useful detection.
Start with behavior
A useful detection begins with a behavior worth finding, not a tool feature. State what the adversary is trying to accomplish, then identify the observable evidence that the environment can reliably produce.
Record the assumptions
Document required data sources, expected field mappings, normal administrative activity, and known blind spots. This turns hidden context into something a reviewer can test.
Make validation repeatable
Generate a known-positive event in a controlled environment. Save the procedure, timestamp, host, expected telemetry, and actual result. If another analyst cannot reproduce the alert, the detection is not finished.
Design the investigation
Include a short triage path: what to verify first, which entities to pivot on, what raises severity, and which evidence supports closure. The query finds a signal; the investigation guidance makes it operational.