Chapter Ten · Priya Fights Back
Detection and Monitoring
The intruder's campaign has run through Meridian's controls, and some of it got through. This is where Priya's SOC catches it — turning logs into detections, writing the rules that fire on the intruder's techniques, and hunting for what the rules missed. Detection is what turns "assume breach" from a slogan into an outcome.
Prevention fails eventually — that is the assumption the whole book is built on — so the measure of a security program is how fast it detects the failure and how fast it responds. This chapter is the detection half: collecting the right data, correlating it into meaningful alerts, writing detections against the intruder's techniques, hunting for what automated rules missed, and measuring the whole thing by the numbers that matter.
Five topics: logging that actually helps, SIEM and correlation, detection engineering with Sigma, threat hunting, and measuring detection with MTTD and MTTR. The recurring theme is that the value of a detection system is not how many alerts it generates but how many a human can act on — and how quickly the attacker is caught.