Detection Backlog
Purpose
Organize CTI-derived detection candidates by value, evidence, telemetry, readiness, and validation state.
Practitioner-Level Explanation
A detection backlog is not a wish list; its maturity should be compared against the Israel CTI Detection Status Dashboard. Each item should record source behavior, evidence, expected value, telemetry dependency, false-positive risk, owner, readiness level, and promotion criteria. Backlog discipline prevents teams from losing good hypotheses or from promoting immature logic too early.
CTI Relevance
Backlogs connect CTI priorities to engineering capacity and SOC readiness.
Common Mistakes
- Jumping straight from an actor report to a production alert.
- Skipping telemetry requirements.
- Ignoring false positives and tuning.
- Claiming coverage without validation.
Practical Workflow
- Create one row per detection idea.
- Link source and evidence.
- Record telemetry dependency.
- Score value and feasibility.
- Assign owner and readiness.
- Track testing and false positives.
- Promote, defer, or retire.
Example / Mini Case
A backup-deletion behavior may be high impact but blocked by missing process telemetry. The backlog item remains at Hunt or Design until the telemetry exists and tests are completed, at which point it can reach DRL-5 or above.
Analyst Checklist
- Is there a source-backed behavior?
- Is telemetry available?
- Is the hypothesis testable?
- Are false positives named?
- Is the readiness level honest?
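The Practical Workflow, the mini case and the Analyst Checklist above describe one decision procedure: record each idea as a row, check its gates, and promote, defer or retire it. The following Python module is an added example (not code from this page or its project) that models that procedure. The row fields follow the Output Artifact template, the Hunt/Design stages and the DRL-5 promotion bar come from the page; the Production stage, the value-times-feasibility score, the retire rule, the telemetry names, evidence IDs and the ATT&CK technique mapping are this example's assumptions.

```python
"""Detection backlog triage (added example, not the page's own tooling).

One row per detection idea; the Analyst Checklist questions become boolean
gates, and the mini-case rule (stay Hunt/Design until telemetry exists and
tests pass, then DRL-5 or above) gates promotion.
"""
from dataclasses import dataclass, field
from typing import Optional

PROMOTION_DRL = 5   # page: promote only at DRL-5 or above


@dataclass
class BacklogItem:
    # Field names mirror the page's Output Artifact template.
    detection_id: str
    title: str
    source_behavior: str
    evidence_id: Optional[str]
    technique: str
    telemetry_required: list[str]
    priority: int                        # assumption: 1 = highest impact, 5 = lowest
    false_positives: list[str] = field(default_factory=list)  # named FP sources
    validation_status: str = "untested"  # untested | in-test | passed | failed
    readiness_level: int = 1             # claimed DRL
    owner: Optional[str] = None
    stage: str = "Hunt"                  # Hunt | Design | Production (last one assumed)


def missing_telemetry(item: BacklogItem, available: set[str]) -> list[str]:
    """Dependencies the item needs that the environment does not collect."""
    return sorted(set(item.telemetry_required) - available)


def checklist(item: BacklogItem, available: set[str]) -> dict[str, bool]:
    """The five Analyst Checklist questions as boolean gates."""
    gaps = missing_telemetry(item, available)
    tested = item.validation_status == "passed"
    return {
        "source_backed": bool(item.source_behavior) and item.evidence_id is not None,
        "telemetry_available": not gaps,
        # A hypothesis is only testable against data that is collected and owned.
        "testable": not gaps and item.owner is not None,
        "false_positives_named": bool(item.false_positives),
        # A claimed DRL at or above the bar is honest only with telemetry and passed tests.
        "readiness_honest": item.readiness_level < PROMOTION_DRL or (not gaps and tested),
    }


def score(item: BacklogItem, available: set[str]) -> float:
    """Value x feasibility for ordering the backlog (assumed scoring model)."""
    value = (6 - item.priority) / 5                       # priority 1 -> 1.0
    need = len(item.telemetry_required) or 1
    feasibility = 1 - len(missing_telemetry(item, available)) / need
    return round(value * feasibility, 3)


def decide(item: BacklogItem, available: set[str]) -> tuple[str, str]:
    """Promote, defer, or retire one row; returns (decision, next_step)."""
    gates = checklist(item, available)
    gaps = missing_telemetry(item, available)
    if not gates["source_backed"]:
        return "retire", "no source-backed behavior or evidence ID"
    if not gates["readiness_honest"]:
        return "defer", f"claimed DRL-{item.readiness_level} not supported; reset readiness"
    if gaps:   # mini case: stays Hunt or Design until the telemetry exists
        return "defer", "onboard telemetry: " + ", ".join(gaps)
    if not gates["false_positives_named"]:
        return "defer", "enumerate false-positive sources before testing"
    if item.validation_status != "passed":
        return "defer", f"complete validation (currently {item.validation_status})"
    if item.readiness_level < PROMOTION_DRL:
        return "defer", f"raise readiness to DRL-{PROMOTION_DRL} with evidence"
    return "promote", "hand off to SOC with tuning notes"


def triage(items: list[BacklogItem], available: set[str]) -> list[dict]:
    """Score and decide every row, highest score first."""
    rows = [{"id": it.detection_id, "score": score(it, available),
             "decision": decide(it, available)[0],
             "next_step": decide(it, available)[1]} for it in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample backlog: telemetry names, evidence IDs and IDs are made up.
AVAILABLE_TELEMETRY = {"auth-log", "netflow", "backup-service-log"}

BACKLOG = [
    BacklogItem("DET-0001", "Backup deletion before encryption",
                "adversary deletes backups before deploying ransomware",
                "EV-0042", "T1490", ["process-creation", "command-line"],
                priority=1, false_positives=["scheduled backup rotation"],
                readiness_level=2, owner="det-eng", stage="Design"),
    BacklogItem("DET-0002", "Backup job cancelled outside change window",
                "backup jobs cancelled shortly before intrusion activity",
                "EV-0043", "T1490", ["backup-service-log"], priority=2,
                false_positives=["approved maintenance"],
                validation_status="passed", readiness_level=5, owner="det-eng"),
    BacklogItem("DET-0003", "Untraceable idea from a chat", "", None, "",
                ["netflow"], priority=3),
]

if __name__ == "__main__":
    for row in triage(BACKLOG, AVAILABLE_TELEMETRY):
        print(row)
```

Running the module lists DET-0002 as promotable, DET-0003 as retired for lacking any source-backed behavior, and DET-0001 (the mini case) deferred with the missing process telemetry named as its next step; once that telemetry is onboarded and validation passes at DRL-5, the same row promotes.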
Output Artifact
Detection ID:
Title:
Source Behavior:
Evidence ID:
Technique:
Telemetry Required:
Priority:
False Positives:
Validation Status:
Readiness Level:
Owner:
Next Step:
Cross-Links
- Detection Backlog Item
- Telemetry Requirements
- Detection Readiness Levels
- Intelligence to Detection
- SOC Handoff