Primarily focused on providing high-level information, references, and background.
A succinct statement that describes the detection (e.g. Detect Communication with a Known-Bad IP).
List applicable compliance frameworks and specific components this Detection relates to.
List applicable MITRE ATT&CK Framework Tactics/Techniques this Detection relates to.
Describes any assumptions/limitations regarding law, licensing, policies, or technicalities.
Insight on the actions of and tools for those who are expected to monitor and respond.
Describes how the detection will bring attention to itself. This typically involves monitors, dashboards, reports, emails, alerts, etc.
Describes which one or more playbooks should be followed in handling the detection.
The necessary steps and content construction that fulfills the Detection. If the Detection and all its components were lost, this section should allow complete reconstruction.
The base components that provide business logic, display, and notification.
Methods to ensure the Detection was developed and is operating properly. These can be pass/fail, time based, or other relevant measurements. When possible, include an automated script or manual steps to cause the alert to fire on demand (i.e. attack simulation).
Specific actions to reproduce events that are expected to be detected/highlighted by Playbooks components.
Any useful resources or references that can help understand the vulnerability, attack, detection logic, affected software, protocols, etc.