The article explains how Detection as Code brings software engineering discipline to security detections by adding version control, peer review, testing, rollback, and traceability through Terraform. It also shows a Rapid7 Terraform example for an encoded PowerShell detection mapped to T1059.001, along with AI-assisted rule writing and import support for existing UI-built rules. #Rapid7 #Terraform #PowerShell #T1059.001 #IncidentCommand #InsightIDR
Key points
- Detection engineering is often managed manually through UI edits, wikis, and single-user saves, unlike software engineering workflows.
- Detection as Code applies version control, peer review, automated validation, and rollback to detection rules.
- Inline test cases help verify that a detection fires on malicious activity and does not trigger on benign activity.
- Terraform plan and Terraform state provide a preview and authoritative record of the detection environment.
- The article provides a Rapid7 Terraform provider example for detecting encoded PowerShell execution with high-priority alerting.
- The example detection is mapped to MITRE ATT&CK technique T1059.001 and includes positive and negative test payloads.
- The workflow supports importing existing UI rules and using AI tools like Claude Code, Cursor, VS Code Copilot, and Kiro to draft detections faster.
Read more: https://www.rapid7.com/blog/post/dr-scaling-engineering-detection-as-code