So here鈥檚 a genuine question to those of you who actually run detective engineering teams: What do you consider as good inputs to that team?
We could consider these as tickets, but what should those tickets contain?
There seems to be a question of whether or not things should be broken down and spoonfed to a detection engineering team (think actual ELK queries or Sigma rules that they simply verify or tune), or if you should leave some things open to interpretation so that the team has something that they can research as well (think links to articles, incident reports, or threat reports).
Or maybe it鈥檚 something in between where you give them command lines, persistence, mechanisms, hashes, and other indicators.
Or is it possible that these things vary depending on the skill level of the individual involved?

