Detection Engineering
Signals over signatures. Patterns over point rules.

Detection engineering at Wolfe Defense Labs is about building the smallest possible set of high-value signals that survive attacker adaptation—and that smaller teams can actually run. We focus on cloud, identity, and endpoint telemetry, and how they intersect in real investigations.

  • Cloud & identity-centric detections
  • Small-team friendly signal design
  • Tied directly to IR playbooks

The output isn’t just rules—it’s detection patterns, validation workflows, and runbooks that show what to do when the signal fires.

Philosophy

How we think about detection engineering

Most teams don’t need more alerts; they need better signals tied to how attacks and investigations actually unfold. We design with that constraint in mind.

Outcome-driven

Signals that change decisions

A detection is only valuable if it leads to a different outcome than if it never fired.

  • We tie each signal to a concrete investigation path
  • We document expected actions & escalation
  • We prioritize “few, high-value” detections over volume

Context-aware

Identity, cloud & endpoint together

No single log source tells the whole story. We focus on how they intersect:

  • Cloud identity (Entra ID, Workspace) + device context
  • Application logs and SaaS audit trails
  • Correlating “boring” events into meaningful patterns

Small-team reality

Detections you can actually maintain

We assume limited time, people, and tooling. That changes how we design:

  • Preference for durable heuristics over fragile rules
  • Sane requirements for log volume and retention
  • Alert flows that don’t assume a 24/7 SOC

Focus areas

Where we invest detection engineering effort

We prioritize the points where attackers get disproportionate leverage and where good signals can be reused across organizations.

Cloud & identity

Suspicious access & token behavior

We design detections around how access is granted, escalated, and abused:

  • Unusual MFA patterns and sign-in locations
  • Risky app consent & role assignment events
  • Token misuse and long-lived session behavior

Endpoints & lateral movement

Movement across internal systems

Not every environment can deploy every EDR feature, but many can still detect:

  • Abnormal admin usage and remote tooling
  • Credential dumping precursors and artifacts
  • File, process, and service anomalies that tie back to known paths

SaaS & business workflows

Abuse of “normal” activity

We look at detection opportunities inside business systems:

  • Mailbox rule abuse & exfil patterns
  • Automation rules and webhook misuse
  • High-risk changes in CRM, ticketing, and finance tools

Patterns

Representative detection patterns we study

Each of these patterns becomes a combination of log source guidance, queries or rules, and an investigation mini-playbook.

Pattern

“Benign” sign-in anomaly + mailbox rule

Many intrusions start with a single compromised account:

  • Detect sign-ins from unusual locations or devices
  • Correlate quickly with new or modified mailbox rules
  • Drive immediate checks for forwarding, exfil, and OAuth consent

Pattern

Admin role changes near risky app activity

Attackers often escalate privileges then register or modify apps:

  • Monitor privileged group and role changes
  • Watch for app registrations, credential changes, or added secrets
  • Frame investigations around “who can act as whom” in cloud
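The two patterns above share one mechanic: a low-value event (an odd sign-in, a role grant) becomes a signal only when a risky follow-up for the same principal lands inside a short window. As an added illustration, not code from Wolfe Defense Labs, the following Python block implements that correlation over constructed audit records. The field names (`user`, `country`, `known_device`, `forward_to`, `target`, `actor`, `app`) and the window sizes are assumptions for the example, not the schema or tuning of Entra ID, M365, or any other product.

```python
from datetime import datetime, timedelta

# Constructed sample events for this example. The field names are an
# assumption made for illustration, not the schema of any product's audit log.
SIGN_INS = [
    {"ts": "2024-03-04T08:02:11Z", "user": "alice", "country": "US", "known_device": True},
    {"ts": "2024-03-04T08:40:57Z", "user": "bob", "country": "NL", "known_device": False},
    {"ts": "2024-03-04T09:15:03Z", "user": "carol", "country": "US", "known_device": True},
]
MAILBOX_RULES = [
    {"ts": "2024-03-04T08:52:30Z", "user": "bob", "action": "New-InboxRule",
     "forward_to": "ext@example.net", "delete_message": True},
    {"ts": "2024-03-04T13:05:00Z", "user": "carol", "action": "Set-InboxRule",
     "forward_to": None, "delete_message": False},
]
ROLE_CHANGES = [
    {"ts": "2024-03-04T10:00:00Z", "actor": "bob", "target": "bob",
     "role": "Global Administrator"},
    {"ts": "2024-03-04T11:30:00Z", "actor": "admin1", "target": "dave",
     "role": "Application Administrator"},
]
APP_CREDENTIAL_CHANGES = [
    {"ts": "2024-03-04T10:20:00Z", "actor": "bob", "app": "Finance-Sync", "action": "add_secret"},
    {"ts": "2024-03-04T18:00:00Z", "actor": "dave", "app": "HR-Connector", "action": "add_secret"},
]
HOME_COUNTRIES = {"US"}  # assumed baseline for this constructed tenant


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_anomalous_sign_in(event):
    """Cheap, durable heuristic: unfamiliar country or unknown device. On its own
    this is noise; it only becomes a signal when something risky follows it."""
    return event["country"] not in HOME_COUNTRIES or not event["known_device"]


def correlate(triggers, followups, trigger_key, followup_key, window):
    """Pair every trigger with follow-up events that share a key and occur
    within `window` after it. Returns one hit per (trigger, followup) pair."""
    by_key = {}
    for f in followups:
        by_key.setdefault(followup_key(f), []).append(f)
    hits = []
    for t in triggers:
        t0 = parse_ts(t["ts"])
        for f in by_key.get(trigger_key(t), []):
            delta = parse_ts(f["ts"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append({"key": trigger_key(t), "trigger": t, "followup": f,
                             "delta_min": round(delta.total_seconds() / 60, 2)})
    return hits


def sign_in_then_mailbox_rule(sign_ins=SIGN_INS, rules=MAILBOX_RULES,
                              window=timedelta(hours=2)):
    """Pattern 1: anomalous sign-in, then a new or modified inbox rule for the same user."""
    anomalous = [e for e in sign_ins if is_anomalous_sign_in(e)]
    return correlate(anomalous, rules, lambda e: e["user"], lambda r: r["user"], window)


def role_change_then_app_credential(roles=ROLE_CHANGES, creds=APP_CREDENTIAL_CHANGES,
                                    window=timedelta(hours=4)):
    """Pattern 2: a principal is granted a privileged role, then that same principal
    adds or changes an application credential ("who can act as whom")."""
    return correlate(roles, creds, lambda r: r["target"], lambda c: c["actor"], window)


def triage_steps(hit):
    """The mini-playbook attached to a hit: the first checks to run when it fires."""
    f = hit["followup"]
    steps = []
    if "forward_to" in f:  # mailbox-rule follow-up
        if f["forward_to"]:
            steps.append(f"confirm external forwarding to {f['forward_to']} is authorized")
        if f.get("delete_message"):
            steps.append("rule deletes messages: check Deleted Items and recoverable items")
        steps.append("review recent OAuth consents and revoke sessions if compromised")
    if "app" in f:  # app-credential follow-up
        steps.append(f"list permissions and sign-in activity of app {f['app']}")
        steps.append(f"confirm who approved the {hit['trigger']['role']} assignment")
    return steps


if __name__ == "__main__":
    for hit in sign_in_then_mailbox_rule() + role_change_then_app_credential():
        print(hit["key"], f"+{hit['delta_min']} min", triage_steps(hit))
```

Run as-is it reports only `bob` for both patterns: carol's rule follows an unremarkable sign-in and dave's credential change falls outside the window, which is the point of pairing rather than alerting on either event alone. The same `correlate` helper takes any two event streams and key functions, so swapping in a real export only means adapting the field names and windows.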

Pattern

Lateral movement without malware

We look for remote tooling patterns rather than specific binaries:

  • Abnormal RDP, PsExec, WinRM, or remote registry usage
  • Clusters of admin authentication failures and successes
  • Cross-correlating endpoint events with identity and logon sources
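The third pattern is a different mechanic from the first two: a burst of privileged logon failures against several hosts from one source, a success, and then a remote-tooling artifact on the host that was reached. As an added example (not Wolfe Defense Labs code), the Python below scores that sequence over constructed logon and service events. The record layout (`src`, `dst`, `user`, `host`, `service`) is assumed for the example; the event IDs are the Windows ones the records are modelled on (4625 failed logon, 4624 successful logon, 7045 service installed), and the privileged-account list, window and threshold are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names are assumptions for
# this example; event IDs follow Windows (4625 failure, 4624 success, 7045 new service).
EVENTS = [
    {"ts": "2024-03-04T14:00:05Z", "id": 4625, "user": "svc-backup", "src": "WS-17", "dst": "FS-01"},
    {"ts": "2024-03-04T14:00:09Z", "id": 4625, "user": "svc-backup", "src": "WS-17", "dst": "FS-02"},
    {"ts": "2024-03-04T14:00:14Z", "id": 4625, "user": "svc-backup", "src": "WS-17", "dst": "DC-01"},
    {"ts": "2024-03-04T14:00:22Z", "id": 4625, "user": "svc-backup", "src": "WS-17", "dst": "APP-03"},
    {"ts": "2024-03-04T14:01:40Z", "id": 4624, "user": "svc-backup", "src": "WS-17", "dst": "APP-03",
     "logon_type": 3},
    {"ts": "2024-03-04T14:02:10Z", "id": 7045, "host": "APP-03", "service": "PSEXESVC",
     "path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-03-04T14:30:00Z", "id": 4625, "user": "jsmith", "src": "WS-02", "dst": "FS-01"},
    {"ts": "2024-03-04T14:30:30Z", "id": 4624, "user": "jsmith", "src": "WS-02", "dst": "FS-01",
     "logon_type": 3},
]
ADMIN_ACCOUNTS = {"svc-backup", "da-admin"}  # assumed list of privileged accounts


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def failure_cluster_then_success(events, window=timedelta(minutes=10), min_targets=3):
    """For each (source host, privileged account) pair, find a successful logon
    preceded within `window` by failed logons to at least `min_targets` distinct
    hosts. A single user mistyping a password never reaches the threshold."""
    failures = defaultdict(list)  # (src, user) -> [(time, dst)]
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        if e["id"] not in (4624, 4625) or e["user"] not in ADMIN_ACCOUNTS:
            continue
        key = (e["src"], e["user"])
        t = parse_ts(e["ts"])
        if e["id"] == 4625:
            failures[key].append((t, e["dst"]))
            continue
        recent = {dst for ts, dst in failures[key] if t - ts <= window}
        if len(recent) >= min_targets:
            hits.append({"ts": e["ts"], "src": e["src"], "user": e["user"],
                         "landed_on": e["dst"], "failed_targets": sorted(recent)})
    return hits


def remote_service_after(hit, events, window=timedelta(minutes=5)):
    """Escalation check: a service installed on the host the logon landed on,
    shortly after the success, ties the logon cluster to remote tooling."""
    t0 = parse_ts(hit["ts"])
    return [e for e in events
            if e["id"] == 7045 and e["host"] == hit["landed_on"]
            and timedelta(0) <= parse_ts(e["ts"]) - t0 <= window]


def severity(hit, events):
    """Medium on the logon pattern alone; high when the endpoint artifact confirms it."""
    return "high" if remote_service_after(hit, events) else "medium"


if __name__ == "__main__":
    for hit in failure_cluster_then_success(EVENTS):
        print(severity(hit, EVENTS), hit["src"], hit["user"], "->", hit["landed_on"],
              "after failures on", hit["failed_targets"])
```

Only the `svc-backup` sequence from `WS-17` fires, and it is raised to high because the service install on `APP-03` follows the success. The `jsmith` failure is a normal user and a single target, so it never qualifies. The logic keys on behaviour (many targets, then one success, then a new service) rather than on a specific binary name, which is what keeps it useful when the tooling changes.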

Applied output

Where detection engineering shows up for you

The lab work here doesn’t stay theoretical. It directly shapes our solutions, services, and the content we create for clients and partners.

Playbooks & runbooks

Detection patterns are paired with investigation steps and decision points, used in Incident Readiness services and customer IR material.

Platform-specific guidance

Concrete examples and queries for M365, Entra ID, Google Workspace, and common log aggregation platforms, tailored to realistic log volumes.

Signal catalogs for small teams

A prioritized list of “if you can only do X detections, do these” for organizations that don’t have a full SIEM team or 24/7 coverage.

Training & workshops

We turn these patterns into working sessions for defenders—walking through real-world examples and practicing triage & investigation flows.

Need better signals, not just more alerts?

We use this detection engineering work to help teams build a signal set they can actually own—tied directly to realistic threats and response playbooks.
