Challenge
A European energy provider operating both traditional IT infrastructure and operational technology (OT) environments needed a unified detection strategy. Their existing SIEM had minimal coverage of ICS-specific threats, and detection rules were managed manually with no version control or testing.
Approach
Crimson7's detection engineering team implemented a comprehensive detection-as-code program:
- Mapped the client's environment to MITRE ATT&CK for Enterprise and ICS frameworks
- Developed detection rules in a structured, version-controlled format
- Built automated testing pipelines for rule validation before deployment
- Created custom detections for Modbus, DNP3, and OPC-UA protocol anomalies
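The four steps above, as an added example that is not the page's or Crimson7's own code: a minimal detection-as-code harness in Python in which each rule is data plus a predicate, carries an ATT&CK for ICS technique mapping, ships with its own true-positive and true-negative sample events, and must pass validation before it could be deployed. The two Modbus rules (a write from a host outside an authorized set, and a function code outside the observed baseline) illustrate the "protocol anomaly" detections named above. The IP addresses, baseline, authorized-writer list, events and technique mappings are all constructed assumptions for the example, not the client's environment.

```python
"""Added example: a tiny detection-as-code harness for Modbus anomaly rules.

Each rule is data plus a predicate, ships with its own true-positive and
true-negative sample events, and is validated before deployment. All hosts,
technique mappings and events are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

Event = Dict[str, object]

# Modbus function codes that change controller state: Write Single Coil (5),
# Write Single Register (6), Write Multiple Coils (15), Write Multiple Registers (16).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}

# Assumed allowlist of engineering workstations permitted to issue writes.
AUTHORIZED_WRITERS = {"10.10.1.5", "10.10.1.6"}

# Assumed baseline of function codes observed during normal operation.
BASELINE_FUNCTIONS = {1, 2, 3, 4} | MODBUS_WRITE_FUNCTIONS


@dataclass
class Rule:
    rule_id: str
    technique: str                          # ATT&CK for ICS technique ID (assumed mapping)
    predicate: Callable[[Event], bool]
    true_positives: List[Event] = field(default_factory=list)
    true_negatives: List[Event] = field(default_factory=list)


def modbus(src: str, fc: int, unit: int = 1) -> Event:
    """Build a constructed Modbus/TCP request summary as a SIEM would normalise it."""
    return {"proto": "modbus", "src_ip": src, "dst_ip": "10.10.2.20",
            "function_code": fc, "unit_id": unit}


RULES: List[Rule] = [
    Rule(
        rule_id="ics-modbus-write-unauthorized-source",
        technique="T0855",  # Unauthorized Command Message (assumed mapping; verify)
        predicate=lambda e: e["proto"] == "modbus"
        and e["function_code"] in MODBUS_WRITE_FUNCTIONS
        and e["src_ip"] not in AUTHORIZED_WRITERS,
        true_positives=[modbus("10.10.3.77", 16)],
        true_negatives=[modbus("10.10.1.5", 16), modbus("10.10.3.77", 3)],
    ),
    Rule(
        rule_id="ics-modbus-function-outside-baseline",
        technique="T0846",  # Remote System Discovery (assumed mapping; verify)
        predicate=lambda e: e["proto"] == "modbus"
        and e["function_code"] not in BASELINE_FUNCTIONS,
        true_positives=[modbus("10.10.1.5", 43)],   # 43 = Read Device Identification
        true_negatives=[modbus("10.10.1.5", 3)],
    ),
]


def validate_rule(rule: Rule) -> List[str]:
    """CI gate: every shipped true positive must fire, every true negative must not."""
    failures: List[str] = []
    for ev in rule.true_positives:
        if not rule.predicate(ev):
            failures.append(f"{rule.rule_id}: missed true positive {ev}")
    for ev in rule.true_negatives:
        if rule.predicate(ev):
            failures.append(f"{rule.rule_id}: false positive on {ev}")
    return failures


def validate_all(rules: Sequence[Rule]) -> List[str]:
    """Validate the whole rule set; an empty list means the set may be deployed."""
    return [f for r in rules for f in validate_rule(r)]


def run_rules(rules: Sequence[Rule], events: Sequence[Event]) -> List[Tuple[str, Event]]:
    """Evaluate every rule against a telemetry stream; returns (rule_id, event) hits."""
    return [(r.rule_id, ev) for ev in events for r in rules if r.predicate(ev)]


def technique_coverage(rules: Sequence[Rule], in_scope: Sequence[str]) -> float:
    """Fraction of the in-scope ATT&CK techniques that at least one rule maps to."""
    covered = {r.technique for r in rules} & set(in_scope)
    return len(covered) / len(in_scope) if in_scope else 0.0


if __name__ == "__main__":
    problems = validate_all(RULES)
    assert not problems, problems
    stream = [modbus("10.10.1.5", 3), modbus("10.10.3.77", 6), modbus("10.10.3.77", 43)]
    for rule_id, ev in run_rules(RULES, stream):
        print(rule_id, ev["src_ip"], ev["function_code"])
    print(technique_coverage(RULES, ["T0855", "T0846", "T0836"]))
```

In a real pipeline `validate_all` runs on every merge request so that a rule whose own sample events no longer behave as expected cannot reach production, and `technique_coverage` over the in-scope technique list is what a coverage figure like the one in the Results section is computed from.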
Results
The program delivered over 120 production-ready detection rules covering both IT and OT environments. The detection-as-code pipeline reduced rule deployment time from days to hours, and ICS-specific MITRE ATT&CK coverage reached 85%.