During the "Sunset" phase the detection is taken out of commission. This phase ensures that resources are not spent on outdated detections that are no longer applicable, while still leaving a sufficient trace of the detection's existence.
High-level goals for the Sunset phase:
Functions | Goal | Description | Guidelines |
---|---|---|---|
Decommission | Decommission the detection | The goal is to decommission the detection by following a process that provides visibility. | To decommission a detection, simply change the status field to "Sunset" in the .yml file. Assuming your DevOps pipeline is configured correctly, this should disable the detection and prevent it from running. Note: do not remove anything from the repository, as detections can be reused in the future. |
Knowledge base update | Create an adequate indication in the KB document that the detection is no longer active, and socialize the change with your security teams. | | Update the MITRE coverage map by removing the coverage that the detection was providing. |
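What the pipeline gate described in the Guidelines column can look like, as an added example that is not part of the original document: it skips (but never deletes) rules whose status is "Sunset" and reports which ATT&CK techniques lose coverage so the knowledge-base map can be updated. The rule dicts below stand in for parsed .yml files, and the `status`, `name` and `mitre` field names are assumptions, not a schema the text defines.

```python
"""Sunset-phase pipeline step: disable sunset rules without deleting them
and recompute the MITRE ATT&CK coverage map from the rules still enabled."""
from typing import Dict, List, Tuple

# Constructed sample: the parsed contents of three detection .yml files.
# Field names (status, name, mitre) are assumed, not from the original text.
RULES: Dict[str, dict] = {
    "rules/t1059_powershell_encoded.yml": {
        "name": "Encoded PowerShell Command",
        "status": "Production",
        "mitre": ["T1059.001"],
    },
    "rules/t1003_lsass_dump.yml": {
        "name": "LSASS Memory Dump",
        "status": "Production",
        "mitre": ["T1003.001"],
    },
    "rules/t1059_legacy_wscript.yml": {
        "name": "Legacy WScript Launch",
        "status": "Sunset",           # decommissioned, but kept in the repo
        "mitre": ["T1059.005", "T1059.001"],
    },
}

SUNSET = "sunset"


def is_enabled(rule: dict) -> bool:
    """A rule is deployed only when its status is not Sunset (case-insensitive)."""
    return str(rule.get("status", "")).strip().lower() != SUNSET


def select_for_deployment(rules: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Return (enabled_paths, sunset_paths); sunset files are skipped, never deleted."""
    enabled = sorted(p for p, r in rules.items() if is_enabled(r))
    sunset = sorted(p for p, r in rules.items() if not is_enabled(r))
    return enabled, sunset


def coverage_map(rules: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each ATT&CK technique to the enabled rules that still cover it."""
    cov: Dict[str, List[str]] = {}
    for path, rule in rules.items():
        if not is_enabled(rule):
            continue
        for tech in rule.get("mitre", []):
            cov.setdefault(tech, []).append(path)
    return cov


def coverage_lost(rules: Dict[str, dict]) -> List[str]:
    """Techniques no enabled rule covers any more: what to remove from the KB map."""
    still = coverage_map(rules)
    lost = set()
    for rule in rules.values():
        if not is_enabled(rule):
            lost.update(t for t in rule.get("mitre", []) if t not in still)
    return sorted(lost)
```

Running `select_for_deployment(RULES)` keeps the two Production rules and lists the sunset one separately, while `coverage_lost(RULES)` reports only T1059.005, because T1059.001 is still covered by an enabled rule.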