Phase 3️⃣ Sunset 🌆

During the “Sunset” phase the detection is taken out of commission. The aim of this phase is to ensure that resources are not spent on outdated detections that no longer apply, while still leaving sufficient trace that the detection existed.

High level goals for the Sunset phase:

  • Decommission the detection and leave it in a state from which it can be resumed at any time
  • Preserve knowledge
Decommission

Goal: decommission the detection by following a process that provides visibility.

To decommission a detection, simply change the status field to "Sunset" in its .yml file. Assuming your DevOps pipeline is configured correctly, this effectively disables the detection and prevents it from running.

Note: Do not remove anything from the repository, as detections can be reused in the future.

Knowledge base update

  • Create an adequate indication in the KB document that the detection is no longer active and socialize the change with your security teams.
  • Update the MITRE coverage map by removing the coverage that the detection was providing.
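The following is an added example (not part of this page or of any particular detection repository) of what the pipeline side of the Sunset step can look like: it reads the detection files, skips anything whose status is "Sunset", fails loudly on an unknown status value so a typo cannot silently deploy or silently disable a rule, and computes which MITRE techniques lose coverage so the coverage map can be updated. The field name `mitre_techniques`, the status values other than "Sunset", and the sample files are assumptions constructed for the example.

```python
import re

# Constructed sample repository contents. Only the `status` field comes from
# the page; `mitre_techniques` and the "Production" value are assumed here.
DETECTIONS = {
    "susp_powershell.yml": "name: Suspicious PowerShell\nstatus: Production\nmitre_techniques:\n  - T1059.001\n",
    "old_psexec.yml": "name: PsExec lateral movement\nstatus: Sunset\nmitre_techniques:\n  - T1021.002\n  - T1570\n",
    "smb_admin_share.yml": "name: Admin share access\nstatus: Production\nmitre_techniques:\n  - T1021.002\n",
}

# Assumed status vocabulary for this example; the page only names "Sunset".
VALID_STATUS = {"Development", "Production", "Sunset"}


def parse_detection(text):
    """Parse the flat YAML subset used above (a stand-in for a real YAML loader)."""
    det = {"techniques": []}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            det[m.group(1)] = m.group(2)
        elif line.strip().startswith("- "):
            det["techniques"].append(line.strip()[2:])
    return det


def load_repository(files):
    """Parse every file; an unknown status (e.g. a typo) aborts the pipeline run."""
    repo = {}
    for path, text in files.items():
        det = parse_detection(text)
        if det.get("status") not in VALID_STATUS:
            raise ValueError(f"{path}: unknown status {det.get('status')!r}")
        repo[path] = det
    return repo


def deployable(files):
    """Names of detections the pipeline should deploy: everything not in Sunset."""
    return sorted(d["name"] for d in load_repository(files).values()
                  if d["status"] != "Sunset")


def coverage_removed_by_sunset(files):
    """Techniques to drop from the MITRE coverage map: covered only by Sunset detections."""
    repo = load_repository(files)
    still_covered = {t for d in repo.values() if d["status"] != "Sunset"
                     for t in d["techniques"]}
    retired = {t for d in repo.values() if d["status"] == "Sunset"
               for t in d["techniques"]}
    return sorted(retired - still_covered)
```

Note that T1021.002 stays on the coverage map because another active detection still covers it; only techniques with no remaining active detection are removed.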

Sunset Process Flow

graph TD;
  Review1[Review completed] --> Review2;
  Review2{detection ready to decom} -->|no| End[end];
  Review2{detection ready to decom} -->|yes| Preserve(Preserve knowledge);
  Preserve --> Decommission(Decommission the detection);