Templates created as part of Nigel Boston's TI Essentials article "Are we exposed? The CTI Fusion Playbook for end-to-end exposure validation" | Published March 19, 2026 | feedly.com/ti-essentials/
One card per detection. Defines what the detection needs, when to escalate, who owns it, and how often it gets retested. Fill this out when a detection passes validation and enters production.
| Detection Name | e.g. Credential replay / impossible travel |
|---|---|
| Technique Mapping | e.g. T1078 / Valid Accounts |
| Severity | Critical / High / Medium / Low |
| Owner | Team responsible for this detection |
| Detection Logic | What does this detection do? Describe the triggering conditions and the behavior it identifies. Be specific enough that someone unfamiliar with the rule can understand what fires it. |
| Required Telemetry Fields | List the log fields this detection depends on. If any of these fields stop populating, the detection breaks. e.g. user_principal_name, source_ip, geo_location, timestamp_utc |
| Data Sources | e.g. Azure AD sign-in logs, VPN gateway logs, Okta system log |
| Escalation Criteria | When does this alert get escalated, and to whom? Define the conditions for Tier 2 handoff and incident response activation. Include any exclusions (service accounts, known IP ranges, etc.). |
| Regression Cadence | e.g. Quarterly (BAS + manual) |
| Last Validated | Date of last successful test |
| Known Limitations | What does this detection miss? Document edge cases, false positive sources, environmental constraints, or conditions where the rule degrades. This is the institutional memory that keeps the next person from relearning the hard way. |
| Version Control | v1.0 |
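The card's "Required Telemetry Fields" and "Regression Cadence" rows, expressed as a runnable revalidation check (an added example, not code from the article or its spreadsheet): the telemetry-health check runs first, so a silently dropped field is reported as a broken detection rather than as a quiet absence of alerts. The impossible-travel logic, the 900 km/h threshold and the sign-in events are hypothetical and constructed for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

CARD = {  # the card's "Required Telemetry Fields", enforced rather than only documented
    "name": "Credential replay / impossible travel",
    "required_fields": ["user_principal_name", "source_ip", "geo_location", "timestamp_utc"],
    "max_speed_kmh": 900.0,  # assumed threshold (roughly airliner speed); tune per environment
}

# Constructed events, geo_location is (lat, lon): alice London->Sydney in 1h, bob London->Paris in 4h.
SAMPLE_EVENTS = [
    {"user_principal_name": "alice@example.com", "source_ip": "203.0.113.5",
     "geo_location": (51.51, -0.13), "timestamp_utc": "2026-03-19T09:00:00Z"},
    {"user_principal_name": "bob@example.com", "source_ip": "192.0.2.10",
     "geo_location": (51.51, -0.13), "timestamp_utc": "2026-03-19T09:05:00Z"},
    {"user_principal_name": "alice@example.com", "source_ip": "198.51.100.7",
     "geo_location": (-33.87, 151.21), "timestamp_utc": "2026-03-19T10:00:00Z"},
    {"user_principal_name": "bob@example.com", "source_ip": "192.0.2.44",
     "geo_location": (48.86, 2.35), "timestamp_utc": "2026-03-19T13:05:00Z"},
]
DEGRADED_EVENTS = [{**e, "geo_location": None} for e in SAMPLE_EVENTS]  # geo enrichment silently dropped

def telemetry_gaps(events, required):
    """Required fields missing or empty in any event; non-empty means the rule is broken."""
    return sorted({f for e in events for f in required if e.get(f) in (None, "")})

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_ts(e):
    return datetime.fromisoformat(e["timestamp_utc"].replace("Z", "+00:00"))

def impossible_travel(events, max_speed_kmh):
    """Consecutive sign-ins per user whose implied travel speed exceeds the threshold."""
    by_user, alerts = {}, []
    for e in sorted(events, key=parse_ts):
        by_user.setdefault(e["user_principal_name"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur) - parse_ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["geo_location"], cur["geo_location"])
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((user, prev["source_ip"], cur["source_ip"]))
    return alerts

def regression_test(events, card):  # scheduled revalidation: telemetry health first, then the rule
    gaps = telemetry_gaps(events, card["required_fields"])
    if gaps:
        return {"status": "broken", "missing_fields": gaps, "alerts": []}
    return {"status": "ok", "missing_fields": [], "alerts": impossible_travel(events, card["max_speed_kmh"])}
```

Running `regression_test` against both event sets on the card's regression cadence gives a result that can be written straight into the "Last Validated" and "Known Limitations" rows.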
This resource contains three templates in the same spreadsheet: Exposure Scoring, Gap Registry, and Executive Scorecard.

You can access the template here: