This article provides guidance on how to document a case in security operations. When you triage security events, investigate something suspicious, or respond to an incident, what you record is important. It provides evidence that your investigation was thorough, accurate, and correct. For complicated incidents, your notes support your team. They also allow others to learn from your past work.

Do you use CrowdStrike Event search heavily? Do you come up against the 7-day data retention limit? Do you want to keep some data longer and still search it? This article explains how to manualy export events from CrowdStrike Falcon Event Search and then import that into Splunk for correlation, preservation, or further analysis.

Did you know that the MITRE book [11 Strategies of a World-Class Cybersecurity Operations Center](https://www.mitre.org/news-insights/publication/11-strategies-world-class-cybersecurity-operations-center) has appendices outlining the documentation framework need for Security Operations. This includes Detection Engineering!

I have created a page to track my notes as I develop a better understanding of Detection Engineering. I am doing my best to be a good librarian and curate authoritative references, frameworks, articles, books, courses, standards, and more. If you want to learn or improve your Detection Engineering practices, I hope this helps expedite your journey!

In Security Operations we frequently have to investigate DNS and IP addresses to determine if they are known threat or to attribute them to some activity or owner. This article contains a list of free, trial, or open-source resources for performing address analysis.