Quick start: Defend

Sekoia Defend is your extended detection and response platform. In five steps, you will connect your first data source, verify that events are flowing into the platform, activate detection rules, triage your first alert, and set up a basic automated response. By the end of this guide, your SOC environment will be operational.

Learning goal

After completing this guide, you will be able to:

  • Connect at least one data source and verify event reception
  • Activate detection rules and understand coverage across the MITRE ATT&CK framework
  • Navigate and triage alerts
  • Activate a playbook to automate a response action

Prerequisites

  • You have logged in to Sekoia and your account is active.
  • Your workspace administrator has confirmed your subscription is active (see Understand your subscription).
  • You have the Analyst or Admin role in your community.

Admin access required for Step 1

Connecting a data source (creating an intake) requires Admin access or a custom role with intake management permissions. If you do not have this access, ask your administrator to complete Step 1 and then continue from Step 2.

The five steps

Step     What you do                 Time estimate
Step 1   Connect a data source       10-20 min
Step 2   Verify event reception      5-10 min
Step 3   Activate detection rules    10-15 min
Step 4   Triage your first alert     15-30 min
Step 5   Automate with playbooks     15-20 min

Outcome

When you complete all five steps, you will have a functioning Sekoia Defend environment that collects your logs, detects threats in real time, and surfaces alerts for investigation. You will also have your first automated response workflow active.

Prefer to learn with video?

Each step in this guide is also covered in the Sekoia Academy. Visit the Academy to follow along with video tutorials.