Detection engineering creates and maintains detection rules and queries that identify attacker TTPs in SIEM, EDR, and NIDS systems — translating threat intelligence into working detections.
Detection engineers write Sigma rules (a vendor-neutral format that is converted into backend-specific queries), Suricata/Snort rules (network traffic), YARA rules (file and memory signatures for malware), and native SIEM queries (Splunk SPL, Elastic EQL). MITRE ATT&CK maps adversary techniques to the log sources and detection opportunities each rule should cover.
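As an added illustration (not code from the page's author or any Sigma project), here is a minimal Sigma-style rule written as a Python dict that mirrors the YAML layout, plus a small matcher that runs it over constructed process-creation events; the rule, the `sccm_agent.exe` filter and the events are all hypothetical and chosen only to show selection, value-list, modifier and filter semantics.

```python
# Constructed rule mirroring Sigma YAML structure (hypothetical, not from any real ruleset).
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        # Fields inside a selection are ANDed; a list of values for one field is ORed.
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc "],
        },
        # Hypothetical approved parent process, used to tune out a known-good source.
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
}

# Sigma string modifiers; Sigma matching is case-insensitive by default, hence lower().
MODIFIERS = {"": str.__eq__, "contains": lambda a, e: e in a,
             "startswith": str.startswith, "endswith": str.endswith}

def match_selection(selection, event):
    # True only if every field in the selection matches the event (missing field -> "").
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        values = expected if isinstance(expected, list) else [expected]
        if not any(MODIFIERS[modifier](actual, str(v).lower()) for v in values):
            return False
    return True

def evaluate(rule, event):
    # Only the two condition shapes used in this demo are supported.
    det = rule["detection"]
    hit = match_selection(det["selection"], event)
    if det["condition"] == "selection":
        return hit
    if det["condition"] == "selection and not filter":
        return hit and not match_selection(det["filter"], event)
    raise ValueError(f"unsupported condition: {det['condition']}")

# Constructed sample events: one true positive, one benign, one tuned out by the filter.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -NoP -EncodedCommand SQBFAFgA", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -enc SQBFAFgA", "ParentImage": r"C:\Program Files\sccm_agent.exe"},
]

def run(rule, events):
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]  # indices the rule fires on
```

Running `run(RULE, EVENTS)` returns `[0]`: the first event fires, the second never matches the selection, and the third matches the selection but is suppressed by the filter, which is exactly the tuning step a detection engineer adds to keep a rule's false-positive rate workable.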