Security Engineer
hardsecurity-engineer-logging-detection

How do you build effective detections from logs (detection engineering)?

Answer

Effective detections are tied to real threat behaviors. Steps:
- Identify high-signal log sources
- Normalize fields and add context
- Write detections for known TTPs
- Tune to reduce false positives
Always add runbooks and triage steps so alerts are actionable, not noise.

Related Topics

Detection, Logging, Security