docs(1-getting-started): add opinionated MSSP walkthrough #221

Draft
maximelb wants to merge 2 commits into master from docs/mssp-walkthrough

Conversation

@maximelb (Contributor) commented May 7, 2026

Summary

Comprehensive, opinionated walkthrough that a new MSSP can run their entire LimaCharlie POC off — docs/1-getting-started/mssp-walkthrough.md, 20 parts, ~2,660 lines, designed to be self-contained (the reader rarely needs to leave the page for the day-1 work).

Wired into the Getting Started nav (right after Core Concepts), linked from docs/1-getting-started/index.md, and cross-linked from the existing use-cases/mssp-msp-mdr.md overview as the practical companion.

Article structure

Uses a fictional MSSP (Northwind Security) with three sample customers (ACME, Globex, Initech) to keep examples concrete throughout.

  1. Mental model — five primitives, four data streams (with sample event JSON, sample detect record), three access rules
  2. Day 0 — regions, the internal control-org pattern, Unified Billing, billing math by source/size, Strict SSO from day zero
  3. Control-org bootstrap — CLI, baseline Org API key (REST + permission grouping), JWT exchange, first Hive Secret, the standard MSSP extension kit (9 extensions)
  4. Customer-org template anatomy — the 9 layers
  5. What to connect in (telemetry) — sensor install commands for Windows EXE/MSI/PowerShell, Linux deb/binary, macOS; sleeper-mode end-to-end flow; full adapter YAML for M365/Okta/CloudTrail (S3+SQS); As-a-Service vs on-prem deployment options with systemd unit template; tag-based segmentation; Exfil Watch Rule examples; Day-1 telemetry smoke test per source
  6. Detections in 30 minutes — Sigma → Soteria → Community Rules; top-10 EDR event types; 8 production-ready detection patterns (simple, nested boolean, stateful with-child, stateful with-events count/window, behavioral suppression-as-state, geo-lookup behavioral, threat-feed lookup, sensor-variable cross-rule state); FP rule layering; unit tests with full example; replay; common pitfalls
  7. Queries and threat hunting (LCQL) — query shape, console/CLI/REST, cost estimation, 15 ready-to-use MSSP-baseline LCQL queries as a saved library, template-string reference, AI-agent integration
  8. Alerting & Cases — full Cases config YAML (severity, SLA, auto-grouping, retention), case lifecycle CLI cookbook, tailored ingestion mode walkthrough, Slack/Teams/PagerDuty/Twilio fanout pattern, webhook with HMAC verification, real-time WebSocket
  9. Outputs — four streams with sample event JSON; recommended pattern table; concrete output configs for S3 (with IAM policy), syslog/TLS, BigQuery (with custom_transform), webhook; allowlisting at the edge
  10. Multi-tenant access — three rules, root-account pattern, five-OG model from mssp-demo (Administrators / Analysts / Viewers / Auditors / Break-Glass active-responders), permission groupings for automation use cases, full bash onboarding script, quarterly access verification script
  11. NEW: Sensor commands and live response — top sensor commands by category, cross-fleet selectors, Reliable Tasking for offline sensors with full curl example, isolation as automated response action
  12. NEW: Forensics and IR extensions — Artifact (WEL/MUL/PCAP), Dumper (memory), Velociraptor, Atomic Red Team for testing detections, YARA Manager, Payload Manager
  13. NEW: Threat intelligence and lookups — Lookup Manager IaC with real public feeds (AlienVault, Tor, Talos), lookup-driven D&R, MSSP-managed soc-blocked-{ips,hashes,domains} pattern that turns one investigation into ongoing protection
  14. AI: agentic SOC — D&R-driven vs user, lean-soc architecture mermaid + cost profile, full IaC YAML for triage and investigator agents with the production prompts from lc-ai, responder workflow snippets (isolation, IOC blocking, human-in-the-loop via Feedback ext), sample reporter daily report, mandatory cost guardrails, Bedrock/Vertex BYO-provider note
  15. Infrastructure as Code — Infrastructure + Git Sync extensions, mssp-demo repo layout (concrete file tree with global/customers/templates), all.yaml, customer main.yaml with global+local includes, real installation_keys.yaml and outputs.yaml examples, secrets-as-references, bootstrap-from-existing-org, dry-run gating, Git Sync deploy-key setup commands, CI workflow example
  16. Cost guardrails & operational hygiene — Usage Alerts IaC YAML, Sensor Cull rules, audit-review cadence, sleeper-when-idle, replay-before-prod, output billing per stream, FP-rate review loop
  17. NEW: End-to-end 10-step smoke test — concrete validation with expected results for sensor connectivity, adapters, detections, cases, alert delivery, outputs, AI agents, IaC round-trip, audit forwarding, access verification
  18. One-page onboarding playbook (target <60 min)
  19. 12-month maturity ladder
  20. Suggested next steps (10 reading priorities + 7 actions)

Stats

  • 2,662 lines (was 813, +2,066 net insertions)
  • 100+ internal cross-references, all verified to resolve
  • Concrete bash, YAML, JSON, and config snippets throughout — no "see X" without showing X first when it matters

Test plan

  • mkdocs builds cleanly
  • Article renders correctly in the rendered site
  • Nav entry "Starting an MSSP — Walkthrough" appears under Getting Started
  • Link from use-cases/mssp-msp-mdr.md tip box works
  • All ~100 internal cross-references resolve (verified locally)
  • markdownlint-cli2 passes

🤖 Generated with Claude Code

maximelb and others added 2 commits May 7, 2026 10:44
Adds a long-form, end-to-end walkthrough for service providers
starting on LimaCharlie: control-org bootstrap, customer-org
template, telemetry (sensors + adapters + sleeper), starter
detections, LCQL hunting, alerting/Cases, outputs, multi-tenant
access, AI agents, IaC with Git Sync, cost guardrails, an
onboarding playbook, and a 12-month maturity ladder.

Wired into the Getting Started nav, linked from the index, and
cross-linked from the existing MSSP use-case page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…d POC guide

Comprehensive expansion of the MSSP walkthrough so a new MSSP customer can run
their entire POC off this single page. Now 20 parts / ~2,660 lines / +2,066 net
insertions, covering:

- Concrete worked example (Northwind Security with ACME, Globex, Initech)
- Real install commands for Windows (EXE / MSI / PowerShell), Linux (deb /
  binary), macOS, with the actual self-contained PowerShell script to send
  customer IT
- Full adapter YAML for Microsoft 365, Okta, AWS CloudTrail (S3 + SQS) with
  hive secret references throughout
- Adapter deployment options (As-a-Service, on-prem, Windows service, Linux
  systemd unit template)
- Day-1 telemetry smoke test per source (what to do, what to look for)
- Detection pattern catalogue with 8 production-ready rules covering simple,
  nested, stateful (with child / with events), behavioral (suppression-as-state),
  threat-feed-driven, and sensor-variable patterns
- Top-10 EDR event-type reference, common detection-writing pitfalls
- Full Cases extension config YAML (severity, SLA, auto-grouping, retention),
  case lifecycle CLI cookbook, tailored ingestion mode walkthrough
- Concrete output configs for S3 (with IAM policy), syslog/TLS, BigQuery (with
  custom_transform), webhook (with HMAC verification explanation), Slack with
  step-by-step provisioning
- 15 ready-to-use MSSP-baseline LCQL queries committed as a saved-query library
- Template strings quick reference
- Five-OG access model from mssp-demo (Administrators / Analysts / Viewers /
  Auditors / Break-Glass active-responders), root-account pattern, permission
  groupings for common automation use cases, full onboarding bash script,
  quarterly access verification script
- New: sensor commands and live-response section — top commands by category,
  cross-fleet selectors, Reliable Tasking for offline sensors, isolation
  automation pattern
- New: forensics & IR extensions — Artifact, Dumper, Velociraptor, Atomic Red
  Team, YARA Manager, Payload Manager
- New: threat-intel & lookups — auto-refreshing public feeds (AlienVault, Tor,
  Talos), lookup-driven detections, MSSP-managed soc-blocked-ips/hashes/domains
  pattern that turns one investigation into ongoing protection
- AI: full IaC YAML for triage and investigator agents from the lean-soc
  reference, responder workflow snippets, sample reporter daily report,
  cost-guardrail checklist, Bring-Your-Own provider note
- IaC: mssp-demo repo layout (concrete file tree, all.yaml, customer main.yaml
  with global+local include pattern, real installation_keys.yaml, real
  outputs.yaml), bootstrap-from-existing-org flow, Git Sync deploy-key setup,
  CI workflow example
- New: end-to-end 10-step smoke test with expected results
- Billing math (per-source GB/day estimates by company size), three cost rules
  of thumb, output billing per stream

All 100+ relative cross-references resolve to real files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>