Detection Engineering Masterclass: Part 1

Welcome to the Detection Engineering Masterclass: Part 1

Course Overview:

This course will first teach the theory behind security operations and detection engineering. We’ll then start building out our home lab using VirtualBox and Elastic’s security offering. Then we’ll run through three different attack scenarios, each more complex than the one prior. We’ll make detections off of our attacks, and learn how to document our detections. Next, we’ll dive more into coding and Python by writing validation scripts and learning how to interact with Elastic through their API. Wrapping everything up, we’ll host all our detections on GitHub and sync with Elastic through our own GitHub Action automations. As a cherry on top, we’ll have a final section on how to write scripts to gather important metrics and visualisations.

This course takes students from A-Z on the detection engineering lifecycle and the technical implementation of a detection engineering architecture.

While this course is marketed as entry-level, any prerequisite knowledge will help in the course's learning curve. Familiarity with security operations, searching logs, security analysis, or any related skillset will be helpful (but ultimately not required).

Part One Overview

This is part one of a two-part series on Detection Engineering! This course is meant to kickstart anyone interested in security analysis, detection engineering, and security architecture. 

The first part is the meat of the course, where we will go over:

• Detection Engineering Theory.

• Setting Up Our Lab.

• Working with Logging and our SIEM.

• Running Attack Scenarios to generate logs and create alerts.

• Learn how to use Atomic Red Team for testing.

The second part deals with detection as code philosophies, which will be very Python and GitHub heavy (but don't worry! I'll walk you through everything step by step.)

By the end of this two-part course, you'll have a full-stack detection engineering architecture. You'll be able to:

• Run offensive tests.

• Review the logs.

• Make alerts.

• Save alerts using a standardised template.

• Enforce template data through code.

• Programmatically push the alerts to the SIEM.

• Run periodic metrics on the detection data.

The entire course runs ~11 or so hours in length, but should take ~20-40 hours to complete fully. All code written will be available on the course GitHub in case you'd like to skip the Python-heavy sections.

Thanks for stopping by!