Detection Engineering for Beginners

Start thinking and working as a Detection Engineer!

Training for a team or organization? Contact us about group access.

Inside the Course

Scroll down to explore the skills you’ll build, the techniques you’ll master, and the requirements to get started.

Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.

View Membership Options

Questions?

If you need clarification on the course or its requirements, simply use the chat button below and our team will assist you.

Chat with Support

Difficulty: Beginner
Duration: 11h
Access: Included in Membership

Overview

This course teaches the theory behind security operations and detection engineering. We’ll then start building out our home lab using VirtualBox and Elastic’s security offering. Then we’ll run through three different attack scenarios, each more complex than the one prior. We’ll make detections off of our attacks, and learn how to document our detections. Next we’ll dive more into coding and Python by writing validation scripts and learning out to interact with Elastic through their API. Wrapping everything up, we’ll host all our detections on GitHub and sync with Elastic through our own GitHub Action automations. As a cherry on top, we’ll have a final section on how to write scripts to gather important metrics and visualizations.

This course takes students from A-Z on the detection engineering lifecycle and technical implementation of a detection engineering architecture.

While this course is marketed as entry level, any prerequisite knowledge will help in the courses learning curve. Familiarity with security operations, searching logs, security analysis, or any related skillset will be helpful (but ultimately not required).

Objectives

How to Generate Logs:

Understand the various log generating systems that Detection Engineers can use.
Learn how to create ad-hoc offensive tests to generate logs for detection creation.
Learn how to work within a testing framework to generate logs for detection creation.

Document and Validate Detections:

Understand how to properly document your detections.
Learn how to write your own code to validate your detection documents.

Use Code to Manipulate Data:

Learn how to use Python to interact with a SIEM’s API to push and pull detection data.
Learn to use GitHub Actions to facilitate all our custom checks and API interactions.
Learn how to write your own code to help create detection metrics.

System Requirements

The ability to run 2-3 VMs on a local machine:

* Ubuntu Linux

* ParrotOS

* Windows 11

Minimum Requirements:

CPU Cores: 4

RAM: 8GB

Hard Drive Space: 50GB

Recommended Requirements:

CPU Cores: 6+

RAM: 16GB+

Hard Drive Space: 50GB+

You can technically get by with the main host having only a couple cores and 8 gigs of RAM, but any additional resources that can be assigned to your VMs will make the process smoother.

Course Curriculum

Introduction
- Welcome!
Theory
- Security Operations
- Role Variety
- Security Incident and Event Management
- The Detection Engineering Workflow
- What Makes a Good Detection
- Technology Stack for Detection Engineering
- MITRE ATT&CK Framework
- Navigating the MITRE ATT&CK Matrix
Lab Setup
- Lab Overview
- File Downloads
- Importing ParrotOS into VirtualBox
- Importing Windows 11 into VirtualBox
- Ubuntu VirtualBox Installation
- Creating a VM Snapshot
- Disabling Windows Defender
- Installing Zeek
Elastic Setup
- Elastic Overview
- Signing Up for Elastic Trial
- Trial Extending and New Trials
- Elastic Agent Installation
- Confirming Zeek Logging With NMAP
- Testing Windows Elastic Agent Logging with EICAR File and PowerShell
- Sysmon Overview
- Installing and Configuring Sysmon
- Testing Sysmon Logging with EICAR File and PowerShell
- Improving Our PowerShell Visibility
Attack Scenario 1
- Attack Overview
- Setting up the Attack
- Performing the Attack
- Creating our first Query Alert
- Creating our first Threshold Alert
- Alert Confirmation
Attack Scenario 2
- Overview
- Creating and Executing Attack – Part 1
- Creating and Executing Attack – Part 2
- Reviewing the Attack
- Creating Alerts
- Confirming our Detections
Attack Scenario 3
- Overview
- Staging our Attack
- Creating and Executing our Attack
- Creating our Detections
- Confirming our Detections
Atomic Red Team
- Atomic Red Team Introduction
- Installation
- Running our First Atomic
- Writing our First Atomic
TOML
- TOML Overview
- Setting up a Development Environment
- Reviewing Elastic Rule TOML
- Working with the Elastic Detection Rules Repo
- Validating TOML Syntax Using Taplo
- Creating an Elastic TOML Template
- Enforcing TOML Required Fields
- Creating a MITRE Object in Python
- Working with Multiple TOML Files
- Validating MITRE Data in our TOML – Part 1
- Validating MITRE Data in our TOML – Part 2
- Converting and Validating our Detections
Elastic API
- Introduction
- Obtaining your API Key
- Pushing a Sample Rule
- Writing a TOML to JSON Script
- GET-ing Our First Rule and Managing Rule IDs
- Working with our Custom Detections
- Updating our Custom Detections
GitHub
- Overview
- GitHub Actions Introduction
- Uploading our Detections and Code
- Creating our TOML Validation Action
- Enforcing Validation Checks
- Syncing with Elastic – Part 1
- Syncing with Elastic – Part 2
Metrics
- Overview
- Converting our TOML to CSV
- Converting TOML to MD
- Converting our TOML to Att&ck Navigator .JSON
- Creating our Metrics GitHub Action
- Creating Status Badges
Conclusion
- Farewell

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Detection Engineering for Beginners, every other paid Academy course, and an active community of learners and mentors in Discord.

Start Learning with All-Access

INSTRUCTORS

Meet Your Instructors

Learn from industry experts with real-world cybersecurity experience.

Anthony Isherwood

My name is Anthony Isherwood. I am a seasoned security professional with past roles in incident response, vulnerability management, SIEM engineering, security architecture, SOC coaching, and consulting. I currently enjoy working as Lead Detection Engineer for a large media company, focusing on detection creation, automation, and adversary emulation.

I have taken red team courses and certs such as TCM’s own Practical Ethical Hacking course, VirtualHackingLabs, and obtained the OSCP. In addtion, I also obtained the GIAC Reverse Engineering Malware GREM certification and have a couple lapsed Comptia certs such as the Security+ and CySA+.

I truly love this field! My goal is to enable others to accelerate their growth and enjoy the field as much as I do.

Outside of my professional work, I enjoy lifting in my home gym or playing some games to unwind at night. I have a beautiful family, a wife and son, who always drive me to be the best version of myself I can be. A special shoutout to my wife, who shouldered extra responsibility as I was developing and creating this course!

FAQS

Common Questions

Here are a couple of our most commonly asked questions, contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

2

3

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

2

3

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

2

3

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

2

3

As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

2

3

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

2

3

We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Choose Your Membership Plan

RELATED COURSES

Continue Your Learning Path

Explore related courses that expand on the skills covered here.