This module introduces the core concepts of detection engineering and explains how security teams detect malicious activity using logs, events, and telemetry. Students learn the difference between host- and network-based detection, how detection engineering fits into the broader security lifecycle, and why high-quality telemetry is essential for reliable detections. The module also includes hands-on setup of a local lab environment, giving students a practical foundation for generating and analyzing security data throughout the course.
In this module, students focus on detecting malicious activity at the host level by analyzing system telemetry from Windows and Linux environments. The module covers common host-based indicators such as suspicious processes, authentication events, file and registry changes, and persistence mechanisms. Using tools like Sysmon, Auditd, Journald, and Sigma-style logic, students learn how to interpret host logs and write basic detection rules to identify anomalous or malicious behavior.
This module introduces network-based detection by teaching students how to analyze traffic and identify common threats such as beaconing, scanning, and suspicious communication patterns. Students learn the fundamentals of packet capture and flow-based analysis using tools like Wireshark, and are introduced to writing simple network detection rules with Suricata. The emphasis is on understanding attacker behavior on the network rather than memorizing specific signatures.
In this module, students are introduced to SIEM and SOAR as the two foundational components of modern security operations. The first part focuses on how detection engineers use a SIEM to ingest, normalize, correlate, and alert on security telemetry, without relying on vendor-specific implementations. The module then positions SOAR as the extension of detection engineering into automation and response: it explains how alerts are enriched, triaged, and acted upon through playbooks, where automation adds value, and where human judgment remains essential, and it highlights common pitfalls such as over-automation and fragile response logic.
In the final module, students apply everything they have learned by investigating a simulated phishing-to-malware attack scenario. They analyze host and network logs, design and test detection rules, and document their findings in a clear and structured way. This capstone reinforces the end-to-end detection engineering workflow, from telemetry analysis to detection logic and reporting, and serves as a practical demonstration of the skills developed throughout the course.