
Build the pipeline to successful defense.


Detection Engineering is the art of building queries and searches that can reliably identify malicious behavior. Whether you are working in an enterprise environment, doing malware research in your lab, or just starting your journey into cyber security, this course can teach you the skills you need.

Together we will learn how to write Sigma rules, a powerful language for crafting detection queries, and seamlessly deploy them into your Splunk SIEM, enabling you to automate and streamline your security operations.


What You'll Learn


Skills


By the end of the course, the learner should have the ability to:

  • Read and understand Sigma rules
  • Convert rules using the Sigma CLI tool
  • Implement the Splunk backend and create scheduled searches
  • Implement a custom Splunk application to support Sigma detections
  • Build pySigma pipelines to transform generic detections into Splunk queries
  • Utilize GitHub to build an automated Detection Engineering ecosystem
  • Employ linting and release control techniques on the Sigma rules repository

Concepts


By the end of the course, the learner should understand:

  • The value of open source and community driven detection rules
  • The relationship between Sigma rules, pySigma pipelines, Splunk conditional searches, and detection events
  • How to use pySigma transformations and conditions to build robust and complex SPL queries
  • Building a custom and internal Detection Engineering as Code system that starts with making a PR in GitHub with a new Sigma rule and results in a new event generated for future investigation

Prerequisites


While this course does provide an introduction to detection engineering, it is expected that students have practical experience in the following realms:

  • Able to read Python
  • Understand how to modify and apply existing scripts
  • CLI Fluency
  • Familiarity with Docker
  • Familiarity with Windows Event Logs, including Sysmon
  • Experience with GitHub Pull Requests and code change management
  • Familiarity with Splunk



Enrollment Options


This course will always be free. However, if you choose to support the Institute, we offer three levels of pay-what-you-wish pricing.