
Legitimized [SEC555: Detection Engineering and SIEM Analytics] Expert-Led Video Course – MASTERYTRAIL

Original price was: $450.00. Current price is: $220.00.

End-to-End Video Recorded Training
Access 40+ hours of comprehensive, step-by-step video lectures.
Covers all exam domains, objectives, and practical scenarios.
Delivered by industry experts with real-world insights.
Self-paced learning: pause, replay, and learn at your convenience.
Comprehensive Study Book
A structured study book that provides in-depth theoretical coverage.
Simplifies complex concepts with diagrams, flowcharts, and case studies.
Acts as a complete reference guide before, during, and after your training.
Concise Study Guide
A quick revision tool designed for last-minute preparation.
Highlights key concepts, formulas, definitions, and exam essentials.
Easy-to-read format for fast recall and exam readiness.
Complete Exam Questions & Answers Bank
Includes up to 2000 real-style exam questions with detailed answers and explanations.
Covers all possible exam scenarios: multiple-choice, case-based, and application questions.
Provides rationale for correct and incorrect answers to strengthen understanding.
Helps in identifying weak areas and building exam confidence.
Why Choose This Package?
All-in-one solution: Training + Study Book + Study Guide + Exam Q&A.
Designed for success: Comprehensive, exam-focused, and practical.
Saves time & money: No need to buy multiple resources separately.
Ideal for first-time candidates as well as professionals seeking re-certification.

Availability: 200 in stock

SKU: MASTERYTRAIL-DFGH-34NHLP1783

1. Introduction to Detection Engineering
1.1. Overview of Detection Engineering
1.2. Key Terminology and Concepts
1.3. Importance in Cybersecurity
1.4. Detection Engineering Lifecycle
1.5. Detection Engineering vs. Incident Response
1.6. Use Cases in Organizations
1.7. Typical Challenges
1.8. Roles and Responsibilities
1.9. Regulatory Considerations
1.10. Future Trends

2. Fundamentals of SIEM
2.1. What is SIEM?
2.2. SIEM Architecture
2.3. Core SIEM Components
2.4. SIEM Deployment Models
2.5. SIEM Capabilities
2.6. Log Collection Basics
2.7. Event Correlation
2.8. Alerts and Notifications
2.9. SIEM Limitations
2.10. Key SIEM Vendors

3. Data Sources for Detection
3.1. Host-based Data Sources
3.2. Network-based Data Sources
3.3. Cloud Data Sources
3.4. Application Logs
3.5. Security Appliances
3.6. Identity and Access Management Logs
3.7. Endpoint Detection and Response
3.8. Threat Intelligence Feeds
3.9. Third-party Integrations
3.10. Data Source Prioritization

4. Log Management
4.1. Log Collection Methods
4.2. Log Parsing
4.3. Log Storage Considerations
4.4. Log Retention Policies
4.5. Data Normalization
4.6. Log Enrichment
4.7. Log Integrity and Security
4.8. Metadata Handling
4.9. Troubleshooting Log Collection
4.10. Best Practices in Log Management

5. Detection Use Case Development
5.1. Use Case Identification
5.2. Prioritizing Use Cases
5.3. Mapping to MITRE ATT&CK
5.4. Writing Detection Logic
5.5. Testing Detection Use Cases
5.6. Use Case Documentation
5.7. Use Case Review and Approval
5.8. Use Case Maintenance
5.9. Measuring Effectiveness
5.10. Continuous Improvement

6. Threat Modeling for Detection
6.1. Introduction to Threat Modeling
6.2. STRIDE Model
6.3. Kill Chain Analysis
6.4. MITRE ATT&CK Framework
6.5. Identifying Assets
6.6. Identifying Threat Actors
6.7. Attack Techniques and Tactics
6.8. Modeling Detection Opportunities
6.9. Mapping Threats to Controls
6.10. Threat Modeling Tools

7. SIEM Architecture and Deployment
7.1. SIEM Core Components
7.2. Deployment Topologies
7.3. On-premises vs. Cloud SIEM
7.4. Scalability Considerations
7.5. High Availability (HA)
7.6. Data Ingestion Pipelines
7.7. Performance Tuning
7.8. Network Segmentation
7.9. Integration with Other Security Tools
7.10. SIEM Health Monitoring

8. Detection Content Management
8.1. Content Lifecycle
8.2. Version Control
8.3. Content Sharing and Collaboration
8.4. Content Testing Strategies
8.5. False Positive Management
8.6. False Negative Management
8.7. Content Retirement
8.8. Content Documentation
8.9. Content Governance
8.10. Metrics for Content Effectiveness

9. Writing Detection Rules
9.1. Detection Rule Syntax
9.2. Boolean Logic in Rules
9.3. Aggregation and Thresholds
9.4. Time Windows
9.5. Field Mapping
9.6. Rule Optimization
9.7. Avoiding Rule Overlap
9.8. Rule Deployment
9.9. Testing and Tuning
9.10. Rule Maintenance

10. Alerting and Triage
10.1. Alert Generation
10.2. Prioritization of Alerts
10.3. Alert Enrichment
10.4. Alert Suppression
10.5. Triage Workflows
10.6. Alert Escalation
10.7. Alert Feedback Loops
10.8. Reducing Alert Fatigue
10.9. Tracking Alert Metrics
10.10. Automation in Alert Triage

11. Use of MITRE ATT&CK in SIEM
11.1. Overview of MITRE ATT&CK
11.2. MITRE ATT&CK Structure
11.3. Mapping Detections to ATT&CK
11.4. ATT&CK Navigator
11.5. Gap Analysis
11.6. Red Team vs. Blue Team Use
11.7. Use Case Development with ATT&CK
11.8. ATT&CK and Threat Intelligence
11.9. Reporting with ATT&CK
11.10. ATT&CK Updates and Maintenance

12. Threat Intelligence Integration
12.1. Threat Intelligence Types
12.2. TI Feed Selection
12.3. TI Ingestion into SIEM
12.4. Contextual Enrichment
12.5. Indicator Management
12.6. Automating TI Use
12.7. TI Sharing Standards
12.8. Use in Detection Rules
12.9. Measuring TI Effectiveness
12.10. TI Operational Challenges

13. Behavioral Analytics
13.1. Introduction to Behavioral Analytics
13.2. User Behavior Analytics (UBA)
13.3. Entity Behavior Analytics (EBA)
13.4. Baseline Creation
13.5. Outlier Detection
13.6. Machine Learning Basics
13.7. Building Behavioral Models
13.8. Integrating with SIEM
13.9. Alerting on Anomalies
13.10. Reducing False Positives

14. Advanced Correlation Techniques
14.1. Correlation Engine Overview
14.2. Multi-event Correlation
14.3. Temporal Correlation
14.4. Sequence-based Correlation
14.5. Statistical Correlation
14.6. Graph-based Correlation
14.7. Case Management Integration
14.8. Correlation Rule Testing
14.9. Performance Impact
14.10. Correlation Rule Maintenance

15. Data Normalization and Enrichment
15.1. Importance of Normalization
15.2. Common Data Formats
15.3. Field Mapping Techniques
15.4. Enriching Data with Context
15.5. Asset Information Enrichment
15.6. GeoIP Enrichment
15.7. Threat Intelligence Enrichment
15.8. User Context Enrichment
15.9. Automation in Enrichment
15.10. Enrichment Best Practices

16. SIEM Analytics and Reporting
16.1. Types of SIEM Reports
16.2. Custom Dashboard Creation
16.3. Key Performance Indicators (KPIs)
16.4. Executive Reporting
16.5. Compliance Reporting
16.6. Visualization Techniques
16.7. Data Export Options
16.8. Scheduled Reporting
16.9. Reporting Automation
16.10. Improving Report Quality

17. Incident Detection and Investigation
17.1. Incident Detection Process
17.2. Role of SIEM in Detection
17.3. Investigation Workflows
17.4. Evidence Collection
17.5. Timeline Analysis
17.6. Threat Hunting Integration
17.7. Root Cause Analysis
17.8. Investigation Documentation
17.9. Handover to Response Teams
17.10. Post-Incident Review

18. Detection Engineering Metrics
18.1. Importance of Metrics
18.2. Detection Coverage
18.3. Detection Accuracy
18.4. Mean Time to Detect (MTTD)
18.5. False Positive Rate
18.6. False Negative Rate
18.7. Alert Volume
18.8. Detection Rule Performance
18.9. Continuous Monitoring
18.10. Metrics Visualization

19. Tuning and Optimization
19.1. Why Tune SIEM?
19.2. Identifying Noise
19.3. Rule Tuning Techniques
19.4. Threshold Adjustment
19.5. Suppression Strategies
19.6. Whitelisting and Blacklisting
19.7. Performance Optimization
19.8. Automated Tuning Tools
19.9. Feedback Loops
19.10. Documenting Tuning Changes

20. Automation in Detection Engineering
20.1. Automation Overview
20.2. Use Cases for Automation
20.3. Automation Tools
20.4. Playbook Development
20.5. Automated Triage
20.6. Automated Response
20.7. Integrating SOAR with SIEM
20.8. Automation Metrics
20.9. Risks of Automation
20.10. Automation Best Practices

21. Detection Engineering in the Cloud
21.1. Cloud Security Challenges
21.2. Cloud-native SIEM Solutions
21.3. Collecting Cloud Logs
21.4. Cloud Identity and Access
21.5. Cloud Workload Protection
21.6. SaaS Application Monitoring
21.7. Multi-cloud Detection Strategies
21.8. Cloud Compliance Monitoring
21.9. Cloud Threat Intelligence
21.10. Cloud Detection Best Practices

22. Endpoint Detection and SIEM
22.1. Role of Endpoint Data
22.2. EDR Integration with SIEM
22.3. Endpoint Telemetry
22.4. Process Monitoring
22.5. File Integrity Monitoring
22.6. Registry and Configuration Monitoring
22.7. Endpoint Use Cases
22.8. Endpoint Alert Correlation
22.9. Endpoint Threat Intelligence
22.10. Endpoint Detection Challenges

23. Network Detection and SIEM
23.1. Network Log Sources
23.2. Flow Data (NetFlow, sFlow)
23.3. Packet Capture Integration
23.4. IDS/IPS Integration
23.5. DNS Monitoring
23.6. Proxy and Web Logs
23.7. Lateral Movement Detection
23.8. Beaconing Detection
23.9. Network Use Cases
23.10. Network Detection Limitations

24. Application Security Monitoring
24.1. Application Log Collection
24.2. Web Application Firewalls
24.3. Application Authentication Monitoring
24.4. API Security Monitoring
24.5. Application Error Detection
24.6. Business Logic Abuse Detection
24.7. Application Threat Intelligence
24.8. Custom Application Instrumentation
24.9. Application Use Case Development
24.10. Application Detection Metrics

25. Identity and Access Monitoring
25.1. Authentication Logs
25.2. Privileged Account Monitoring
25.3. Password Abuse Detection
25.4. Single Sign-On Monitoring
25.5. Federation and SAML Monitoring
25.6. Multi-factor Authentication Monitoring
25.7. Account Creation and Deletion
25.8. Lateral Movement via Accounts
25.9. Identity Threat Intelligence
25.10. Identity Detection Challenges

26. Insider Threat Detection
26.1. Insider Threat Overview
26.2. Insider Threat Indicators
26.3. Monitoring Data Exfiltration
26.4. Privilege Abuse Detection
26.5. Behavioral Analytics for Insiders
26.6. Data Access Monitoring
26.7. Alert Enrichment for Insider Threats
26.8. Case Management
26.9. Insider Threat Use Cases
26.10. Legal Considerations

27. Detection for Ransomware
27.1. Ransomware Kill Chain
27.2. Early Warning Indicators
27.3. Lateral Movement Detection
27.4. Privilege Escalation Detection
27.5. File Encryption Activity
27.6. Command and Control Signatures
27.7. Backup and Shadow Copy Monitoring
27.8. Ransomware Playbooks
27.9. Ransomware-specific Use Cases
27.10. Response and Containment

28. Phishing Detection and SIEM
28.1. Email Log Collection
28.2. Suspicious Attachment Detection
28.3. Link Analysis
28.4. Credential Harvesting Indicators
28.5. User Reporting Integration
28.6. Phishing Playbooks
28.7. Threat Intelligence Integration
28.8. Phishing Simulation Feedback
28.9. Automated Triage
28.10. Metrics and Reporting

29. Detection for Lateral Movement
29.1. Lateral Movement Techniques
29.2. Logon Event Monitoring
29.3. Pass-the-Hash Detection
29.4. Remote Desktop Protocol (RDP) Monitoring
29.5. WMI and PsExec Detection
29.6. Lateral Movement via Admin Tools
29.7. Credential Dumping Detection
29.8. Alert Correlation
29.9. Use Case Development
29.10. Reporting and Metrics

30. Use of Machine Learning in Detection
30.1. ML Basics for Security
30.2. Supervised vs. Unsupervised Learning
30.3. Feature Engineering
30.4. Model Training
30.5. Model Validation
30.6. Integration with SIEM
30.7. Alerting on ML Output
30.8. Limitations and Bias
30.9. Continuous Model Improvement
30.10. ML Use Cases

31. Detection of Advanced Persistent Threats (APT)
31.1. APT Overview
31.2. APT Kill Chain
31.3. Reconnaissance Detection
31.4. Initial Access Indicators
31.5. Persistence Detection
31.6. Privilege Escalation Detection
31.7. C2 Channel Detection
31.8. Exfiltration Detection
31.9. APT Use Case Development
31.10. APT Reporting

32. Use Case Testing and Validation
32.1. Importance of Testing
32.2. Test Plan Development
32.3. Red Team Validation
32.4. Blue Team Validation
32.5. Automated Testing Tools
32.6. Test Data Generation
32.7. Success Criteria
32.8. Documentation of Results
32.9. Remediation of Gaps
32.10. Continuous Validation

33. Incident Response Integration
33.1. Detection and Response Overview
33.2. Alert to Incident Workflow
33.3. IR Playbooks
33.4. Case Management Integration
33.5. Automated Response Actions
33.6. Communication with IR Teams
33.7. Evidence Preservation
33.8. Lessons Learned Process
33.9. Retrospective Analysis
33.10. IR Metrics

34. Threat Hunting and SIEM
34.1. Threat Hunting Overview
34.2. Hypothesis-driven Hunting
34.3. Data Source Selection
34.4. Query Development
34.5. Using SIEM for Hunting
34.6. Hunt Team Collaboration
34.7. Documentation of Hunts
34.8. Hunt Metrics
34.9. Lessons Learned
34.10. Integrating Hunt Findings into Detection

35. Regulatory Compliance and Detection
35.1. Compliance Overview
35.2. Common Regulations (GDPR, HIPAA, PCI)
35.3. Mapping Detections to Controls
35.4. Compliance Reporting
35.5. Audit Trail Requirements
35.6. Data Retention Compliance
35.7. Compliance-driven Use Cases
35.8. Responding to Audits
35.9. Continuous Compliance Monitoring
35.10. Regulatory Change Management

36. Purple Teaming and Detection Engineering
36.1. Purple Teaming Overview
36.2. Collaboration Models
36.3. Attack Simulation
36.4. Detection Efficacy Measurement
36.5. Feedback Loops
36.6. Use Case Improvement
36.7. Lessons Learned
36.8. Reporting Purple Team Results
36.9. Continuous Improvement
36.10. Purple Team Tools

37. SIEM Performance Tuning
37.1. SIEM Performance Metrics
37.2. Bottleneck Identification
37.3. Scaling SIEM Infrastructure
37.4. Data Ingestion Optimization
37.5. Query Performance Tuning
37.6. Storage Optimization
37.7. Load Balancing
37.8. Archival Strategies
37.9. Monitoring SIEM Health
37.10. Performance Tuning Documentation

38. Security Orchestration, Automation and Response (SOAR)
38.1. SOAR Overview
38.2. SOAR Architecture
38.3. Playbook Automation
38.4. SOAR and SIEM Integration
38.5. Case Management
38.6. Automated Response Actions
38.7. Metrics and Reporting
38.8. Human-in-the-loop Automation
38.9. SOAR Challenges
38.10. SOAR Best Practices

39. Data Privacy and Detection Engineering
39.1. Data Privacy Principles
39.2. Data Minimization
39.3. Privacy by Design
39.4. Anonymization Techniques
39.5. Data Masking
39.6. Privacy Impact Assessment
39.7. Privacy Regulations (GDPR, CCPA)
39.8. Consent Management
39.9. Privacy-aware Detection
39.10. Balancing Privacy and Security

40. Security Data Lake and SIEM
40.1. What is a Security Data Lake?
40.2. Differences from SIEM
40.3. Data Lake Architectures
40.4. Data Ingestion Pipelines
40.5. Data Normalization in Data Lakes
40.6. Querying in Data Lakes
40.7. Integrating SIEM with Data Lake
40.8. Use Case Examples
40.9. Cost Considerations
40.10. Data Lake Security

41. SIEM Project Management
41.1. SIEM Project Lifecycle
41.2. Project Planning
41.3. Stakeholder Identification
41.4. Requirements Gathering
41.5. Resource Allocation
41.6. Project Execution
41.7. Risk Management
41.8. Change Management
41.9. Project Metrics
41.10. Project Closure

42. Managing Detection Engineering Teams
42.1. Team Structure
42.2. Role Definitions
42.3. Hiring Strategies
42.4. Skills Development
42.5. Team Collaboration
42.6. Performance Metrics
42.7. Motivation and Retention
42.8. Cross-team Communication
42.9. Remote Team Management
42.10. Continuous Learning

43. Security Analytics Platforms
43.1. Overview of Security Analytics
43.2. Key Features
43.3. Comparison with SIEM
43.4. Data Science in Security Analytics
43.5. Custom Analytics Use Cases
43.6. Integration with SIEM
43.7. Visualization Capabilities
43.8. Vendor Landscape
43.9. Analytics Metrics
43.10. Future of Security Analytics

44. Open Source Tools for Detection Engineering
44.1. SIEM Open Source Overview
44.2. ELK Stack
44.3. Wazuh
44.4. TheHive
44.5. Sigma
44.6. MISP
44.7. Suricata
44.8. Zeek
44.9. Osquery
44.10. Open Source Integration

45. Red Teaming and Detection Improvement
45.1. Red Teaming Overview
45.2. Red Team vs. Blue Team
45.3. Red Team Objectives
45.4. Detection Gaps Identification
45.5. Purple Team Collaboration
45.6. Attack Simulation Tools
45.7. Feedback to Detection Engineering
45.8. Reporting and Metrics
45.9. Continuous Improvement
45.10. Lessons Learned

46. Deception Technologies and SIEM
46.1. What is Deception Technology?
46.2. Honeypots
46.3. Honeytokens
46.4. Deception in Detection Engineering
46.5. Integrating Deception with SIEM
46.6. Alerting on Deception Events
46.7. Use Case Development
46.8. Deception Metrics
46.9. Challenges and Risks
46.10. Deception Best Practices

47. Zero Trust and Detection Engineering
47.1. Zero Trust Principles
47.2. Identity-centric Detection
47.3. Micro-segmentation Monitoring
47.4. Least Privilege Detection
47.5. Zero Trust Architecture
47.6. Integration with SIEM
47.7. Use Case Examples
47.8. Zero Trust Metrics
47.9. Implementation Challenges
47.10. Zero Trust Maturity

48. Detection Engineering Case Studies
48.1. Real-world Ransomware Detection
48.2. Insider Threat Case Study
48.3. Cloud Attack Detection
48.4. APT Attack Detection
48.5. Supply Chain Attack Detection
48.6. Phishing Attack Response
48.7. Detection Rule Optimization
48.8. SIEM Migration Case Study
48.9. Automation in Detection
48.10. Lessons Learned

49. Future of Detection Engineering
49.1. Emerging Trends
49.2. AI in Detection Engineering
49.3. Cloud-native Detection
49.4. Automation and Orchestration
49.5. Privacy-centric Detection
49.6. Quantum Security Impacts
49.7. IoT Detection Challenges
49.8. Regulatory Changes
49.9. Cross-domain Detection
49.10. Skills of the Future

50. Final Review and Exam Preparation
50.1. Key Concepts Recap
50.2. Common Pitfalls
50.3. Practice Questions
50.4. Use Case Walkthroughs
50.5. SIEM Tool Demos
50.6. Metrics Review
50.7. Real-world Scenarios
50.8. Study Resources
50.9. Exam Strategy
50.10. Q&A Session
