Workshop: SOC Detection Engineering Crash Course

Module 1: Architecture and Data Collection

We begin by demystifying the “stack.” Students will set up a cloud-based SIEM and deploy agents to a Windows victim machine. We will cover the flow of data from the endpoint to the analyst’s dashboard and how to verify agent health.

Module 2: The Language of Logs

Before you can detect, you must know how to search. This module covers the essentials of Query Languages. We will move beyond basic keyword searches to structured queries, utilizing Boolean logic and field-specific searching to find the needle in the haystack.

Module 3: The Detection Lifecycle & Research

Detection is science. We introduce the Detection Engineering Process: Research -> Query -> Backtest -> Canary -> Documentation -> Onboarding. We will look at sources for detection ideas (threat reports, CVEs) and how to document them effectively.

Module 4: Building the Logic

Students will construct their first detection rule mapped to MITRE ATT&CK techniques. We will cover rule components, including trigger logic, severity scoring, look-back times, and suppression techniques.

Module 5: Validation with Atomic Red Team

A rule isn’t finished until it’s tested. We will use the Atomic Red Team framework to execute a live attack simulation on our lab VM. Students will verify that their new detection triggers correctly against simulated malicious behavior.

Module 6: Tuning and Maintenance

The work doesn’t end at deployment. We will discuss the “Continuous Improvement” phase. Students will generate benign noise, analyze the alert volume, and implement precise exception logic to tune the rule without blinding the SOC to actual threats.