Course Overview
Detection Engineering for Beginners teaches core concepts and skills to start thinking and working as a Detection Engineer!
This course will first teach the theory behind security operations and detection engineering. We'll then start building out our home lab using VirtualBox and Elastic's security offering. Then we'll run through three different attack scenarios, each more complex than the one prior. We'll make detections off of our attacks, and learn how to document our detections. Next we'll dive more into coding and Python by writing validation scripts and learning out to interact with Elastic through their API. Wrapping everything up, we'll host all our detections on GitHub and sync with Elastic through our own GitHub Action automations. As a cherry on top, we'll have a final section on how to write scripts to gather important metrics and visualizations.
This course takes students from A-Z on the detection engineering lifecycle and technical implementation of a detection engineering architecture.
While this course is marketed as entry level, any prerequisite knowledge will help in the courses learning curve. Familiarity with security operations, searching logs, security analysis, or any related skillset will be helpful (but ultimately not required).
Requirements:
The ability to run 2-3 VMs on a local machine:
* Ubuntu Linux
* ParrotOS
* Windows 11
Minimum Requirements:
CPU Cores: 4
RAM: 8gb
Hard Drive Space: 50GB
Recommended Requirements:
CPU Cores: 6+
RAM: 16GB+
Hard Drive Space: 50GB+
You can technically get by with the main host having only a couple cores and 8 gigs of RAM, but any additional resources that can be assigned to your VMs will make the process smoother.
Learning Objectives:
* Understanding of Security Operations
* Understanding of the various log generating systems that Detection Engineers can use
* Learn how to create ad-hoc offensive tests to generate logs for detection creation
* Learn how to work within a testing framework to generate logs for detection creation
* Understanding how to properly document your detections
* Learn how to write your own code to validate your detection documents
* Learn how to use Python to interact with a SIEM's API to push and pull detection data
* Learn to use GitHub Actions to facilitate all our custom checks and API interactions
* Learn how to write your own code to help create detection metrics
Course Curriculum - 11 Hours
- Elastic Overview (8:57)
- Signing Up for Elastic Trial (3:12)
- Trial Extending and New Trials (3:55)
- Elastic Agent Installation (6:15)
- Confirming Zeek Logging With NMAP (4:45)
- Testing Windows Elastic Agent Logging with EICAR File and PowerShell (10:44)
- Sysmon Overview (2:07)
- Installing and Configuring Sysmon (4:30)
- Testing Sysmon Logging with EICAR File and PowerShell (6:06)
- Improving Our PowerShell Visibility (4:14)
- TOML Overview (6:21)
- Setting up a Development Environment (4:02)
- Reviewing Elastic Rule TOML (4:33)
- Working with the Elastic Detection Rules Repo (7:58)
- Validating TOML Syntax Using Taplo (6:28)
- Creating an Elastic TOML Template (8:40)
- Enforcing TOML Required Fields (17:48)
- Creating a MITRE Object in Python (28:08)
- Working with Multiple TOML Files (10:41)
- Validating MITRE Data in our TOML - Part 1 (14:39)
- Validating MITRE Data in our TOML - Part 2 (14:39)
- Converting and Validating our Detections (6:59)
This course is included in our
All-Access Membership
starting at $29.99/month
Get full access to the Practical Ethical Hacking course and our full course catalog when you enroll in our All-Access Pass Membership.
About the Instructor
My name is Anthony Isherwood. I am a seasoned security professional with past roles in incident response, vulnerability management, SIEM engineering, security architecture, SOC coaching, and consulting. I currently enjoy working as Lead Detection Engineer for a large media company, focusing on detection creation, automation, and adversary emulation.
I have taken red team courses and certs such as TCM's own Practical Ethical Hacking course, VirtualHackingLabs, and obtained the OSCP. In addtion, I also obtained the GIAC Reverse Engineering Malware GREM certification and have a couple lapsed Comptia certs such as the Security+ and CySA+.
I truly love this field! My goal is to enable others to accelerate their growth and enjoy the field as much as I do.
Outside of my professional work, I enjoy lifting in my home gym or playing some games to unwind at night. I have a beautiful family, a wife and son, who always drive me to be the best version of myself I can be. A special shoutout to my wife, who shouldered extra responsibility as I was developing and creating this course!
Courses Included in the All-Access Membership
Frequently Asked Questions
Can I get a refund if I'm unhappy with my purchase?
Yes. All purchases come with a 3-day money-back guarantee.
Will I receive a certificate of completion when I finish a course?
Yes. All courses come with a certificate of completion.
Do the courses count as Continuing Education Units (CEUs)?
Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.
What is the All-Access Pass?
As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.
What if you already own courses on TCM Academy?
If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.