Autoplay
Autocomplete
Dark Mode
Speed
Previous Lesson
Complete and Continue
Detection Engineering for Beginners
Introduction
Welcome! (7:00)
Theory
Security Operations (11:38)
Role Variety (4:54)
Security Incident and Event Management (7:27)
The Detection Engineering Workflow (14:05)
What Makes a Good Detection (4:18)
Technology Stack for Detection Engineering (17:05)
MITRE ATT&CK Framework (4:33)
Navigating the MITRE ATT&CK Matrix (8:08)
Lab Setup
Lab Overview (3:13)
File Downloads (2:31)
Importing ParrotOS into VirtualBox (4:04)
Importing Windows 11 into VirtualBox (3:09)
Ubuntu VirtualBox Installation (5:18)
Creating a VM Snapshot (2:52)
Disabling Windows Defender (2:26)
Installing Zeek (5:42)
Elastic Setup
Elastic Overview (8:57)
Signing Up for Elastic Trial (3:12)
Trial Extending and New Trials (3:55)
Elastic Agent Installation (6:15)
Confirming Zeek Logging With NMAP (4:45)
Testing Windows Elastic Agent Logging with EICAR File and PowerShell (10:44)
Sysmon Overview (2:07)
Installing and Configuring Sysmon (4:30)
Testing Sysmon Logging with EICAR File and PowerShell (6:06)
Improving Our PowerShell Visibility (4:14)
Attack Scenario 1
Attack Overview (1:30)
Setting up the Attack (6:20)
Performing the Attack (5:01)
Creating our first Query Alert (12:19)
Creating our first Threshold Alert (4:56)
Alert Confirmation (9:15)
Attack Scenario 2
Overview (1:28)
Creating and Executing Attack - Part 1 (6:53)
Creating and Executing Attack - Part 2 (10:51)
Reviewing the Attack (10:28)
Creating Alerts (21:02)
Confirming our Detections (11:35)
Attack Scenario 3
Overview (3:52)
Staging our Attack (16:37)
Creating and Executing our Attack (16:27)
Creating our Detections (23:31)
Confirming our Detections (3:42)
Atomic Red Team
Atomic Red Team Introduction (4:23)
Installation (2:37)
Running our First Atomic (12:19)
Writing our First Atomic (6:35)
TOML
TOML Overview (6:21)
Setting up a Development Environment (4:02)
Reviewing Elastic Rule TOML (4:33)
Working with the Elastic Detection Rules Repo (7:58)
Validating TOML Syntax Using Taplo (6:28)
Creating an Elastic TOML Template (8:40)
Enforcing TOML Required Fields (17:48)
Creating a MITRE Object in Python (28:08)
Working with Multiple TOML Files (10:41)
Validating MITRE Data in our TOML - Part 1 (14:39)
Validating MITRE Data in our TOML - Part 2 (14:39)
Converting and Validating our Detections (6:59)
Elastic API
Introduction (1:05)
Obtaining your API Key (1:58)
Pushing a Sample Rule (7:35)
Writing a TOML to JSON Script (18:59)
GET-ing Our First Rule and Managing Rule IDs (8:12)
Working with our Custom Detections (18:28)
Updating our Custom Detections (4:18)
GitHub
Overview (7:46)
GitHub Actions Introduction (5:24)
Uploading our Detections and Code (6:14)
Creating our TOML Validation Action (11:36)
Enforcing Validation Checks (6:28)
Syncing with Elastic - Part 1 (7:45)
Syncing with Elastic - Part 2 (19:03)
Metrics
Overview (2:02)
Converting our TOML to CSV (16:47)
Converting TOML to MD (16:53)
Converting our TOML to Att&ck Navigator .JSON (14:35)
Creating our Metrics GitHub Action (17:11)
Creating Status Badges (2:14)
Conclusion
Farewell (4:00)
Creating a MITRE Object in Python
Lesson content locked
If you're already enrolled,
you'll need to login
.
Enroll in Course to Unlock