SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC555: Detection Engineering and SIEM Analytics
SEC555Cyber Defense
- 5 Days (Instructor-Led)
- 30 Hours (Self-Paced)
Course created by:
Nick Mitropoulos
Course created by:Nick Mitropoulos
- GIAC Certified Detection Analyst (GCDA)
- 30 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 18 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Gain hands-on skills in Detection Engineering and SIEM, learning the processes for understanding logs, enhancing existing logging solutions, and creating detection content that fits your needs.
Featured Quote
SEC555 teaches excellent, pertinent information along with practical, easy-to-follow lab exercises. A tremendously valuable course!
Course Overview
SEC555: Detection Engineering and SIEM Analytics is a hands-on detection engineering training course that teaches students how to design proactive detection strategies and effectively manage SIEM platforms. Through real-world labs and in-depth analysis, participants learn to interpret logs, craft high-quality detection rules, and uncover hidden threats in both cloud and on-premises environments. Whether you're new to detection engineering or looking to sharpen your skills, this course prepares you to extract meaningful insights from complex data and build a more responsive, intelligence-driven Security Operations Center (SOC). It also serves as a valuable preparation path for the GCDA certification (GIAC Cyber Defense Analyst), which validates advanced capabilities in detection engineering and data-driven defense.
What You’ll Learn
- Build and configure your own detection lab environment
- Write detection rules to identify adversary behaviors
- Optimize SIEM architecture for better performance and visibility
- Perform adversary emulation and analyze related log activity
- Evaluate security controls using real log data
- Manage and filter high-volume data from diverse sources
- Gain expertise in SIEM tools (on-prem and cloud), MITRE ATT&CK mapping, SOAR integration, and detection tracking
Business Takeaways
- Identify and mitigate threats in near real-time to reduce business risk
- Evaluate vendors effectively to select the right security partners
- Prioritize threats based on asset importance and business impact
- Build a reliable asset database to monitor critical systems
- Align detection engineering with operational goals
- Improve alert precision to reduce fatigue and boost efficiency
- Support collaboration across IT, security, and compliance teams using detection insights
Meet Your Author
Nick Mitropoulos
Certified InstructorNick has developed advanced detection frameworks and leading SOC resilience strategies across diverse industries. His leadership at Scarlet Dragonfly and contributions to global security standards have fortified defenses against evolving threats.
Read more about Nick MitropoulosCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC555: Detection Engineering and SIEM Analytics.
Section 1Detection Engineering and SIEM Architecture
Section one builds a strong foundation in Detection Engineering and SIEM, covering core concepts, best practices, and modern logging techniques. It prepares students to analyze logs effectively and create agile, scalable detection systems for today’s threat landscape.
Topics covered
- SIEM Introduction
- Detection Engineering Life Cycle & SIEM Planning
- Creating a Detection Lab
- Log Collection and Enrichment
- Log Aggregation, Parsing, and Analysis
Labs
- Using MITRE DeTT&CT to Identify Monitoring Gaps
- Luring the Attacker with a Honeypot
- Introduction to SIEM Components
- Using Abuse IPDB for Data Enrichment
Section 2Network and Endpoint Analytics
This section covers how to collect and enrich logs from key protocols like DNS, SMTP, and HTTP/HTTPS. It also dives into endpoint logs for detecting malicious activity on Windows and Linux systems. Lastly, host-based firewalls and login events are also explored.
Topics covered
- Network Analysis
- Endpoint Analysis
Labs
- Investigating DNS Logs
- Investigating HTTP Logs
- Investigating Windows Logs
- Using auditd
Section 3Baselines and UEBA
This section focuses on methods for maintaining accurate asset inventories and identifying unauthorized devices. Students will learn to combine data sources for a clear network view and gain hands-on experience with baselining and anomaly detection to spot threats like C2 activity or suspicious behavior.
Topics covered
- Asset Discovery
- Application Monitoring and Scripting
- Traffic Monitoring
- User Monitoring and Baselining
Labs
- Using inventory data for threat hunting
- Identifying malicious PowerShell execution
- Cobalt Strike beaconing detection
- Detecting Linux credential attacks
Section 4Cloud Logging and Monitoring
This section focuses on building strong cloud visibility across platforms like AWS and Azure. Students will explore key log types, learn to detect attacker activity, and optimize configurations to close monitoring gaps—ensuring effective defense and rapid response in cloud environments.
Topics covered
- Azure Cloud Logging
- Microsoft Defender Suite and Copilot for Security
- Microsoft Sentinel and KQL
- AWS Cloud Logging
Labs
- Logging Unauthorized Access to Sensitive Data
- Defender for Cloud
- Sentinel and KQL
- Creating an AWS Lab
- Configuring and Testing CloudWatch
Section 5In-Depth Alerting, Post-Mortem Analysis, and Capstone Exercise
This section highlights how to centralize and correlate logs from diverse sources to enhance context and prioritization. It also covers building an automated detection engineering pipeline to streamline operations and speed up the creation of effective detections.
Topics covered
- SIEM Alerting and Analysis
- Post-mortem Analysis
- Detection Engineering Pipelines
- Defend-the-Flag Challenge
Labs
- Identify Log Gaps and Compare With Sigma Coverage
- Using VirusTotal for Malware Detection and Removal
Things You Need To Know
Relevant Job Roles
Blue Teamer - All Around Defender
Cyber DefenseThis job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Nick MitropoulosDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,260 USD*Prices exclude applicable local taxesBuy now for access on Oct 15. Use code Presale10 for 10% off course price!Registration Options - Location & instructor
Chicago, IL, US & Virtual (live)
Instructed by Nick MitropoulosDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Nick MitropoulosDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Riyadh, SA & Virtual (live)
Instructed by Mick DouglasDate & TimeFetching schedule..View event detailsCourse price$8,375 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Nick MitropoulosDate & TimeFetching schedule..View event detailsCourse price€7,715 EUR*Prices exclude applicable local taxes - Location & instructor
Orlando, FL, US & Virtual (live)
Instructed by Mick DouglasDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes - Location & instructor
Virtual (live)
Instructed by Nick MitropoulosDate & TimeFetching schedule..View event detailsCourse price¥1,335,000 JPY*Prices exclude applicable local taxesRegistration Options - Location & instructor
Dallas, TX, US & Virtual (live)
Instructed by Mick DouglasDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
Showing 8 of 11
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3This course uses real-world events and hands-on training to allow me to immediately improve my organization’s security stance. Day one back in the office I was implementing what I learned.
- Slide 2 of 3The course content is simply incredible, and I will likely be referencing it for years to come! Also, the provided VM is top notch. The labs were really informative.
- Slide 3 of 3Overall, this course taught me so much about using a SIEM. I had limited knowledge and skill on using our Security Onion setup, but this course helped developed them with the techniques and concepts taught. It also told me about tools I didn't know we had in our setup. Everyone I work with is rather new to the defensive cybersecurity realm, so there's been a lot to learn.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources