
SEC555: Detection Engineering and SIEM Analytics

SEC555 (Cyber Defense)
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course created by: Nick Mitropoulos
Formerly titled SEC555: SIEM with Tactical Analytics
  • GIAC Certified Detection Analyst (GCDA)
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 18 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Gain hands-on skills in Detection Engineering and SIEM, learning the processes for understanding logs, enhancing existing logging solutions, and creating detection content that fits your needs.

Course Overview

SEC555: Detection Engineering and SIEM Analytics is a hands-on detection engineering training course that teaches students how to design proactive detection strategies and effectively manage SIEM platforms. Through real-world labs and in-depth analysis, participants learn to interpret logs, craft high-quality detection rules, and uncover hidden threats in both cloud and on-premises environments. Whether you're new to detection engineering or looking to sharpen your skills, this course prepares you to extract meaningful insights from complex data and build a more responsive, intelligence-driven Security Operations Center (SOC). It also serves as a preparation path for the GIAC Certified Detection Analyst (GCDA) certification, which validates advanced capabilities in detection engineering and data-driven defense.

What You’ll Learn

  • Build and configure your own detection lab environment
  • Write detection rules to identify adversary behaviors
  • Optimize SIEM architecture for better performance and visibility
  • Perform adversary emulation and analyze related log activity
  • Evaluate security controls using real log data
  • Manage and filter high-volume data from diverse sources
  • Gain expertise in SIEM tools (on-prem and cloud), MITRE ATT&CK mapping, SOAR integration, and detection tracking

Business Takeaways

  • Identify and mitigate threats in near real-time to reduce business risk
  • Evaluate vendors effectively to select the right security partners
  • Prioritize threats based on asset importance and business impact
  • Build a reliable asset database to monitor critical systems
  • Align detection engineering with operational goals
  • Improve alert precision to reduce fatigue and boost efficiency
  • Support collaboration across IT, security, and compliance teams using detection insights

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC555: Detection Engineering and SIEM Analytics.

Section 1: Detection Engineering and SIEM Architecture

Section one builds a strong foundation in Detection Engineering and SIEM, covering core concepts, best practices, and modern logging techniques. It prepares students to analyze logs effectively and create agile, scalable detection systems for today’s threat landscape.

Topics covered

  • SIEM Introduction
  • Detection Engineering Life Cycle & SIEM Planning
  • Creating a Detection Lab
  • Log Collection and Enrichment
  • Log Aggregation, Parsing, and Analysis

Labs

  • Using MITRE DeTT&CT to Identify Monitoring Gaps
  • Luring the Attacker with a Honeypot
  • Introduction to SIEM Components
  • Using Abuse IPDB for Data Enrichment

Section 2: Network and Endpoint Analytics

This section covers how to collect and enrich logs from key protocols such as DNS, SMTP, and HTTP/HTTPS. It also dives into endpoint logs for detecting malicious activity on Windows and Linux systems, and explores host-based firewall and login events.

Topics covered

  • Network Analysis
  • Endpoint Analysis

Labs

  • Investigating DNS Logs
  • Investigating HTTP Logs
  • Investigating Windows Logs
  • Using auditd

Section 3: Baselines and UEBA

This section focuses on methods for maintaining accurate asset inventories and identifying unauthorized devices. Students will learn to combine data sources for a clear network view and gain hands-on experience with baselining and anomaly detection to spot threats like C2 activity or suspicious behavior.

Topics covered

  • Asset Discovery
  • Application Monitoring and Scripting
  • Traffic Monitoring
  • User Monitoring and Baselining

Labs

  • Using inventory data for threat hunting
  • Identifying malicious PowerShell execution
  • Cobalt Strike beaconing detection
  • Detecting Linux credential attacks

Section 4: Cloud Logging and Monitoring

This section focuses on building strong cloud visibility across platforms like AWS and Azure. Students will explore key log types, learn to detect attacker activity, and optimize configurations to close monitoring gaps—ensuring effective defense and rapid response in cloud environments.

Topics covered

  • Azure Cloud Logging
  • Microsoft Defender Suite and Copilot for Security
  • Microsoft Sentinel and KQL
  • AWS Cloud Logging

Labs

  • Logging Unauthorized Access to Sensitive Data
  • Defender for Cloud
  • Sentinel and KQL
  • Creating an AWS Lab
  • Configuring and Testing CloudWatch

Section 5: In-Depth Alerting, Post-Mortem Analysis, and Capstone Exercise

This section highlights how to centralize and correlate logs from diverse sources to enhance context and prioritization. It also covers building an automated detection engineering pipeline to streamline operations and speed up the creation of effective detections.

Topics covered

  • SIEM Alerting and Analysis
  • Post-mortem Analysis
  • Detection Engineering Pipelines
  • Defend-the-Flag Challenge

Labs

  • Identify Log Gaps and Compare With Sigma Coverage
  • Using VirusTotal for Malware Detection and Removal

Things You Need To Know

Relevant Job Roles

Blue Teamer - All Around Defender

Cyber Defense

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.


Course Schedule & Pricing

  • Virtual (OnDemand), Self-Paced, 4 months access. Instructed by Nick Mitropoulos. $8,260 USD (buy now for access on Oct 15; code Presale10 gives 10% off the course price).
  • Chicago, IL, US & Virtual (live). Instructed by Nick Mitropoulos. $8,260 USD.
  • Las Vegas, NV, US & Virtual (live). Instructed by Nick Mitropoulos. $8,260 USD.
  • Riyadh, SA & Virtual (live). Instructed by Mick Douglas. $8,375 USD.
  • Amsterdam, NL & Virtual (live). Instructed by Nick Mitropoulos. €7,715 EUR.
  • Orlando, FL, US & Virtual (live). Instructed by Mick Douglas. $8,260 USD.
  • Virtual (live). Instructed by Nick Mitropoulos. ¥1,335,000 JPY.
  • Dallas, TX, US & Virtual (live). Instructed by Mick Douglas. $8,260 USD.

Prices exclude applicable local taxes. Showing 8 of 11 scheduled events; group purchase options are available on request.
