
SEC541: Cloud Security Threat Detection

Full title: SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection

Cloud Security
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course authored by: Shaun McCullough & Ryan Nicholson
  • GIAC Cloud Threat Detection (GCTD)
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Acquire elite cloud threat detection capabilities to identify, analyze, and respond to sophisticated attacks in AWS and Azure environments.

Course Overview

SEC541: Cloud Security Threat Detection immerses students in hands-on labs that focus on detecting threats and investigating attacks across AWS, Azure, and Microsoft 365 environments. Its threat-driven curriculum equips security professionals with practical cloud threat detection techniques through analysis of real-world attacks.

The course begins with an analysis of real-world case studies, followed by implementing detection controls and investigating suspicious activities. From there, you’ll build a detection engineering process and explore cloud-native logging, API monitoring, and effective detection systems tailored to cloud environments. You’ll also gain exposure to cloud threat hunting strategies that enhance proactive detection and reduce response times.

By the end of the course, you’ll have developed practical skills to detect, investigate, and respond to sophisticated cloud threats. Security professionals will gain expertise beyond theory, implementing cloud threat detection strategies that address the critical differences between on-premises and cloud security monitoring.

What You'll Learn

  • Learn how to build a detection engineering program
  • Analyze cloud API logs to detect unauthorized activity
  • Implement effective cloud-native security monitoring
  • Utilize Azure and AWS detection services effectively
  • Apply threat intelligence and generative AI to cloud security
  • Build automation for incident response in the cloud

Business Takeaways

  • Reduce cloud breach detection time and impact
  • Implement cloud-specific security monitoring strategies
  • Establish an effective cloud detection engineering program
  • Enhance visibility across multi-cloud environments
  • Leverage native tooling to minimize security costs
  • Align detection capabilities to actual cloud threats
  • Accelerate incident response with automation

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC541: Cloud Security Threat Detection.

Section 1: Detection of Cloud API and Network Attacks

The course begins with an investigation of a real-world cloud attack, breaking down the tactics and demonstrating how to monitor cloud management APIs. You will analyze API logs, implement network monitoring, and develop detection strategies for unauthorized activities in cloud environments.

Topics covered

  • Cloud attack analysis methodology
  • Detection engineering
  • JSON log parsing techniques
  • Network traffic analysis in the cloud
  • Detection strategy implementation

Labs

  • Investigate attacker evasions with CloudTrail
  • Building detections in CloudWatch
  • Deploying and operating a decoy honey network
  • Network Analysis in the Cloud

Section 2: Compute and Application Attacks

This section focuses on monitoring compute resources, including virtual machines, containers, and serverless functions. You’ll then analyze the Tesla Kubernetes attack, implement logging for compute environments, and develop detection strategies for abnormal behavior patterns in cloud workloads.

Topics covered

  • Virtual machine and container logging architecture
  • Metadata service risks and exploitation techniques
  • Kubernetes and container monitoring and investigation
  • Cloud database attack detection and data exfiltration
  • eBPF and log agent customization for threat detection

Labs

  • Threat intelligence generation
  • Enhanced host visibility
  • Kubernetes command and control
  • Cryptojacking cloud services
  • Cloud storage ransomware

Section 3: Security Services and Investigations

You’ll learn to implement and leverage cloud-native detection services, discovering the best ways to conduct resource inventory, identify sensitive data in unauthorized locations, and centralize security data for comprehensive threat monitoring across cloud environments.

Topics covered

  • Leveraging CSPM and CWP services in Azure and AWS
  • Cloud resource inventory techniques
  • Detecting cross-account role persistence attacks
  • Data exposure and risk evaluation
  • Analyzing activities across log types

Labs

  • Metadata services and GuardDuty setup
  • Detecting command injection in Lambda
  • Macie configuration for data discovery
  • Inspector deployment for vulnerabilities
  • Centralized logging with ElasticSearch

Section 4: Microsoft Ecosystem

You’ll examine Microsoft 365 and Azure-specific detection capabilities and how to incorporate AI into your security program. This section concentrates on techniques to investigate Exchange attacks, use Kusto Query Language for log analysis, and implement Microsoft Defender and Sentinel for comprehensive threat detection in Microsoft cloud environments.

Topics covered

  • Microsoft 365 attack analysis
  • Sentinel strategies and advanced KQL
  • Defender XDR
  • Storage account monitoring
  • Cloud services using AI

Labs

  • Baker221b onboarding and active incidents
  • Suspicious email investigation
  • Authentication attacks and rogue activities
  • Sherlock's Data Breach
  • Sherlock’s AI Assistant

Section 5: Data Shipping, Automation and CloudWars

You will begin by automating incident response in cloud environments and then culminate the course by participating in the CloudWars Challenge. You’ll walk away with strategies to implement automated forensic workflows, and you’ll develop skills in a capstone exercise designed to test your ability to detect and respond to cloud-based threats.

Topics covered

  • Cloud incident response automation
  • Forensic workflow implementation
  • Detection engineering principles
  • Multi-cloud security integration
  • Threat hunting methodologies

Labs

  • Automated forensics workflow setup
  • Results analysis techniques
  • CloudWars Challenge participation

Things You Need To Know

Relevant Job Roles

Cloud Security Analyst

Cloud Security

Using cloud security solutions to respond to incidents and enable defenses


Cyber Threat Intelligence Specialist

European Cybersecurity Skills Framework

Collect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.


Threat Detection & Response

Cloud Security

Monitor, test, detect, and investigate threats to cloud environments.


Incident Response (OPM 531)

NICE: Protection and Defense

Responsible for investigating, analyzing, and responding to network cybersecurity incidents.


Cyber Defense Analyst (DCWF 511)

DoD 8140: Cybersecurity

Monitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.


Course Schedule & Pricing

  • Virtual (OnDemand), instructed by Shaun McCullough: OnDemand (Anytime), self-paced, 4 months access. Price: $8,260 USD*
  • Singapore, SG & Virtual (live), instructed by Ryan Thompson. Price: $8,375 USD*
  • Copenhagen, DK, instructed by Ryan Nicholson. Price: €7,715 EUR*
  • Virginia Beach, VA, US & Virtual (live), instructed by Shaun McCullough. Price: $8,260 USD*
  • Paris, FR, instructed by Ryan Thompson. Price: €7,715 EUR*
  • Las Vegas, NV, US & Virtual (live), instructed by Shaun McCullough. Price: $8,260 USD*
  • Denver, CO, US & Virtual (live), instructed by Ryan Thompson. Price: $8,260 USD*
  • Dallas, TX, US & Virtual (live), instructed by Shaun McCullough. Price: $8,260 USD*

*Prices exclude applicable local taxes.

Showing 8 of 11 scheduled events.

Benefits of Learning with SANS


Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources