SEC555: Detection Engineering and SIEM Analytics

Overview

Logging and analysis are the foundation of modern cyber defense, enabling both rapid response to threats and proactive identification of adversarial activities. When implemented effectively, they serve as the backbone of agile detection, providing deep visibility into the environment and empowering security teams to stay ahead of attackers. Over the years, logging tools and analysis techniques have evolved significantly, offering enhanced capabilities that are critical for modern detection strategies. This section dives into effective tools and cutting-edge techniques for making sense of logs and elevating traditional logging approaches to meet today’s complex security challenges.

Day one sets the stage by equipping all participants with a solid understanding of Detection Engineering and SIEM fundamentals. It establishes a strong baseline, ensuring students are prepared to engage with advanced concepts throughout the course. Additionally, this foundational day focuses on SIEM best practices, laying the groundwork for building efficient and effective detection systems that align with industry-leading methodologies.

Exercises

• Using MITRE DeTTECT to identify monitoring gaps
• Luring the attacker with a honeypot
• Introduction to SIEM components
• Using Abuse IPDB for data enrichment

Topics

• SIEM Introduction
  • Industry statistics and challenges
  • Why we need a SIEM
• Detection Engineering Life Cycle & SIEM Planning
  • What are the goals of Detection Engineering
  • Detection Engineering Life Cycle
  • Choosing an MSSP
• Creating a Detection Lab
  • Detection lab on premises vs on the cloud
  • Vulnerable machines
  • Adding Honeypots
  • Automating Deployment of cloud labs
• Case Management
  • Adding alert data in incident management tools
  • Examples of incident management and case recording tools
• Log Collection and Enrichment
  • Agent vs agentless vs script log collection
  • What data should be used for enrichment
• Log Aggregation, Parsing, and Analysis
  • Log aggregation
  • Data queueing
  • Using a message broker
  • Searching and alerting on ingested data

Overview

The majority of network communication relies on a handful of key protocols, yet many organizations overlook the value of collecting and analyzing this data. We'll explore methods for gathering logs from services like DNS, SMTP and HTTP servers, as well as passive techniques for extracting the same data directly from the network. You’ll also discover how to enrich and add valuable context to this data during the collection process, making it significantly more actionable.

We will also explore endpoint logs, since they are a goldmine for detecting attacks, offering unparalleled visibility into post-compromise activities. When leveraged effectively, they can outshine other sources of detection. We will focus on the critical "why" and "how" of system log collection. You'll have an opportunity to explore various strategies and tools designed to simplify the collection, filtering, and handling of the vast amount of data generated by servers and workstations.

Exercises

• Investigating DNS logs
• Investigating HTTP logs
• Investigating Windows logs
• Using auditd

Topics

Network Analysis

• SMTP
  • Identify sources of unauthorized email
  • Find compromised mail services
  • Fuzzy matching likely phishing domains
• DNS
  • Finding new domains being accessed
  • Gathering additional information, such as domain age
  • Finding randomly named domains
  • Identifying reconnaissance
  • Finding DNS C2 channels
  • Detecting fast flux and DGA
• HTTP/HTTPS
  • Use large datasets to find attacks
  • Identify automated activity vs user activity
  • Filter approved web clients vs unauthorized ones
  • Find HTTP C2 channels
  • Identify suspicious certificates

Endpoint Analysis

• Windows Logs
  • Understanding value
  • Methods of collection
  • Advanced audit policy
  • Adding additional logging (i.e. Sysmon, Group Policy)
• Linux Logs
  • Common log files
  • Syslog and rsyslog
• Host-based firewalls and Login Events
  • Discover internal pivoting
  • Identify unauthorized listening executables
  • See scan activity
  • Monitor for suspicious connections

Overview

“Know thyself” is a cornerstone of effective defense, yet one of the hardest strategies to achieve. Take, for example, something as seemingly simple as maintaining a complete inventory of all assets in your organization and identifying unauthorized devices on your network. While straightforward in theory, this task becomes daunting in today’s dynamic and ever-evolving networks.

This section tackles this challenge head-on, focusing on automated techniques to maintain an accurate list of assets and their configurations while distinguishing authorized from unauthorized devices. You’ll learn how to identify key data sources that provide high-fidelity information and combine multiple streams of data to create a comprehensive and actionable master inventory.

Beyond inventory, we’ll expand into other aspects of “knowing thyself.” You’ll gain hands-on experience with network and system baselining, learning to monitor network flows and detect anomalies like command-and-control (C2) beaconing or unusual user activity.

Exercises

• Using inventory data for threat hunting
• Identifying malicious PowerShell execution
• Cobalt Strike beaconing detection
• Detecting Linux credential attacks

Topics

• Active and Passive Asset Discovery
  • Vulnerability scanners
  • Network Access Control
  • DHCP
  • NetFlow
  • Switch CAM tables
  • Connection monitoring
• Application Monitoring and Scripting
  • Controlling what runs
  • Software monitoring
  • Long tail analysis
  • PowerShell logging
• Traffic Monitoring
  • NetFlow vs sFlow
  • Flow direction matters
  • Transfer sizes
• UEBA
  • Anomaly analysis
  • Establish user activity patterns
  • Create organizational baselines

Overview

As organizations increasingly migrate to the cloud, achieving comprehensive visibility across platforms has never been more critical. This section emphasizes the importance of cross-vendor expertise in configuring robust cloud monitoring to protect your environment. You’ll explore the various log types available, with a focus on those that can be leveraged to strengthen defenses and streamline incident response.

Through hands-on guidance, you’ll become familiar with the key logging tools in Microsoft Azure and AWS. You’ll also analyze how attackers attempt to bypass cloud security measures, uncovering the traces they leave in logs. Finally, you’ll learn how to optimize log configurations to ensure you capture critical events, leaving no gaps in your cloud monitoring strategy. This knowledge is essential to operationalize defenses and maintain a strong security posture in today’s cloud-driven world.

Exercises

• Logging unauthorized access to sensitive data
• Defender for Cloud
• Sentinel and KQL
• Creating an AWS Lab, configuring and testing CloudWatch

Topics

• Azure Cloud Logging
  • Identify Azure log sources
  • Work with EntraID logs (activity, resource, sign-in and audit logs)
  • NSG Flow log extraction
  • Azure Monitor
  • DCR (Data Collection Rules) and AMA (Azure Monitoring Agent)
• Defender Suite and Copilot for Security
  • Defender for Cloud
    • Logic App configuration
    • Alert creation
  • Defender for Endpoint
    • Deployment
    • Troubleshooting
    • Using the Graph Security API
    • Using Graph Explorer
  • Defender XDR and Copilot Introduction
• Microsoft Sentinel and KQL
  • Sentinel functions and architecture
  • Sentinel tables of interest
  • ASIM and normalization
  • Sentinel playbooks
  • KQL structure
  • KQL language and useful operators
• AWS Cloud Logging
  • AWS log types and services
  • CloudTrail
  • CloudWatch
  • GuardDuty
  • Flow Log extraction

Overview

This section emphasizes the power of integrating security logs from multiple sources for centralized analysis. You’ll learn methods to combine and correlate data streams, adding valuable context that enables analysts to prioritize effectively. In addition, you will understand the importance of establishing and creating an automated detection engineering pipeline to streamline your operations and reduce delays when creating new detections.

Exercises

• Identify log gaps with Attack Navigator
• Using VirusTotal for Malware Detection and Removal

Topics

• Alerts
  • Define custom alerts
  • Fine tune alert thresholds
  • Work with Sigma
  • Investigating alerts
  • Correlate with network data
• Post-mortem analysis
  • Re-analyze network traffic
  • Identify malicious domains and IPs
  • Look for beaconing activity
• Detection Engineering Pipelines
  • Traditional vs automated detection engineering
  • CI/CD detection automation workflow
  • Using LLMs for assisted detection engineering
• Defend-the-Flag Challenge - Hands-on Experience
  • The course culminates in a team-based design, detect, and defend the flag competition
  • Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted all week long. From building a logging architecture, augmenting logs, analyzing network logs and system logs, and developing dashboards to find attacks, this challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.