Advanced Detection Engineering training
FalconForce is proud to offer a comprehensive training for security professionals that will help them boost their detection engineering skills. The program is flexible enough to fit into even busy schedules, and its realistic lab exercises give participants hands-on experience, making this course an unparalleled opportunity.
The instructor-led training covers the entire detection engineering cycle, guiding participants in defining a scope, researching the relevant (sub-)techniques, investigating which logs can be utilized, building the detection analytic, and validating the resilience of the analytic against evasion.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations. The student is free to decide whether to perform the hands-on exercises using either Microsoft Sentinel or Defender for Endpoint. While hands-on exercises focus predominantly on the endpoint, the methodology can be applied to any part of an infrastructure.
Who should take the training
Medior-level detection engineers, SOC analysts, threat hunters, red teamers.
The methodology will enable anyone with a hands-on role in security to improve the security posture of their company.
The training is offered in a 2-day and a 4-day version. The key difference is that the 4-day training includes many more hands-on exercises. The 2-day version of the training can also be facilitated as 4 half-day sessions.
After a quick introduction to the field of detection engineering, we will continue with the following topics:
- MITRE ATT&CK.
- Detection engineering principles & theory.
- Information resources and using threat information.
- Understanding your data and developing hypotheses.
- Researching technology and techniques.
- Detection techniques & creating analytics for resilient detections.
- (Open source) tooling.
- Detection improvement and detection validation.
Microsoft Sentinel, Microsoft Defender for Endpoint and Sysmon are used from day 1. Days 2, 3 and 4 of the training are full days of purple-team detection engineering hands-on lab sessions, focusing on the following MITRE ATT&CK tactics: Initial Access, Privilege Escalation, Lateral Movement, and Persistence.
For each tactic, we analyze tools, create detections, modify the tools for evasion, and build resilient detections. Every day has multiple exercises that guide you through the detection engineering methodology, enabling you to immediately apply the gained skills within your organization.