What You Will Learn
Master the Art of Cyber Defense with Detection Engineering and SIEM Analytics
In a world where cyber threats grow more sophisticated by the day, organizations need skilled defenders who can stay one step ahead. This course is your gateway to mastering Detection Engineering—the craft of designing proactive defenses—and SIEM, the core of modern threat detection and response. Whether you're a Security Analyst looking to upskill or a new Detection Analyst, you'll gain the hands-on expertise to detect and investigate attacks. SEC555 is designed to provide students with training, methods, and processes for enhancing existing logging solutions and to promote the creation of healthy detection rules that enable proactive monitoring.
Uncover the Secrets Hidden in the Logs
This course dives deep into the "when, what, and why" behind logs, teaching you how to craft precise detection rules, fine-tune SIEM configurations, and analyze real-world scenarios to expose hidden threats, in both on-premises and cloud environments. You'll master the art of building automated alerts, leveraging data analytics, and understanding adversarial tactics to defend against sophisticated attacks. Security operations today face not a "Big Data" problem, but a "Data Analysis" challenge, and this course equips you to extract actionable insights from vast amounts of data.
Through hands-on learning, you'll demystify SIEM architecture and its integration into a fully operational Security Operations Center (SOC). You'll explore how to tailor and manage SIEM platforms effectively, enriching enterprise log data to uncover critical intelligence for crafting powerful detections.
What Is Detection Engineering?
Detection Engineering is the process of designing, implementing, and maintaining a proactive cybersecurity approach that focuses on identifying and responding to potential threats before they cause harm. It involves crafting precise detection rules, optimizing log collection and analysis, and building resilient systems to enhance threat visibility. Detection Engineering is essential for modern security operations, enabling teams to outpace adversaries and safeguard organizational assets effectively.
Business Takeaways
- Reduce business risk by identifying and mitigating threats in near real-time.
- Establish a process of proper vendor evaluation to choose suitable security partners.
- Prioritize threats based on potential business impact and asset criticality.
- Compile an effective asset database to aid monitoring of critical assets.
- Understand how detection engineering aligns with broader organizational objectives, such as regulatory compliance and operational efficacy.
- Gain insight into the importance of detection precision to avoid alert fatigue and operational inefficiencies.
- Explore how detection engineering supports cross-departmental collaboration with teams such as IT, security, and compliance.
- Assess and manage risks effectively by leveraging detection data to inform business-critical decisions.
- Adopt a strategy promoting system scalability.
Skills Learned
- Learn how to create a detection lab.
- Create rules for adversary detection.
- Optimize your SIEM architecture.
- Use tools to perform adversary emulation, so you can review related activity logs.
- Use log data to establish security control effectiveness.
- Simplify the handling and filtering of the large amount of data generated by various devices.
- Gain insight into both on-premises and cloud SIEM tools and log sources.
- Obtain knowledge of MITRE ATT&CK and gain an ability to map detections to specific tactics and techniques.
- Record and monitor detection capabilities across numerous data sources.
- Learn how SOAR optimization can significantly enhance detection engineering and reduce response time.
- Establish baselines, identify trends, and discover outliers, pointing to adversary activity.
Hands-On Detection Engineering Training
The hands-on portion of SEC555 is uniquely tailored to give students a problem-solving perspective by investigating logs from real incidents, using both on-premises and cloud-based tools. In addition, students will have the opportunity to use tools for automating detection lab deployment, recording incidents and use cases, and performing use-case testing.
Syllabus Summary
- Section 1: Detection Engineering and SIEM Architecture.
- Section 2: Network and Endpoint Analytics.
- Section 3: Baselines and UEBA.
- Section 4: Cloud Logging and Monitoring.
- Section 5: In-Depth Alerting, Post-Mortem Analysis and Capstone Exercise.
What You Will Receive
- Printed and electronic courseware.
- Online Electronic Workbook for all lab exercises.
- ISO files with virtual machines necessary for executing the labs.
- Log data and packet captures from numerous log sources.
What Comes Next?
Depending on your current role or plans, one of these courses is a great next step in your security journey:
- Security Analyst/Intrusion Detection
- Security Engineer
- Cloud Security Analyst
- SOC Leadership
Syllabus (30 CPEs)
Detection Engineering and SIEM Architecture
Overview
Logging and analysis are the foundation of modern cyber defense, enabling both rapid response to threats and proactive identification of adversarial activities. When implemented effectively, they serve as the backbone of agile detection, providing deep visibility into the environment and empowering security teams to stay ahead of attackers. Over the years, logging tools and analysis techniques have evolved significantly, offering enhanced capabilities that are critical for modern detection strategies. This section dives into effective tools and cutting-edge techniques for making sense of logs and elevating traditional logging approaches to meet today’s complex security challenges.
Day one sets the stage by equipping all participants with a solid understanding of Detection Engineering and SIEM fundamentals. It establishes a strong baseline, ensuring students are prepared to engage with advanced concepts throughout the course. Additionally, this foundational day focuses on SIEM best practices, laying the groundwork for building efficient and effective detection systems that align with industry-leading methodologies.
Topics
- SIEM Introduction
  - Industry statistics and challenges
  - Why we need a SIEM
- Detection Engineering Life Cycle & SIEM Planning
  - What are the goals of Detection Engineering
  - Detection Engineering Life Cycle
  - Choosing an MSSP
- Creating a Detection Lab
  - Detection lab on premises vs in the cloud
  - Vulnerable machines
  - Adding honeypots
- Case Management
  - Adding alert data in incident management tools
  - Examples of incident management and case recording tools
- Log Collection and Enrichment
  - Agent vs agentless vs script log collection
  - What data should be used for enrichment
- Log Aggregation, Parsing, and Analysis
  - Log aggregation
  - Data queueing
  - Using a message broker
  - Searching and alerting on ingested data
- Service Log Collection
  - Using network sensors to collect logs
Network and Endpoint Analytics
Overview
The majority of network communication relies on a handful of key protocols, yet many organizations overlook the value of collecting and analyzing this data. We'll explore methods for gathering logs from services like DNS, SMTP and HTTP servers, as well as passive techniques for extracting the same data directly from the network. You’ll also discover how to enrich and add valuable context to this data during the collection process, making it significantly more actionable.
We will also explore endpoint logs, since they are a goldmine for detecting attacks, offering unparalleled visibility into post-compromise activities. When leveraged effectively, they can outshine other sources of detection. We will focus on the critical "why" and "how" of system log collection. You'll have an opportunity to explore various strategies and tools designed to simplify the collection, filtering, and handling of the vast amount of data generated by servers and workstations.
Topics
Network Analysis
- SMTP
  - Identify sources of unauthorized email
  - Find compromised mail services
  - Fuzzy matching of likely phishing domains
- DNS
  - Finding new domains being accessed
  - Gathering additional information, such as domain age
  - Finding randomly named domains
  - Identifying reconnaissance
  - Finding DNS C2 channels
- HTTP
  - Use large datasets to find attacks
  - Identify automated activity vs user activity
  - Filter approved web clients vs unauthorized ones
  - Find HTTP C2 channels
- Intrusion Detection Systems
  - NIDS vs NIPS
  - Making sense of the alert data
  - Rule metadata
Endpoint Analysis
- Windows Logs
  - Understanding value
  - Methods of collection
  - Adding additional logging (e.g., Sysmon, Group Policy)
- Linux Logs
  - Common log files
  - Syslog types
- Host-based firewalls
  - Discover internal pivoting
  - Identify unauthorized listening executables
  - See scan activity
Baselines and UEBA
Overview
“Know thyself” is a cornerstone of effective defense, yet one of the hardest strategies to achieve. Take, for example, something as seemingly simple as maintaining a complete inventory of all assets in your organization and identifying unauthorized devices on your network. While straightforward in theory, this task becomes daunting in today’s dynamic and ever-evolving networks.
This section tackles this challenge head-on, focusing on automated techniques to maintain an accurate list of assets and their configurations while distinguishing authorized from unauthorized devices. You’ll learn how to identify key data sources that provide high-fidelity information and combine multiple streams of data to create a comprehensive and actionable master inventory.
Beyond inventory, we’ll expand into other aspects of “knowing thyself.” You’ll gain hands-on experience with network and system baselining, learning to monitor network flows and detect anomalies like command-and-control (C2) beaconing or unusual user activity.
Topics
- Active Asset Discovery
  - Vulnerability scanners
  - Network Access Control
- Passive Asset Discovery
  - DHCP
  - NetFlow
  - Switch CAM tables
- Identify authorized vs unauthorized software
  - Asset inventory systems
  - Patch management
  - Whitelisting solutions
  - Process monitoring
- Baseline Data
  - Compare expected inbound/outbound protocols
  - Find persistence and beaconing
  - Establish device-to-device relationships
  - Identify lateral movement
- UEBA
  - Configure enterprise-wide baseline collection
  - Large-scale persistence monitoring
  - Finding abnormal local user accounts
Cloud Logging and Monitoring
Overview
As organizations increasingly migrate to the cloud, achieving comprehensive visibility across platforms has never been more critical. This section emphasizes the importance of cross-vendor expertise in configuring robust cloud monitoring to protect your environment. You’ll explore the various log types available, with a focus on those that can be leveraged to strengthen defenses and streamline incident response.
Through hands-on guidance, you’ll become familiar with the key logging tools in Microsoft Azure and AWS. You’ll also analyze how attackers attempt to bypass cloud security measures, uncovering the traces they leave in logs. Finally, you’ll learn how to optimize log configurations to ensure you capture critical events, leaving no gaps in your cloud monitoring strategy. This knowledge is essential to operationalize defenses and maintain a strong security posture in today’s cloud-driven world.
Topics
- Azure Cloud Logging
  - Identify Azure log sources
  - Work with Entra ID logs (activity, resource, sign-in and audit logs)
  - NSG Flow log extraction
  - Azure Monitor
  - DCR (Data Collection Rules) and AMA (Azure Monitor Agent)
- Defender Suite and Copilot for Security
  - Defender for Cloud
    - Logic App configuration
    - Alert creation
  - Defender for Endpoint
    - Deployment
    - Troubleshooting
    - Using the Graph Security API
    - Using Graph Explorer
  - Defender XDR and Copilot Introduction
- Microsoft Sentinel and KQL
  - Sentinel functions and architecture
  - Sentinel tables of interest
  - ASIM and normalization
  - Sentinel playbooks
  - KQL structure
  - KQL language and useful operators
- AWS Cloud Logging
  - AWS log types and services
  - CloudTrail
  - CloudWatch
  - GuardDuty
  - Flow Log extraction
In-Depth Alerting, Post-Mortem Analysis, and Capstone Exercise
Overview
This section emphasizes the power of integrating security logs from multiple sources for centralized analysis. You’ll learn methods to combine and correlate data streams, adding valuable context that enables analysts to prioritize effectively. By integrating asset data with security alerts, we’ll demonstrate how to maximize analyst efficiency, reduce costs, and focus on addressing the most critical risks.
Topics
- Alerts
  - Define custom alerts
  - Fine-tune alert thresholds
  - Work with Sigma
  - Investigating alerts
  - Correlate with network data
- Post-mortem analysis
  - Re-analyze network traffic
  - Identify malicious domains and IPs
  - Look for beaconing activity
  - Identify unusual time-based activity
  - Use threat intel to reassess previously collected data fields such as user-agents
  - Utilize hashes in logs to continuously re-evaluate for known bad files
- Automated Detection Pipeline
  - Detection rule documentation
  - Validating rule operation
- Defend-the-Flag Challenge - Hands-on Experience
  - The course culminates in a team-based design, detect, and defend-the-flag competition
  - Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted all week long. From building a logging architecture, augmenting logs, analyzing network logs, analyzing system logs, and developing dashboards to find attacks, this challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.
GIAC Certified Detection Analyst
The GIAC Certified Detection Analyst (GCDA) certification proves an individual knows how to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity.
- SIEM Architecture and SOF-ELK
- Service Profiling, Advanced Endpoint Analytics, Baselining and User Behavior Monitoring
- Tactical SIEM Detection and Post-Mortem Analysis
Prerequisites
A basic understanding of:
- TCP/IP
- Logging methods and techniques
- Overall operating system fundamentals
Nice-to-haves:
- Logging systems experience (both network and host)
- Command-line activity familiarization
- Detection engineering and/or SIEM tool exposure
Laptop Requirements
Important! Bring your own system configured according to these instructions.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.
Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.
Mandatory SEC555 System Hardware Requirements
- CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
- CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
- 16GB of RAM or more is required.
- 50GB of free storage space or more is required.
- At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
- Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
Mandatory SEC555 Host Configuration And Software Requirements
- Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
- Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
- Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
- Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
- Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
- Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
- On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
- Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.
Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.
Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.
If you have additional questions about the laptop specifications, please contact customer service.
Author Statement
"Working in security for over two decades, you begin to see the core challenge Security Operations teams are facing: it's not just about tools or processes—it's about mindset. The reactive nature of our industry keeps us a step behind adversaries, focusing too heavily on post-intrusion actions. The truth is simple: While prevention is ideal, detection is essential. SEC555 is designed to transform how you approach detection by teaching you to build a foundation for optimizing your logging and SIEM capabilities. By doing so, you'll shift from reactive firefighting to proactive threat visibility, enabling you to detect and respond to threats before they escalate. It’s about turning the tables and taking control of your environment early, rather than scrambling to implement use cases after an attack has already occurred.
This course is crafted to empower security professionals to not only master the technical intricacies of SIEM tools and detection frameworks but also to understand their broader business implications. By focusing on practical, hands-on learning, participants will gain actionable skills to identify, investigate, and mitigate threats effectively while aligning their efforts with organizational objectives.
From log analysis to leveraging frameworks like MITRE ATT&CK, this course integrates industry best practices and real-world scenarios to ensure relevance in today’s dynamic threat landscape. Whether you’re a seasoned SOC analyst, a security architect, or a threat hunter, this course equips you with the knowledge and tools to design scalable, efficient, and impactful detection systems. My hope is that every participant leaves not only with enhanced technical expertise but also with a deeper appreciation of how their role contributes to safeguarding their organization in an ever-evolving digital world."