
The Bank SOC Analyst Detection Engineering Playbook

$199.00

A focused course, tailored for you


Move from alert triage to authored detections that survive FFIEC examiner review and CISO quarterly attestation.

Your queue clears every shift, but if an examiner asked who wrote the rule that flagged the wire-fraud staging behaviour at 03:14, the honest answer is a vendor content pack last tuned in a different bank.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A bank SOC analyst is graded on alerts handled and mean time to acknowledge, but the question the examiner and the CISO actually care about is detection quality: which behaviours we cover, which we deliberately accept the risk on, and how we evidence that the coverage is current. Most analysts inherit a SIEM full of vendor rules nobody on the team authored. When examiners ask for a rationale, the trail goes cold. The skill the role needs now is the ability to author detections, justify them against an ATT&CK-grounded coverage map, peer-review them through a detection-as-code workflow, and produce the artefacts that satisfy FFIEC IT exam scope. That is the path from triage analyst to detection engineer inside the same bank SOC.

What you walk away with

  • Author detections you can defend in writing to an examiner and a CISO.
  • Build an ATT&CK and D3FEND coverage map tied to your bank's actual threat profile.
  • Run a detection-as-code review that catches false-positive blast radius before merge.
  • Produce FFIEC-aligned detection efficacy evidence on a quarterly cadence.
  • Move from triage analyst posture to detection engineer track inside the same SOC.

The 12 modules

Module 1. Bank threat profile and detection scope
Translate the bank's actual threat picture (wire fraud staging, ACH manipulation, account takeover, insider data exfiltration, third-party fintech integration risk) into a written detection scope document. Map the scope against the SOC's licensed data sources and identify the visibility gaps before any rule is written. This is the document examiners ask for first.
Module 2. ATT&CK coverage mapping for a US bank SOC
Build a living MITRE ATT&CK coverage map for the bank. Score each technique with its current detection state, data source confidence, and false-positive history. Cover the Enterprise and Mobile matrices plus the financial-services attack patterns relevant to wire transfer and ACH systems. The map becomes the artefact the CISO and audit reference quarterly.
Module 3. Detection authoring fundamentals in SPL, KQL, and YARA-L
Author detections in the three SIEM languages the role most often touches. Cover entity resolution, time-window logic, threshold versus anomaly approaches, and the trade-off between precision and recall. Every rule written includes a documented hypothesis, expected true-positive shape, and known false-positive surface.
Module 4. Detection-as-code review workflow
Stand up a Git-backed detection-as-code repository with branch protection, mandatory peer review, automated unit tests against historical bank data, and a deployment pipeline that records who approved which rule and when. The workflow is the evidence trail FFIEC examiners want, and it is the discipline that turns analyst output into engineering output.
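The merge gate described above, as an added example that is not part of the course materials: a detection is checked against labelled fixtures (did it catch every known-bad sample, did it fire on any known-good one) and then run over a benign historical window to measure its false-positive blast radius before it is allowed to merge. The role-assignment event schema, the Saturday 02:00 to 06:00 UTC change window, the blast-radius budget and all sample events are assumptions constructed for illustration, not the course's own fixtures.

```python
"""Detection-as-code merge gate: fixture accuracy plus false-positive blast radius."""
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
CHANGE_WINDOW = (5, 2, 6)   # assumed: Saturday (weekday 5), 02:00 <= hour < 06:00 UTC


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def in_change_window(ts: datetime) -> bool:
    weekday, start, end = CHANGE_WINDOW
    return ts.weekday() == weekday and start <= ts.hour < end


def privileged_role_outside_window_v1(ev: dict) -> bool:
    """Fire on a privileged role grant that has no change ticket or lands outside the window."""
    if ev["role"] not in PRIVILEGED_ROLES:
        return False
    return ev.get("change_ticket") is None or not in_change_window(ev["ts"])


def privileged_role_outside_window_v2(ev: dict) -> bool:
    """A 'broader' rewrite that silently drops the ticket and window checks.
    Fixtures alone would not reject it (recall stays 1.0); the blast radius does."""
    return ev["role"] in PRIVILEGED_ROLES


# Constructed labelled fixtures (event, is_malicious). 2024-03-06 is a Wednesday, 2024-03-09 a Saturday.
FIXTURES = [
    ({"ts": _ts("2024-03-06T03:14:00"), "actor": "svc-backup", "target": "jdoe",
      "role": "Global Administrator", "change_ticket": None}, True),          # no ticket, midweek
    ({"ts": _ts("2024-03-09T04:00:00"), "actor": "admin1", "target": "jdoe",
      "role": "Global Administrator", "change_ticket": "CHG-100"}, False),    # ticketed, in window
    ({"ts": _ts("2024-03-09T11:00:00"), "actor": "admin1", "target": "jdoe",
      "role": "Privileged Role Administrator", "change_ticket": "CHG-101"}, True),  # ticketed but outside hours
    ({"ts": _ts("2024-03-06T10:00:00"), "actor": "admin1", "target": "jdoe",
      "role": "Reader", "change_ticket": None}, False),                       # not a privileged role
]


def constructed_benign_window(n: int = 500) -> list:
    """Synthetic 'normal' role-assignment traffic: routine low-privilege grants plus
    ten ticketed privileged grants inside the change window. Constructed, not real data."""
    base = _ts("2024-03-09T02:00:00")   # Saturday 02:00 UTC, inside the assumed window
    events = []
    for i in range(n):
        if i % 50 == 0:
            events.append({"ts": base + timedelta(minutes=i // 50 * 5), "actor": "admin1",
                           "target": f"user{i}", "role": "Global Administrator",
                           "change_ticket": f"CHG-{200 + i}"})
        else:
            events.append({"ts": base + timedelta(minutes=i), "actor": "helpdesk",
                           "target": f"user{i}", "role": "Reader", "change_ticket": None})
    return events


def evaluate(detection, fixtures, benign_window, blast_budget_per_1k: float = 1.0) -> dict:
    """Score a detection callable. merge_ok requires every malicious fixture caught,
    no benign fixture fired, and a blast radius within budget on the historical window."""
    tp = fp = fn = 0
    for ev, is_malicious in fixtures:
        fired = detection(ev)
        if fired and is_malicious:
            tp += 1
        elif fired and not is_malicious:
            fp += 1
        elif not fired and is_malicious:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fires = sum(1 for ev in benign_window if detection(ev))
    blast = fires * 1000 / len(benign_window)     # fires per 1,000 benign events
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall,
            "blast_per_1k": blast,
            "merge_ok": recall == 1.0 and fp == 0 and blast <= blast_budget_per_1k}


if __name__ == "__main__":
    window = constructed_benign_window()
    for name, det in [("v1", privileged_role_outside_window_v1),
                      ("v2", privileged_role_outside_window_v2)]:
        print(name, evaluate(det, FIXTURES, window))
```

In a repository this runs as a required check on every pull request; the blast-radius number is what turns "I widened the rule" into a reviewable, recorded decision.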
Module 5. MITRE D3FEND mapping for in-place bank controls
Map the bank's existing detective and protective controls (EDR, network sensors, DLP, identity behavioural analytics) onto the MITRE D3FEND defensive taxonomy. Identify dependency chains and single points of failure. The mapping is referenced when authoring new detections so you know which control already covers a behaviour and which does not.
Module 6. Wire fraud and ACH detection patterns
Author detections for the patterns that matter most to a US bank: anomalous wire amount and destination, off-hours initiator sessions, ACH file modification on the originator side, dual-control bypass, and the behavioural signatures of socially engineered wire fraud. Each detection ships with a documented investigative runbook for the next analyst on shift.
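The wire-fraud patterns above, run over sample data, as an added example that is not part of the course's twelve worked detections: each wire is scored against an amount baseline built only from the originating account's earlier wires, checked for dual-control bypass (same initiator and approver, or no approver recorded) and for off-hours initiation, and a first-time beneficiary is only flagged when the amount also exceeds the account's prior maximum. The log format, the 07:00 to 18:59 UTC business window, the thresholds and every row of the sample extract are constructed assumptions.

```python
"""Wire-fraud staging detections over a constructed wire-transfer extract."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Optional

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 UTC, weekdays only
MIN_HISTORY = 3                # prior wires needed before an amount baseline exists
SIGMA = 3.0                    # amount threshold in standard deviations above the mean
SIGMA_FLOOR = 0.05             # a flat baseline (sigma 0) must not fire on tiny drift

# Constructed sample, not real bank data. Columns:
# ts_utc, wire_id, originator_account, initiator, approver, amount, beneficiary
SAMPLE_LOG = """\
2024-03-04T14:02:00Z,W1,ACC-100,jsmith,akhan,12000.00,BEN-01
2024-03-05T15:10:00Z,W2,ACC-100,jsmith,akhan,11500.00,BEN-01
2024-03-06T13:45:00Z,W3,ACC-100,jsmith,akhan,12800.00,BEN-02
2024-03-07T16:20:00Z,W4,ACC-100,jsmith,akhan,11900.00,BEN-01
2024-03-08T03:14:00Z,W5,ACC-100,jsmith,jsmith,95000.00,BEN-77
2024-03-08T10:05:00Z,W6,ACC-200,mlee,,4000.00,BEN-03
2024-03-11T11:00:00Z,W7,ACC-200,mlee,pwong,4100.00,BEN-03
"""


@dataclass
class Wire:
    ts: datetime
    wire_id: str
    account: str
    initiator: str
    approver: Optional[str]
    amount: float
    beneficiary: str


def load_wires(text: str) -> list:
    wires = []
    for line in text.splitlines():
        ts, wid, acct, init, appr, amt, ben = (f.strip() for f in line.split(","))
        wires.append(Wire(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          wid, acct, init, appr or None, float(amt), ben))
    return wires


def run_detections(wires: list) -> list:
    """Return (wire_id, detection_name, reason) triples. Wires are scored in time order
    so each baseline only contains wires that preceded the one being scored."""
    alerts = []
    history = defaultdict(list)            # account -> amounts of earlier wires
    seen_beneficiaries = defaultdict(set)  # account -> beneficiaries paid before
    for w in sorted(wires, key=lambda x: x.ts):
        if w.ts.weekday() >= 5 or w.ts.hour not in BUSINESS_HOURS:
            alerts.append((w.wire_id, "off_hours_initiation", f"initiated {w.ts:%a %H:%M} UTC"))
        if w.approver is None:
            alerts.append((w.wire_id, "dual_control_bypass", "no approver recorded"))
        elif w.approver == w.initiator:
            alerts.append((w.wire_id, "dual_control_bypass", f"{w.initiator} initiated and approved"))
        prior = history[w.account]
        if len(prior) >= MIN_HISTORY:
            mu = mean(prior)
            sigma = max(pstdev(prior), SIGMA_FLOOR * mu)
            if w.amount > mu + SIGMA * sigma:
                alerts.append((w.wire_id, "anomalous_amount",
                               f"{w.amount:.2f} vs baseline {mu:.2f} +/- {sigma:.2f}"))
            if w.beneficiary not in seen_beneficiaries[w.account] and w.amount > max(prior):
                alerts.append((w.wire_id, "new_beneficiary_high_value",
                               f"first wire to {w.beneficiary} exceeds prior max {max(prior):.2f}"))
        history[w.account].append(w.amount)
        seen_beneficiaries[w.account].add(w.beneficiary)
    return alerts


def group_by_wire(alerts: list) -> dict:
    """Composite view: which detections fired per wire. A wire with several is the
    staging signature an analyst should pick up first."""
    grouped = defaultdict(list)
    for wid, name, _ in alerts:
        grouped[wid].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for alert in run_detections(load_wires(SAMPLE_LOG)):
        print(alert)
```

Note what does not fire: W3 goes to a new beneficiary but the account has only two prior wires, so no baseline exists yet and the rule stays quiet rather than guessing; that choice is the documented false-positive surface of the rule.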
Module 7. Identity, M365, and Entra ID detection
Author detections for the identity layer that increasingly carries the breach. Coverage for impossible travel scored on distance over elapsed time rather than a bare geolocation mismatch, token theft, persistence via OAuth application consent, privileged role assignment outside change windows, and the M365 audit events that signal a compromised mailbox preparing a wire-fraud message.
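The impossible-travel logic above, as an added example rather than the course's own KQL: consecutive sign-ins per user are turned into a required speed (haversine distance divided by elapsed time), and the pairs that produce most false positives are skipped and counted instead of alerted: sign-ins where geolocation failed, pairs where both sides came from the bank's own VPN egress, and same-IP pairs. The 900 km/h threshold, the corporate egress addresses and all sign-in rows are constructed assumptions.

```python
"""Velocity-based impossible travel over constructed sign-in events."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly commercial air travel
MIN_ELAPSED_H = 1 / 60      # floor so back-to-back sign-ins cannot divide by zero


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample sign-ins. Coordinates are approximate city centres.
SIGNINS = [
    {"user": "alice", "ts": _ts("2024-03-08T08:00:00"), "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "alice", "ts": _ts("2024-03-08T09:30:00"), "ip": "198.51.100.5", "lat": 51.51, "lon": -0.13},   # London, 90 min later
    {"user": "bob",   "ts": _ts("2024-03-08T08:00:00"), "ip": "192.0.2.1",    "lat": 41.88, "lon": -87.63},  # Chicago VPN concentrator
    {"user": "bob",   "ts": _ts("2024-03-08T08:10:00"), "ip": "192.0.2.2",    "lat": 32.78, "lon": -96.80},  # Dallas VPN concentrator
    {"user": "carol", "ts": _ts("2024-03-08T08:00:00"), "ip": "203.0.113.20", "lat": 40.71, "lon": -74.01},
    {"user": "carol", "ts": _ts("2024-03-08T08:05:00"), "ip": "203.0.113.21", "lat": None,  "lon": None},    # geo lookup failed
    {"user": "dave",  "ts": _ts("2024-03-08T08:00:00"), "ip": "203.0.113.30", "lat": 40.71, "lon": -74.01},
    {"user": "dave",  "ts": _ts("2024-03-08T12:00:00"), "ip": "203.0.113.31", "lat": 42.36, "lon": -71.06},  # Boston, 4 h later
]
CORPORATE_EGRESS = {"192.0.2.1", "192.0.2.2"}   # assumed: the bank's VPN egress addresses


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: list, corporate_egress: set, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (alerts, skipped). skipped counts the pairs deliberately not scored,
    which is the documented false-positive surface of the rule."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts, skipped = [], Counter()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["lat"] is None or cur["lat"] is None:
                skipped["missing_geo"] += 1
                continue
            if prev["ip"] in corporate_egress and cur["ip"] in corporate_egress:
                skipped["corporate_egress_both"] += 1   # VPN concentrators relocate users
                continue
            if prev["ip"] == cur["ip"]:
                skipped["same_ip"] += 1
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600, MIN_ELAPSED_H)
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km, 1), "kmh": round(kmh, 1),
                               "window_start": prev["ts"], "window_end": cur["ts"]})
    return alerts, skipped


if __name__ == "__main__":
    found, skipped = impossible_travel(SIGNINS, CORPORATE_EGRESS)
    print(found)
    print(dict(skipped))
```

Bob's Chicago-to-Dallas pair would score above 7,000 km/h under a naive rule; because both sign-ins came through corporate VPN egress it is counted, not alerted, and that count is what you report when the reviewer asks why the rule stays quiet on VPN users.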
Module 8. Insider risk and data exfiltration detection
Author detections that distinguish nuisance policy violations from genuine pre-resignation data theft. Combine DLP signals, badge and VPN session anomalies, repository clone patterns, and email-to-personal patterns into composite detections. Document the privacy and HR-handoff process so the detection survives legal review.
Module 9. Suppression list and tuning discipline
Treat every suppression as a written exception with an owner, an expiry date, and a re-evaluation trigger. Stand up a suppression-review cadence. The discipline is what stops vendor content packs from silently going stale and is what an examiner specifically looks for when they audit detection efficacy.
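The register discipline above, as an added example that is not a course template: a suppression only applies while it has an owner and has not expired, so a stale exception surfaces the alert again instead of hiding it silently, and a review function lists what the cadence meeting needs to look at (expired, expiring within the horizon, ownerless). Alert fields, register entries, dates and the 30-day horizon are constructed assumptions.

```python
"""Suppression register with owner, expiry and re-evaluation trigger."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Suppression:
    sid: str
    detection: str
    match: dict            # alert fields that must all equal these values
    owner: Optional[str]
    expires: date
    reason: str
    reevaluate_on: str     # event that forces review before the expiry date


# Constructed register; names, accounts and dates are illustrative.
REGISTER = [
    Suppression("SUP-001", "off_hours_initiation", {"initiator": "svc-batch"}, "j.smith",
                date(2024, 6, 30), "nightly ACH batch initiates under this service account",
                "batch schedule or service account change"),
    Suppression("SUP-002", "dual_control_bypass", {"account": "ACC-200"}, "m.lee",
                date(2024, 1, 31), "single-operator test account during core migration",
                "migration cut-over"),
    Suppression("SUP-003", "anomalous_amount", {"account": "ACC-300"}, None,
                date(2024, 12, 31), "treasury sweep account", "none recorded"),
    Suppression("SUP-004", "new_beneficiary_high_value", {"account": "ACC-400"}, "p.wong",
                date(2024, 3, 20), "vendor onboarding burst", "onboarding complete"),
]

# Constructed alerts as the detection layer would emit them.
ALERTS = [
    {"alert_id": "A10", "detection": "off_hours_initiation", "initiator": "svc-batch", "account": "ACC-100"},
    {"alert_id": "A11", "detection": "dual_control_bypass", "initiator": "mlee", "account": "ACC-200"},
    {"alert_id": "A12", "detection": "anomalous_amount", "initiator": "tsmith", "account": "ACC-300"},
    {"alert_id": "A13", "detection": "off_hours_initiation", "initiator": "jsmith", "account": "ACC-100"},
]


def is_valid(s: Suppression, today: date) -> bool:
    """An exception without an owner or past its expiry is not honoured."""
    return s.owner is not None and s.expires >= today


def matches(s: Suppression, alert: dict) -> bool:
    return s.detection == alert["detection"] and all(alert.get(k) == v for k, v in s.match.items())


def apply_suppressions(alerts: list, register: list, today: date):
    """Return (surfaced alerts, [(alert_id, suppression id)] for the ones held back)."""
    surfaced, suppressed = [], []
    for alert in alerts:
        hit = next((s for s in register if is_valid(s, today) and matches(s, alert)), None)
        if hit is None:
            surfaced.append(alert)
        else:
            suppressed.append((alert["alert_id"], hit.sid))
    return surfaced, suppressed


def review_register(register: list, today: date, horizon_days: int = 30) -> dict:
    """What the suppression-review cadence has to look at this cycle."""
    out = {"expired": [], "expiring_soon": [], "no_owner": []}
    horizon = today + timedelta(days=horizon_days)
    for s in register:
        if s.owner is None:
            out["no_owner"].append(s.sid)
        if s.expires < today:
            out["expired"].append(s.sid)
        elif s.expires <= horizon:
            out["expiring_soon"].append(s.sid)
    return out


if __name__ == "__main__":
    today = date(2024, 3, 8)
    print(apply_suppressions(ALERTS, REGISTER, today))
    print(review_register(REGISTER, today))
```

The suppressed list is itself evidence: it records which exception, with which owner and reason, held back which alert, which is the trail an examiner follows when checking that tuning did not quietly turn a detection off.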
Module 10. Incident retrospective and detection feedback loop
Write incident retrospectives that produce new detections, not just lessons learned. Cover the format the CISO can read in three minutes, the timeline reconstruction that supports regulator notification, and the detection backlog that feeds module four's review workflow. The retrospective is the bridge between response and engineering.
Module 11. FFIEC IT exam evidence and detection efficacy reporting
Produce the detection efficacy evidence pack FFIEC examiners ask for: coverage versus the threat profile, detection authoring and review provenance, false-positive and false-negative trend analysis, suppression hygiene, and quarterly attestation by the CISO. Includes the four-page report template that satisfies the IT Examination Handbook expectations.
Module 12. Detection engineer career path inside the bank
Frame the move from triage analyst to detection engineer as an internal track. Cover the conversation with the SOC manager, the artefacts to surface in quarterly reviews, the certifications that materially help (and which do not), and how to position the work so the next role inside the same bank is detection engineering or threat hunting rather than another analyst seat.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The examiner asks who authored the rule that fired at 03:14 and the SOC cannot produce a name or date.
The CISO asks for quarterly detection efficacy evidence and the team scrambles together a spreadsheet.
Vendor content packs have not been tuned for the bank's actual data sources and silently miss wire-fraud staging behaviour.
A talented analyst wants the next role to be detection engineer but the bank has no documented internal path.

What you get with this course

  • ATT&CK coverage map template scoped to a US bank SOC
  • Detection-as-code repository scaffold with peer-review workflow and unit-test harness
  • Twelve worked detections in SPL, KQL, and YARA-L with documented hypotheses and false-positive surfaces
  • FFIEC IT exam evidence pack template and four-page detection efficacy report
  • Suppression-list register template with expiry and owner fields
  • Incident retrospective format the CISO can read in three minutes
  • Hand-built implementation playbook tailored to your SIEM, data sources, and threat profile

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: course access provisioned and the hand-built implementation playbook delivered alongside it.

Week 1: bank threat profile, detection scope document, ATT&CK coverage map baseline.

Weeks 2 to 4: detection-as-code workflow stood up, first six authored detections through peer review.

Weeks 5 to 8: identity and wire-fraud detection coverage, insider-risk composites, suppression discipline.

Weeks 9 to 12: FFIEC evidence pack assembled, detection engineer career conversation prepared.

Before and after

Before

You clear the queue every shift on detections written by someone else, in a different bank, two rotations ago. When the examiner or CISO asks why a rule exists, the answer is "vendor content pack".

After

Every detection in your shift has a documented author, hypothesis, coverage justification, and review trail. The quarterly detection efficacy report writes itself, and the conversation with the SOC manager about a detection engineer track has the artefacts to back it up.

What happens if you do not address this

FFIEC IT exam scope on detection efficacy is tightening, and bank SOC analysts who cannot evidence authored detections get sidelined when the function reorganises into detection engineering and threat hunting roles. The role that survives is the one with the authored artefacts on file.

Who it is for

Security analysts inside a US bank or bank holding company SOC. Sitting on a Splunk, Sentinel, or Chronicle queue. Comfortable with KQL or SPL but new to authoring detections end-to-end. Reporting up through a SOC manager into a CISO function that has to attest to detection efficacy each quarter and respond to FFIEC IT examination findings. Wants the next role to be detection engineer or threat hunter rather than another lateral analyst seat.

Who this is NOT for. Not for greenfield SOC builders, not for managed-service provider SOC analysts whose detections are dictated by a parent SOC, and not for analysts whose SIEM is being deprecated this quarter.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly four to six hours per week across twelve weeks. Built so a working bank SOC analyst can complete it alongside a normal shift rotation.

Why $199 is the right number

SANS detection-engineering tracks cover the craft well but cost multiples of this and are not scoped to a US bank's FFIEC exam reality. Vendor certifications credential the SIEM but do not produce the audit-grade evidence pack. Free MITRE resources are foundational but leave the bank-specific translation, the FFIEC framing, and the internal career conversation to the analyst to figure out alone.

FAQ

Does this assume my bank already uses ATT&CK?
No. Module two covers building the coverage map from scratch, and the template works whether the SOC currently references ATT&CK or not.
Which SIEM does this assume?
Worked examples ship in SPL, KQL, and YARA-L so the course is useful whether the bank runs Splunk, Sentinel, or Chronicle. The detection logic is portable across all three.
Will this conflict with my SOC manager's existing process?
The detection-as-code workflow is designed to wrap an existing SIEM, not replace it. The module on the internal career conversation includes a one-page brief you can take to your SOC manager before adopting any of the artefacts.
Is the implementation playbook generic or tailored?
Tailored. Within 24 hours of purchase the playbook is hand-built against your stated SIEM, data sources, and the parts of the bank threat profile you flag as priority.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
