This curriculum is delivered as a multi-workshop program and addresses the detection engineering, log management, and incident response challenges encountered in ongoing SOC enhancement projects and cybersecurity advisory engagements. Each module lists the design decisions and trade-offs participants work through.
Module 1: Threat Intelligence Integration in SOC Operations
- Selecting and onboarding threat feeds based on relevance to industry-specific threat actors, balancing signal quality against noise and false positives.
- Mapping MITRE ATT&CK techniques to internal detection rules to prioritize intelligence-driven use cases.
- Establishing automated STIX/TAXII pipelines while managing API rate limits and feed authentication across multiple vendors.
- Deriving internal threat intelligence from phishing logs and EDR telemetry, which requires normalizing indicators across disparate data sources before they can be matched.
- Deciding whether to enrich alerts with threat intelligence in real time or batch mode based on performance impact and detection latency.
- Defining ownership and review cycles for threat intelligence tuning to prevent rule decay and alert fatigue.
Module 2: Advanced Detection Engineering with Sigma and YARA
- Writing Sigma rules that balance specificity and generality to avoid over-detection on benign activity while capturing novel variants.
- Integrating YARA rules into endpoint monitoring systems without degrading system performance or triggering excessive disk scans.
- Validating detection logic across multiple operating systems and endpoint agent versions during rule deployment.
- Managing version control and peer review for detection rules using Git workflows integrated with SIEM change management.
- Converting raw adversary TTPs from incident reports into executable detection logic while accounting for evasion techniques.
- Coordinating rule updates with purple team exercises to validate efficacy against simulated attacker behavior.
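The specificity trade-off in the first bullet is easiest to see with a rule actually running over events. The following is an added example, not material from the curriculum or any vendor's tooling: a Sigma rule expressed as a Python dict (the YAML structure, field for field), a matcher that implements only the Sigma subset the rule uses (contains/startswith/endswith modifiers, OR-ed list values, AND-ed map fields, a `selection and not filter` condition), and constructed Sysmon-style process-creation events. The SCCM-client exclusion is an assumed environment-specific filter. Production pipelines should compile rules with pySigma/sigma-cli rather than a hand-written matcher.

```python
"""Sigma-style rule evaluation over constructed Windows process-creation events.

Added example (not part of the curriculum). Supported Sigma subset: field
modifiers contains/startswith/endswith, list values OR-ed, map fields AND-ed,
condition '<selection> and not <filter> [and not <filter> ...]'.
"""
from typing import Any, Dict, List

# Constructed rule, written as the dict form of the Sigma YAML. The selection
# is kept specific to encoded-command switches: the over-general "-e" would also
# match "-ExecutionPolicy". The filter is an assumed exclusion for the SCCM
# client, which legitimately launches encoded PowerShell in many estates.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand ", "-ec "],
        },
        "filter_sccm": {"ParentImage|endswith": "\\ccm\\ccmexec.exe"},
        "condition": "selection and not filter_sccm",
    },
    "level": "medium",
}

# Constructed events using Sysmon Event ID 1 field names.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand JABzAD0AJwBhACcA",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},          # benign: SCCM client
    {"Image": PS, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},         # benign: not encoded
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -ec aQBlAHgA",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe"},     # suspicious: script host parent
]


def _match(modifier: str, actual: Any, expected: Any) -> bool:
    """Sigma string matching is case-insensitive by default."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _match_block(block: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A selection map matches when every field matches (AND); list values are OR-ed."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match(modifier, event[field], v) for v in candidates):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a condition of the form 'selection and not f1 and not f2 ...'."""
    det = rule["detection"]
    terms = [t.strip() for t in det["condition"].split(" and not ")]
    if not _match_block(det[terms[0]], event):
        return False
    return not any(_match_block(det[f], event) for f in terms[1:])


def matching_events(rule: Dict[str, Any] = RULE, events: List[Dict[str, Any]] = EVENTS) -> List[int]:
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    for i in matching_events():
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]['CommandLine']}")
```

Against these four events the rule fires on the first and last only; loosening the command-line term to `-e` would additionally fire on the benign `-ExecutionPolicy` launch, which is exactly the over-detection the bullet warns about.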
Module 3: Log Source Onboarding and Normalization
- Evaluating log verbosity settings on critical systems (e.g., Windows Event Logging) to balance forensic utility with storage costs.
- Designing parsing logic in SIEM to handle inconsistent syslog formats from network devices and third-party applications.
- Implementing secure log transport using TLS-encrypted syslog (RFC 5425) or Windows Event Forwarding over WinRM with certificate-based authentication.
- Resolving timestamp discrepancies across time zones and NTP misconfigurations in log ingestion pipelines.
- Handling schema drift when cloud providers update logging formats without backward compatibility.
- Establishing SLAs for log delivery and completeness, particularly for SaaS platforms with limited export capabilities.
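The timestamp problem in the fourth bullet is concrete enough to show in code. Below is an added example, not part of the curriculum: an ingest-side normalizer that converts three timestamp shapes found in mixed feeds (RFC 3164 syslog with no year and no zone, ISO 8601 with or without an offset, and epoch seconds or milliseconds) to UTC, then compares each event time with the collector's receipt time to flag sources whose clock or zone mapping is wrong. The per-source zone table, the receipt time and the records are constructed; fixed UTC offsets are used so it runs without tzdata, whereas a real pipeline should map sources to IANA zones via `zoneinfo` so DST is handled.

```python
"""Normalise device timestamps to UTC and flag clock skew at ingest.

Added example (not part of the curriculum). SOURCE_TZ, RECEIVED_AT and RECORDS
are constructed. Fixed offsets are used for portability; production code should
use zoneinfo.ZoneInfo("Europe/Berlin")-style IANA zones.
"""
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Per-source zone table for devices whose timestamps carry no offset (constructed).
# sw-core-02 is recorded as UTC-5 here, but the device actually runs on UTC+2:
# the mismatch shows up below as events arriving "from the future".
SOURCE_TZ = {
    "fw-edge-01": timezone(timedelta(hours=-5)),
    "sw-core-02": timezone(timedelta(hours=-5)),
}
MAX_SKEW_SECONDS = 300  # beyond this, suspect NTP drift, a wrong zone mapping, or delayed delivery

RFC3164 = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})$")

RECEIVED_AT = datetime(2024, 3, 7, 19, 3, 0, tzinfo=timezone.utc)  # collector receipt time (constructed)

RECORDS = [  # constructed sample lines from four source types
    {"source": "fw-edge-01", "timestamp": "Mar  7 14:02:11", "msg": "deny tcp 10.0.0.5 -> 203.0.113.9:445"},
    {"source": "sw-core-02", "timestamp": "Mar  7 21:02:11", "msg": "%LINK-3-UPDOWN: Gi1/0/12 down"},
    {"source": "dc-01", "timestamp": "2024-03-07T19:02:55.123Z", "msg": "4624 logon svc-backup"},
    {"source": "api-gw", "timestamp": "1709838170", "msg": "POST /v1/token 401"},
    {"source": "fw-edge-01", "timestamp": "Dec 31 23:59:59", "msg": "replayed from buffer after link outage"},
]


def parse_device_time(raw: str, source: str, received_at: datetime) -> datetime:
    """Return an aware UTC datetime for a device timestamp string."""
    m = RFC3164.match(raw)
    if m:
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        local = datetime(received_at.year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss,
                         tzinfo=SOURCE_TZ[source])
        # RFC 3164 carries no year: assume the receipt year, but an event more than
        # a day in the future must belong to the previous year (Dec 31 seen on Jan 1).
        if local > received_at + timedelta(days=1):
            local = local.replace(year=received_at.year - 1)
        return local.astimezone(timezone.utc)
    if raw.isdigit():
        secs = int(raw) / 1000 if len(raw) == 13 else int(raw)   # 13 digits: epoch milliseconds
        return datetime.fromtimestamp(secs, tz=timezone.utc)
    # ISO 8601; fromisoformat() on older Pythons rejects a trailing "Z"
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:                      # naive ISO time: fall back to the source's zone
        dt = dt.replace(tzinfo=SOURCE_TZ[source])
    return dt.astimezone(timezone.utc)


def normalize(record: dict, received_at: datetime = RECEIVED_AT) -> dict:
    ts = parse_device_time(record["timestamp"], record["source"], received_at)
    skew = round((received_at - ts).total_seconds())
    return {
        "source": record["source"],
        "ts_utc": ts.isoformat(),
        "skew_seconds": skew,                  # positive: event older than receipt; negative: from the future
        "clock_suspect": abs(skew) > MAX_SKEW_SECONDS,
        "msg": record["msg"],
    }


def normalize_all(records=RECORDS, received_at=RECEIVED_AT):
    return [normalize(r, received_at) for r in records]


if __name__ == "__main__":
    for row in normalize_all():
        flag = " CLOCK?" if row["clock_suspect"] else ""
        print(f"{row['ts_utc']} {row['source']:<10} skew={row['skew_seconds']:>7}s{flag}  {row['msg']}")
```

Two of the five records get flagged: the switch whose zone mapping is wrong produces a negative skew of almost seven hours, and the replayed firewall line shows the year-rollover handling plus a large positive skew from delayed delivery. Both are cases where storing the raw device time as-is would silently break time-window correlation.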
Module 4: Incident Triage and Escalation Frameworks
- Defining escalation thresholds based on IoC confidence, asset criticality, and user role to prevent over-escalation.
- Implementing dynamic case prioritization using risk scoring models that incorporate threat intelligence and business context.
- Configuring automated enrichment workflows to pull AD, DNS, and EDR data during initial triage without overloading APIs.
- Standardizing incident classification codes to ensure consistency across shift rotations and external reporting.
- Integrating SOAR playbooks into triage processes while maintaining analyst oversight for complex scenarios.
- Managing false positive feedback loops by routing analyst verdicts back into detection tuning processes.
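The first, second and last bullets describe one scoring function: a numeric risk score that folds in IoC confidence, asset criticality, user role and threat intelligence, maps onto escalation tiers, and is pulled down by analyst false-positive verdicts. The following is an added example, not part of the curriculum. Every weight, threshold, asset tier, privileged-user entry, TI record and per-rule false-positive rate is constructed for illustration; a real SOC would source them from the CMDB, the identity platform, the TIP and case-management verdicts respectively.

```python
"""Risk-scored alert triage with escalation tiers and analyst-verdict feedback.

Added example (not part of the curriculum). All reference tables and weights
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

ASSET_CRITICALITY = {"dc-01": 5, "fin-app-02": 4, "wks-0417": 2}       # 1 (lab) .. 5 (crown jewel); unknown hosts default to 3
PRIVILEGED_USERS = {"da-jsmith", "svc-backup"}
THREAT_INTEL = {"203.0.113.10": {"confidence": 90, "tags": ["c2"]}}     # TEST-NET-3 address, constructed
# Share of past alerts per rule that analysts closed as false positive (from case verdicts).
RULE_FP_RATE = {"rule-c2-beacon": 0.1, "rule-ps-encoded": 0.6, "rule-new-admin-logon": 0.2}

ESCALATION_TIERS = [  # (minimum score, action); evaluated top-down
    (80, "P1 page on-call IR"),
    (60, "P2 shift lead review"),
    (40, "P3 analyst queue"),
    (0, "P4 auto-triage / suppression candidate"),
]


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    user: str
    ioc: str
    ioc_confidence: int   # 0..100, as reported by the detection
    base_severity: int    # 1..5, from the rule's level


def risk_score(a: Alert) -> dict:
    ti = THREAT_INTEL.get(a.ioc, {})
    score = a.base_severity * 10                                   # 10..50 baseline
    confidence = max(a.ioc_confidence, ti.get("confidence", 0))
    score += round(confidence / 100 * 30)                          # up to +30 for indicator confidence
    crit = ASSET_CRITICALITY.get(a.host, 3)
    score += 15 if crit >= 4 else 5 if crit == 3 else 0            # business context
    if a.user in PRIVILEGED_USERS:
        score += 10                                                # user role
    if {"c2", "ransomware"} & set(ti.get("tags", [])):
        score += 15                                                # TI tags that change the story
    # Feedback loop: rules analysts keep closing as false positive are de-weighted,
    # which lowers their priority and at the same time surfaces them for tuning.
    fp_rate = RULE_FP_RATE.get(a.rule, 0.0)
    score -= round(fp_rate * 30)
    score = max(0, min(100, score))
    tier = next(label for floor, label in ESCALATION_TIERS if score >= floor)
    return {"alert_id": a.alert_id, "rule": a.rule, "score": score, "tier": tier,
            "needs_tuning": fp_rate >= 0.5}


def triage(alerts: List[Alert]) -> List[dict]:
    """Score every alert and return them highest-risk first."""
    return sorted((risk_score(a) for a in alerts), key=lambda r: r["score"], reverse=True)


SAMPLE_ALERTS = [  # constructed
    Alert("A-1001", "rule-c2-beacon", "dc-01", "da-jsmith", "203.0.113.10", 70, 3),
    Alert("A-1002", "rule-ps-encoded", "wks-0417", "bob", "198.51.100.7", 40, 2),
    Alert("A-1003", "rule-new-admin-logon", "fin-app-02", "svc-backup",
          "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 60, 3),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r['alert_id']} score={r['score']:>3} {r['tier']}" + ("  [tune rule]" if r["needs_tuning"] else ""))
```

The beaconing alert on a domain controller by a domain admin lands in P1 even though the detection itself reported only moderate confidence, because TI and business context lift it; the encoded-PowerShell alert on a workstation drops to P4 largely because analysts have been closing that rule as a false positive 60% of the time, and it is flagged for tuning rather than silently ignored.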
Module 5: Adversary Emulation and Red Teaming Integration
- Selecting adversary emulation targets based on active threat intelligence and recent incident trends.
- Designing safe execution scopes for red team activities to avoid production impact on critical systems.
- Coordinating change windows for red team operations with IT and application support teams.
- Mapping red team findings to detection gaps and assigning remediation ownership across security teams.
- Using CALDERA or Atomic Red Team to simulate lateral movement while avoiding credential exposure.
- Documenting red team rules of engagement to ensure legal and compliance alignment, particularly in regulated environments.
Module 6: EDR Deployment and Response Orchestration
- Configuring EDR sensor policies to enable real-time monitoring without degrading endpoint performance.
- Defining containment actions (e.g., process kill, network isolation) with appropriate approval workflows to prevent misuse.
- Integrating EDR APIs with SIEM and SOAR platforms for automated response playbooks.
- Managing EDR agent updates across heterogeneous environments, including legacy systems with compatibility constraints.
- Establishing data retention policies for EDR telemetry based on forensic needs and storage budgets.
- Conducting regular EDR efficacy testing using controlled malware samples and evasion techniques.
Module 7: Cloud Security Monitoring in Hybrid Environments
- Configuring AWS CloudTrail and Azure Activity Log collection with least-privilege S3 bucket policies and Azure RBAC on the log destinations.
- Correlating cloud control plane events with workload-level logs to detect privilege escalation paths.
- Implementing detection rules for misconfigured S3 buckets and public Azure blobs using CSPM data.
- Handling authentication and log access for multi-account cloud environments using delegated roles and cross-account IAM.
- Monitoring for suspicious use of cloud-native tools (e.g., AWS Lambda, Azure Functions) in post-compromise scenarios.
- Integrating cloud workload protection platforms (CWPP) with on-premises SIEM for unified visibility.
Module 8: SOC Automation and SOAR Implementation
- Selecting high-ROI use cases for automation, such as URL detonation and user lockout resolution, based on volume and predictability.
- Designing modular playbooks that can be reused across multiple alert types and integrated tools.
- Managing API authentication and credential rotation for SOAR integrations with third-party platforms.
- Implementing approval gates for high-risk actions like host isolation or account disablement.
- Monitoring playbook execution success rates and error conditions to identify integration failures.
- Documenting and versioning playbooks to support audit requirements and team knowledge transfer.
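The modular-playbook, approval-gate and execution-monitoring bullets describe one runner. The following is an added example, not part of the curriculum or any SOAR product: a small playbook engine in which low-risk enrichment runs unattended, the two containment actions wait for a named approver, and every step's outcome (including integration errors) is captured so success rates and failure modes can be reported. The integrations are in-memory stand-ins so the example runs offline; the playbook, action names, approver and the simulated EDR outage are constructed.

```python
"""Playbook runner with approval gates for high-risk actions and per-step
execution records for monitoring.

Added example (not part of the curriculum). FakeIntegrations stands in for the
EDR, directory and TI connectors; the playbook and approval policy are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

HIGH_RISK_ACTIONS = {"isolate_host", "disable_account"}   # never run without a human approval


@dataclass
class Step:
    name: str
    action: str                 # method name on the integrations object
    params: Dict[str, str]
    on_error: str = "stop"      # "stop" the playbook or "continue" to the next step


@dataclass
class RunRecord:
    playbook: str
    steps: List[dict] = field(default_factory=list)

    def summary(self) -> dict:
        """Counts per status plus a success rate, the numbers a SOAR dashboard would trend."""
        counts: Dict[str, int] = {}
        for s in self.steps:
            counts[s["status"]] = counts.get(s["status"], 0) + 1
        total = len(self.steps)
        return {"playbook": self.playbook, "steps": total, **counts,
                "success_rate": round(counts.get("ok", 0) / total, 2) if total else 0.0}


class FakeIntegrations:
    """In-memory stand-ins for the TI, EDR and directory connectors (constructed)."""

    def __init__(self, edr_down: bool = False):
        self.isolated, self.disabled, self.edr_down = set(), set(), edr_down

    def lookup_ip(self, ip: str) -> dict:
        return {"ip": ip, "verdict": "malicious" if ip.startswith("203.0.113.") else "clean"}

    def isolate_host(self, host: str) -> dict:
        if self.edr_down:
            raise ConnectionError("EDR API returned 503")
        self.isolated.add(host)
        return {"host": host, "isolated": True}

    def disable_account(self, user: str) -> dict:
        self.disabled.add(user)
        return {"user": user, "disabled": True}


def run_playbook(name: str, steps: List[Step], integ: FakeIntegrations,
                 approver: Callable[[Step], Optional[str]]) -> RunRecord:
    """approver returns the approving analyst id for a high-risk step, or None to deny."""
    rec = RunRecord(name)
    for step in steps:
        entry = {"step": step.name, "action": step.action, "approved_by": None}
        if step.action in HIGH_RISK_ACTIONS:
            who = approver(step)
            if not who:                              # denied: record it and move on, never execute
                entry["status"] = "denied"
                rec.steps.append(entry)
                continue
            entry["approved_by"] = who
        try:
            entry.update(status="ok", result=getattr(integ, step.action)(**step.params))
        except Exception as exc:                     # integration failure is data for monitoring, not a crash
            entry.update(status="error", error=f"{type(exc).__name__}: {exc}")
            rec.steps.append(entry)
            if step.on_error == "stop":
                break
            continue
        rec.steps.append(entry)
    return rec


SUSPICIOUS_LOGIN = [  # constructed playbook: enrich, then contain host, then lock the account
    Step("enrich_source_ip", "lookup_ip", {"ip": "203.0.113.42"}),
    Step("contain_host", "isolate_host", {"host": "wks-0417"}),
    Step("lock_user", "disable_account", {"user": "bob"}, on_error="continue"),
]


def run_scenario(approve: bool, edr_down: bool = False) -> dict:
    integ = FakeIntegrations(edr_down=edr_down)
    rec = run_playbook("suspicious_login_v3", SUSPICIOUS_LOGIN, integ,
                       lambda step: "analyst-7" if approve else None)
    return {"summary": rec.summary(), "statuses": [s["status"] for s in rec.steps],
            "isolated": integ.isolated, "disabled": integ.disabled}


if __name__ == "__main__":
    for label, kwargs in [("approved", {}), ("denied", {"approve": False}), ("edr outage", {"edr_down": True})]:
        print(label, run_scenario(**{"approve": True, **kwargs}))
```

Three runs cover the cases that matter operationally: with approval every step succeeds; with approval withheld the enrichment still runs but neither containment action executes; and with the EDR API failing, the isolation error stops the playbook before the account is disabled, and the record shows a 50% success rate with an explicit error string rather than a silent half-executed response.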