
Intrusion Detection in Corporate Security

$249.00
Toolkit Included:
Includes a practical, ready-to-use toolkit of implementation templates, worksheets, checklists, and decision-support materials that accelerate real-world application and reduce setup time.
When you get access:
Course access is prepared after purchase and delivered via email
Your guarantee:
30-day money-back guarantee — no questions asked
Who trusts this:
Trusted by professionals in 160+ countries
How you learn:
Self-paced • Lifetime updates

This curriculum spans the design, implementation, and governance of intrusion detection systems across network, host, and cloud environments, reflecting the technical and procedural rigor of enterprise SOC buildouts and mature detection engineering programs.

Module 1: Threat Landscape and Detection Requirements

  • Selecting detection priorities based on industry-specific threat intelligence, such as prioritizing ransomware indicators in healthcare versus supply chain attacks in manufacturing.
  • Integrating external threat feeds with internal telemetry to identify emerging IOCs without overwhelming analyst capacity.
  • Defining acceptable false positive rates in correlation rules based on SOC staffing levels and escalation workflows.
  • Mapping detection use cases to MITRE ATT&CK techniques while ensuring alignment with organizational attack surfaces.
  • Adjusting detection sensitivity for executive accounts versus standard user accounts in identity monitoring.
  • Documenting regulatory requirements (e.g., PCI DSS, HIPAA) that mandate specific logging and alerting capabilities.

Module 2: Network-Based Intrusion Detection Systems (NIDS)

  • Positioning inline (blocking-capable) versus passive (TAP/SPAN-fed) NIDS sensors at key network chokepoints like data center egress or cloud VPC peering links.
  • Configuring packet capture size and retention duration based on available storage and forensic needs.
  • Managing signature update cycles to balance coverage of newly published threats against operational stability in production networks.
  • Tuning Snort or Suricata rules to suppress alerts on known benign traffic patterns, such as backup software protocols.
  • Handling encrypted traffic by deploying TLS decryption at strategic points while complying with privacy policies.
  • Validating NIDS visibility across segmented environments, including VLANs and microsegmented cloud workloads.
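The Suricata tuning described in this module is usually expressed in threshold.config: a `suppress` entry drops a signature for a specific source or subnet (the backup-server case), while a `threshold` entry rate-limits or requires repeated matches. The following is an added example, not Suricata's code or part of the course material: it parses the subset of that syntax shown in the constructed file below and replays a constructed alert stream through it, so a tuning change can be checked offline before it reaches sensors. The signature IDs, subnets and windowing model (fixed window from the first match, counter reset when a `threshold` entry fires) are assumptions for illustration.

```python
"""Emulation of Suricata threshold.config 'suppress' and 'threshold' entries,
replayed over a constructed alert stream so a tuning change can be checked
offline before it reaches production sensors.

Added example, not Suricata's own code. Only the subset of the syntax shown
in THRESHOLD_CONF is parsed, and the windowing is a simplified model of the
real engine (fixed window starting at the first match, counter reset when a
'threshold' entry fires)."""
import ipaddress

# Constructed tuning file. sig_ids and subnets are hypothetical.
THRESHOLD_CONF = """
# backup servers legitimately trip this signature: drop it for their subnet only
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.5.0/24
# chatty scanner signature: at most one alert per source per minute
threshold gen_id 1, sig_id 2013028, type limit, track by_src, count 1, seconds 60
# only alert once a source matches 5 times within 10 seconds
threshold gen_id 1, sig_id 2010935, type threshold, track by_src, count 5, seconds 10
"""


def parse_threshold_conf(text):
    """Parse suppress/threshold lines into rule dicts (comments and blanks skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, rest = line.split(None, 1)
        fields = dict(item.strip().split(None, 1) for item in rest.split(","))
        rule = {"kind": kind, "gen_id": int(fields["gen_id"]),
                "sig_id": int(fields["sig_id"]), "track": fields.get("track", "by_src")}
        if kind == "suppress":
            # no 'ip' means suppress the signature for every tracked address
            rule["net"] = ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None
        elif kind == "threshold":
            rule["type"] = fields["type"]
            rule["count"] = int(fields["count"])
            rule["seconds"] = int(fields["seconds"])
        else:
            raise ValueError(f"unsupported entry type: {kind}")
        rules.append(rule)
    return rules


class ThresholdEngine:
    """Stateful filter: accept(alert) -> True if the alert survives tuning."""

    def __init__(self, rules):
        self.rules = rules
        self.state = {}  # (sig_id, tracked address) -> [window_start, count]

    def accept(self, alert):
        for rule in self.rules:
            if (rule["gen_id"], rule["sig_id"]) != (alert["gid"], alert["sid"]):
                continue
            addr = ipaddress.ip_address(alert["src_ip"] if rule["track"] == "by_src" else alert["dst_ip"])
            if rule["kind"] == "suppress":
                if rule["net"] is None or addr in rule["net"]:
                    return False
                continue  # suppress did not apply; later entries may still
            key = (rule["sig_id"], str(addr))
            window = self.state.get(key)
            if window is None or alert["ts"] - window[0] >= rule["seconds"]:
                window = self.state[key] = [alert["ts"], 0]
            window[1] += 1
            if rule["type"] == "limit":
                return window[1] <= rule["count"]
            if rule["type"] == "threshold":
                if window[1] >= rule["count"]:
                    window[1] = 0
                    return True
                return False
            raise ValueError(f"unsupported threshold type: {rule['type']}")
        return True  # no tuning entry matched: alert passes untouched


# Constructed alerts (gid/sid/addresses hypothetical); ts is seconds since start.
SAMPLE_ALERTS = (
    [{"ts": 0, "gid": 1, "sid": 2100498, "src_ip": "10.0.5.20", "dst_ip": "10.0.9.1"},
     {"ts": 0, "gid": 1, "sid": 2100498, "src_ip": "192.168.1.9", "dst_ip": "10.0.9.1"}]
    + [{"ts": t, "gid": 1, "sid": 2013028, "src_ip": "203.0.113.7", "dst_ip": "10.0.9.2"} for t in (0, 10, 20, 70)]
    + [{"ts": t, "gid": 1, "sid": 2010935, "src_ip": "198.51.100.4", "dst_ip": "10.0.9.3"} for t in range(6)]
    + [{"ts": 5, "gid": 1, "sid": 9999999, "src_ip": "198.51.100.4", "dst_ip": "10.0.9.3"}]
)


def replay(alerts, rules):
    """Return the alerts an analyst would actually see after tuning."""
    engine = ThresholdEngine(rules)
    return [a for a in alerts if engine.accept(a)]


if __name__ == "__main__":
    kept = replay(SAMPLE_ALERTS, parse_threshold_conf(THRESHOLD_CONF))
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(kept)} after tuning")
    for a in kept:
        print(a["ts"], a["sid"], a["src_ip"])
```

Of the 13 constructed alerts, 5 survive: the backup-subnet hit is suppressed while the same signature from outside that subnet still fires, the rate-limited signature fires once per minute, and the thresholded signature fires only on the fifth match. Replaying real alert exports this way before pushing a tuning change shows exactly which alerts it would have hidden.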

Module 3: Host-Based Intrusion Detection Systems (HIDS)

  • Selecting HIDS agents based on OS compatibility and performance impact, particularly for legacy or resource-constrained systems.
  • Configuring file integrity monitoring to exclude transient directories like /tmp while covering critical system binaries.
  • Enabling process execution logging without degrading endpoint performance on high-throughput servers.
  • Centralizing and normalizing HIDS logs from heterogeneous endpoints into a common SIEM schema.
  • Managing agent update policies to ensure signature and rule consistency across thousands of endpoints.
  • Responding to HIDS alerts indicating unauthorized registry modifications or suspicious PowerShell usage.
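The file integrity monitoring point above (cover system binaries, skip transient paths) comes down to a baseline of file digests plus an exclusion policy. The following is an added example, not any HIDS agent's code or part of the course: it hashes every regular file under a root, skips paths matching exclusion globs (a hypothetical policy excluding tmp/, var/log/ and editor swap files), and diffs two baselines. The demo builds a temporary tree, so it runs offline; the file names and contents are constructed.

```python
"""File integrity monitoring baseline and diff with path exclusions.

Added example, not any HIDS vendor's code. The exclusion policy and the
demo file tree are constructed for illustration."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Hypothetical policy: transient and noisy paths that should not raise FIM alerts.
EXCLUDE_GLOBS = ["tmp/*", "var/log/*", "*.swp"]


def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_excluded(relpath, exclude_globs=EXCLUDE_GLOBS):
    """fnmatch's '*' also matches '/', so 'tmp/*' covers nested paths too."""
    return any(fnmatch.fnmatch(relpath, g) for g in exclude_globs)


def build_baseline(root, exclude_globs=EXCLUDE_GLOBS):
    """Map relative path -> (sha256, permission bits, size) for monitored regular files."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel, exclude_globs):
            continue
        st = p.stat()
        baseline[rel] = (_digest(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def diff_baselines(old, new):
    """Report what appeared, disappeared, or changed content/permissions/size."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: trojanized binary and new cron job must alert; /tmp churn must not."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        seed = {"bin/ls": b"ELF original", "etc/passwd": b"root:x:0:0:root:/root:/bin/bash",
                "tmp/scratch": b"noise", "var/log/syslog": b"log line", "etc/motd.swp": b"editor swap"}
        for rel, content in seed.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        before = build_baseline(root)

        (root / "bin/ls").write_bytes(b"ELF with backdoor")          # tampered binary
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/persist").write_bytes(b"* * * * * root /tmp/x")  # persistence
        (root / "tmp/scratch").write_bytes(b"more noise")              # excluded churn
        (root / "var/log/syslog").write_bytes(b"log line\nanother")   # excluded churn
        after = build_baseline(root)
        return before, diff_baselines(before, after)


if __name__ == "__main__":
    baseline, report = demo()
    print("monitored:", sorted(baseline))
    print("changes:", report)
```

The baseline only ever contains bin/ls and etc/passwd; the diff reports bin/ls as modified and etc/cron.d/persist as added while the churn in tmp/ and var/log/ stays silent. On real hosts the baseline should be stored off-box and re-established through change management after patching, or every update cycle becomes an alert storm.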

Module 4: Security Information and Event Management (SIEM) Integration

  • Designing log source onboarding workflows that include parsing validation and field extraction testing.
  • Developing correlation rules that distinguish between brute force attempts and legitimate password reset storms.
  • Allocating processing resources for real-time correlation versus batch analytics based on threat criticality.
  • Establishing retention tiers for raw logs, parsed events, and aggregated alerts to manage storage costs.
  • Implementing role-based access controls in the SIEM to restrict sensitive data exposure to authorized analysts.
  • Validating timestamp synchronization across distributed log sources to ensure accurate event sequencing.
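The brute-force versus password-reset-storm distinction above is a correlation problem: failed logons that closely follow an administrative reset of the same account are expected cached-credential noise, and only the remaining failures should count against a per-source threshold. The following is an added example, not a vendor's correlation rule or part of the course: it mimics Windows Security event IDs 4625 (logon failure) and 4724 (password reset attempt) on constructed events, with hypothetical thresholds that would be tuned per environment.

```python
"""Correlation logic that separates a brute-force or spray source from the
failed-logon noise that follows a helpdesk password reset.

Added example, not any SIEM vendor's rule language. Event shapes mimic
Windows Security IDs 4625 (logon failure) and 4724 (password reset attempt);
the events are constructed and the thresholds are hypothetical starting points."""
import datetime as dt
from collections import defaultdict

RESET_GRACE = dt.timedelta(minutes=30)  # failures this soon after a reset are expected
BRUTE_THRESHOLD = 10                     # failures from one source that warrant an alert
SPRAY_MIN_ACCOUNTS = 5                   # distinct accounts that turn brute force into spray


def _t(s):
    return dt.datetime.fromisoformat(s)


def classify_failures(events, reset_grace=RESET_GRACE,
                      brute_threshold=BRUTE_THRESHOLD, spray_min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {source_ip: verdict} for every source that produced 4625 events."""
    resets = defaultdict(list)
    for e in events:
        if e["EventID"] == 4724:
            resets[e["TargetUserName"]].append(_t(e["TimeCreated"]))

    per_source = defaultdict(lambda: {"failures": 0, "accounts": set(), "reset_fallout": 0})
    for e in events:
        if e["EventID"] != 4625:
            continue
        ts, user = _t(e["TimeCreated"]), e["TargetUserName"]
        src = per_source[e["IpAddress"]]
        # a failure shortly after an admin reset of the same account is cached-credential noise
        if any(dt.timedelta(0) <= ts - r <= reset_grace for r in resets.get(user, [])):
            src["reset_fallout"] += 1
            continue
        src["failures"] += 1
        src["accounts"].add(user)

    verdicts = {}
    for ip, s in per_source.items():
        if s["failures"] >= brute_threshold:
            verdicts[ip] = "password_spray" if len(s["accounts"]) >= spray_min_accounts else "brute_force"
        elif s["failures"] == 0 and s["reset_fallout"] > 0:
            verdicts[ip] = "reset_fallout"
        else:
            verdicts[ip] = "below_threshold"
    return verdicts


def reset_storm(verdicts, min_sources=3):
    """True when enough distinct sources are explained purely by recent resets."""
    return sum(v == "reset_fallout" for v in verdicts.values()) >= min_sources


def _ev(event_id, ts, user, **extra):
    return {"EventID": event_id, "TimeCreated": ts, "TargetUserName": user, **extra}


# Constructed sample: helpdesk resets three accounts at 08:00 and their workstations
# then fail with stale cached credentials; meanwhile one external host hammers a
# service account and another sprays six accounts.
EVENTS = [_ev(4724, "2024-03-01T08:00:00", u, SubjectUserName="helpdesk1") for u in ("alice", "bob", "carol")]
for i, (user, ip) in enumerate([("alice", "10.1.2.11"), ("bob", "10.1.2.12"), ("carol", "10.1.2.13")]):
    EVENTS += [_ev(4625, f"2024-03-01T08:{5 + 5 * k:02d}:0{i}", user, IpAddress=ip, SubStatus="0xC000006A")
               for k in range(3)]
EVENTS += [_ev(4625, f"2024-03-01T08:10:{k:02d}", "svc_backup", IpAddress="203.0.113.50", SubStatus="0xC000006A")
           for k in range(12)]
EVENTS += [_ev(4625, f"2024-03-01T08:30:{k:02d}", u, IpAddress="198.51.100.9", SubStatus="0xC0000064")
           for k, u in enumerate(["dave", "erin", "frank", "grace", "heidi", "ivan"] * 2)]

if __name__ == "__main__":
    v = classify_failures(EVENTS)
    for ip, verdict in sorted(v.items()):
        print(f"{ip:15} {verdict}")
    print("reset storm:", reset_storm(v))
```

The three workstations are explained entirely by the resets and are reported as one storm rather than three incidents, while 203.0.113.50 (twelve failures against one account) and 198.51.100.9 (two failures each against six accounts) still alert as brute force and spray respectively. The grace window is the knob to watch: too long and an attacker who times attempts after a reset hides inside it, too short and every reset wave pages the on-call analyst.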

Module 5: Detection Engineering and Rule Development

  • Writing Sigma rules that generalize across multiple log sources while preserving detection accuracy.
  • Using baselining techniques to detect anomalous outbound connections from servers with stable traffic patterns.
  • Version-controlling detection rules in Git to track changes and enable rollback during false positive incidents.
  • Conducting purple team exercises to test detection coverage against simulated adversary TTPs.
  • Quantifying detection coverage gaps by mapping existing rules to MITRE ATT&CK sub-techniques.
  • Automating rule testing using synthetic log generators to validate logic before production deployment.
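Two bullets above, writing Sigma rules that generalize across log sources and validating rule logic with synthetic logs, fit in one worked example. The following is added here and is not the Sigma project's code or part of the course: a minimal evaluator for a rule written in Sigma's structure (selection, filter, `condition: selection and not filter`, with the contains/startswith/endswith modifiers and list values as OR), a per-source field map so the same rule runs over Sysmon-shaped and Security-4688-shaped events, and a constructed synthetic test set including a benign case that must not alert. The rule content, the benign parent process in the filter and the events are assumptions for illustration.

```python
"""Minimal evaluator for a Sigma-style rule (a dict mirroring the YAML layout)
plus a synthetic-event test set, so the logic is validated against both a
Sysmon-shaped and a Security-4688-shaped log source before deployment.

Added example, not the Sigma project's code: it supports only the
contains/startswith/endswith modifiers, list values as OR, and
'X and not Y' conditions. Rule content, field map and events are constructed."""

# Rule written in Sigma's structure (title/detection/selection/filter/condition).
RULE = {
    "title": "Encoded PowerShell command line",
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc ", " -encodedcommand "],
        },
        # hypothetical benign parent that legitimately launches encoded scripts
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
}

# Per-source renames into the rule's (Sigma-style) field names.
FIELD_MAPS = {
    "sysmon_1": {},  # Sysmon event 1 already uses Image/ParentImage/CommandLine
    "security_4688": {"NewProcessName": "Image", "ParentProcessName": "ParentImage"},
}


def normalize(source, raw_event):
    """Rename source-specific fields so one rule evaluates across log sources."""
    rename = FIELD_MAPS[source]
    return {rename.get(k, k): v for k, v in raw_event.items()}


def _match_value(value, modifier, pattern):
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return v == p


def _match_block(block, event):
    """All keys in a block must match (AND); a list of values is an OR."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), modifier or None, p) for p in candidates):
            return False
    return True


def matches(rule, event):
    det = rule["detection"]
    verdict = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = _match_block(det[term[4:] if negate else term], event)
        verdict = verdict and (not hit if negate else hit)
    return verdict


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed (source, raw event, expected) cases; the third must NOT alert.
SYNTHETIC = [
    ("sysmon_1", {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
                  "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}, True),
    ("security_4688", {"NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                       "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
                       "CommandLine": "pwsh -EncodedCommand ZQBjAGgAbwA="}, True),
    ("security_4688", {"NewProcessName": PS, "ParentProcessName": "C:\\Program Files\\Vendor\\sccm_agent.exe",
                       "CommandLine": "powershell -enc ZQBjAGgAbwA="}, False),
    ("sysmon_1", {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
                  "CommandLine": "powershell -File .\\inventory.ps1"}, False),
    ("sysmon_1", {"Image": "C:\\Windows\\System32\\notepad.exe",
                  "CommandLine": "notepad -enc notes.txt"}, False),
]


def run_synthetic_tests(rule=RULE, cases=SYNTHETIC):
    """Return (source, command line, expected, got) for every case the rule gets wrong."""
    return [(src, raw.get("CommandLine"), want, got)
            for src, raw, want in cases
            if (got := matches(rule, normalize(src, raw))) != want]


if __name__ == "__main__":
    failures = run_synthetic_tests()
    print("all synthetic cases passed" if not failures else f"mismatches: {failures}")
```

Running the synthetic set as a CI step in the rule repository turns "does this rule still fire, and does it still stay quiet on the known-benign parent?" into a check that runs on every commit, which is what makes the Git-based versioning and rollback in this module safe in practice.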
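The baselining bullet above (anomalous outbound connections from servers with stable traffic) is a learn-then-compare problem, and its main failure mode is alerting from a baseline too thin to trust. The following is an added example, not part of the course or any NDR product: it learns per-server destination sets from constructed flow records, refuses to judge hosts with fewer observed days than a minimum, and grades new destinations by whether they leave the (hypothetical) internal range.

```python
"""Baseline-and-deviation check for outbound connections from servers whose
destination set should be stable.

Added example, not any NDR product's logic. Flow records are constructed;
the internal range and thresholds are hypothetical."""
import ipaddress
from collections import defaultdict
from datetime import date

MIN_BASELINE_DAYS = 5  # refuse to alert on hosts we have not observed long enough
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed training flows: (day, server, dst_ip, dst_port). Seven quiet days
# for app01 and web01; new01 appeared on the last day only.
TRAINING = []
for d in range(1, 8):
    day = date(2024, 3, d)
    TRAINING += [(day, "app01", "10.0.20.5", 1433), (day, "app01", "10.0.1.10", 53),
                 (day, "web01", "10.0.20.5", 1433), (day, "web01", "10.0.1.10", 53),
                 (day, "web01", "198.51.100.20", 443)]
TRAINING.append((date(2024, 3, 7), "new01", "10.0.1.10", 53))

# Constructed observation window: (server, dst_ip, dst_port)
OBSERVED = [("app01", "10.0.20.5", 1433), ("app01", "203.0.113.9", 4444),
            ("web01", "198.51.100.20", 443), ("web01", "10.0.30.7", 445),
            ("new01", "203.0.113.9", 443)]


def build_baseline(flows):
    """Per server: the (dst_ip, dst_port) set seen and how many distinct days back it."""
    dests, days = defaultdict(set), defaultdict(set)
    for day, server, ip, port in flows:
        dests[server].add((ip, port))
        days[server].add(day)
    return {s: {"dests": dests[s], "days": len(days[s])} for s in dests}


def evaluate(observed, baseline, min_days=MIN_BASELINE_DAYS, internal=INTERNAL):
    """Return (server, dst_ip, dst_port, finding) for each deviation or unbaselined host."""
    findings = []
    for server, ip, port in observed:
        b = baseline.get(server)
        if b is None or b["days"] < min_days:
            # too little history: a baseline built now could enshrine attacker traffic
            findings.append((server, ip, port, "insufficient_baseline"))
            continue
        if (ip, port) in b["dests"]:
            continue
        severity = "medium" if ipaddress.ip_address(ip) in internal else "high"
        findings.append((server, ip, port, f"new_destination_{severity}"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(OBSERVED, build_baseline(TRAINING)):
        print(finding)
```

app01 reaching 203.0.113.9:4444 is the high-severity finding (a destination and port the server never used, outside the internal range), web01 touching an internal file-sharing port is medium, and new01 is reported as unbaselined rather than scored, because a single day of history says nothing about what is normal for it.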

Module 6: Incident Triage and Response Orchestration

  • Defining escalation thresholds for NIDS alerts based on asset criticality and the observed attacker behavior surrounding the alert.
  • Integrating SOAR playbooks with ticketing systems to ensure consistent handling of high-fidelity alerts.
  • Automating containment actions like host isolation only after validating alert confidence levels.
  • Coordinating response activities across network, endpoint, and identity teams during multi-vector incidents.
  • Preserving chain of custody for forensic artifacts collected during intrusion investigations.
  • Conducting post-incident reviews to refine detection logic and update response procedures.

Module 7: Detection Efficacy and Performance Monitoring

  • Measuring mean time to detect (MTTD) for confirmed breaches using retrospective log analysis.
  • Tracking false positive rates per detection rule to identify candidates for tuning or deprecation.
  • Conducting quarterly detection gap assessments using threat emulation frameworks like CALDERA.
  • Reporting detection coverage metrics to executive stakeholders without disclosing sensitive TTP details.
  • Optimizing rule execution order in the SIEM to reduce processing overhead for high-volume events.
  • Revalidating detection rules after major infrastructure changes, such as cloud migrations or AD restructuring.

Module 8: Governance, Compliance, and Cross-Functional Alignment

  • Documenting detection control mappings for audit purposes, such as aligning rules to NIST 800-53 controls.
  • Coordinating with legal and privacy teams before enabling user behavior analytics on personal devices.
  • Establishing change management procedures for modifying production detection rules.
  • Aligning detection strategy with enterprise risk appetite as defined in board-level risk assessments.
  • Managing third-party vendor access to detection systems under strict contractual and technical controls.
  • Integrating detection metrics into cyber insurance risk assessments and renewal discussions.