This curriculum spans the design and operationalization of enterprise threat detection programs, comparable in scope to a multi-phase internal capability build involving intelligence integration, detection engineering, and cross-platform orchestration across SIEM, EDR, cloud, and network environments.
Module 1: Threat Intelligence Integration and Sourcing
- Selecting between open-source, commercial, and ISAC-provided threat feeds based on timeliness, relevance, and false positive rates.
- Establishing automated STIX/TAXII pipelines to ingest and normalize threat indicators from multiple providers.
- Implementing risk-based prioritization of IOCs (Indicators of Compromise) by mapping them to organizational attack surface and critical assets.
- Designing feedback loops to validate and enrich intelligence with internal telemetry from EDR and SIEM systems.
- Managing legal and privacy constraints when ingesting threat data involving PII or cross-border data transfers.
- Enforcing access controls and audit logging for threat intelligence repositories to prevent misuse or exposure.
Module 2: SIEM Architecture and Log Source Management
- Defining log retention policies that balance forensic needs with storage costs and compliance requirements.
- Normalizing and parsing logs from heterogeneous sources using consistent schema mappings (e.g., CIM in Splunk).
- Optimizing parsing rules and correlation searches to reduce CPU load and avoid performance bottlenecks.
- Establishing thresholds for log source health monitoring to detect agent failures or data gaps.
- Integrating cloud-native logging (e.g., AWS CloudTrail, Azure Monitor) with on-prem SIEM deployments.
- Implementing role-based access controls (RBAC) to restrict log query and export capabilities by team function.
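The log source health thresholds in the module above (agent silence and data-gap detection), as an added example that is not part of the curriculum or any vendor's product: the source names, per-source silence limits, hourly baselines and the 50% volume-drop ratio are all assumed, and the ingest events are constructed inline.

```python
"""Log source health check over constructed SIEM ingest metadata (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed per-source expectations: how long a source may stay silent before it is
# treated as a failed agent, and its normal hourly event volume. Values are made up.
EXPECTATIONS = {
    "dc01-security": {"max_silence_min": 15, "baseline_per_hour": 6000},
    "fw-edge":       {"max_silence_min": 5,  "baseline_per_hour": 20000},
    "web-proxy":     {"max_silence_min": 30, "baseline_per_hour": 1500},
    "vpn-gw":        {"max_silence_min": 10, "baseline_per_hour": 800},
}

def check_log_source_health(events, expectations, now, drop_ratio=0.5):
    """events: iterable of (source, timestamp). Returns [(source, condition, detail)].

    Conditions: 'missing' (never seen), 'silent' (last event older than the
    per-source limit) and 'volume_drop' (last-hour count below drop_ratio * baseline).
    """
    last_seen = {}
    last_hour = Counter()
    window_start = now - timedelta(hours=1)
    for source, ts in events:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
        if window_start < ts <= now:
            last_hour[source] += 1
    findings = []
    for source, exp in expectations.items():
        if source not in last_seen:
            findings.append((source, "missing", "no events ever received"))
            continue
        silence_min = (now - last_seen[source]).total_seconds() / 60
        if silence_min > exp["max_silence_min"]:
            findings.append((source, "silent", f"last event {silence_min:.0f} min ago"))
            continue  # a silent source would also look like a volume drop; report once
        if last_hour[source] < exp["baseline_per_hour"] * drop_ratio:
            findings.append((source, "volume_drop",
                             f"{last_hour[source]} events in last hour, baseline {exp['baseline_per_hour']}"))
    return findings

NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed reference time

def constructed_events(now=NOW):
    """Constructed ingest records: one healthy source, one silent, one with a volume drop."""
    ev = [("dc01-security", now - timedelta(seconds=i)) for i in range(3600)]          # healthy
    ev += [("fw-edge", now - timedelta(minutes=20, seconds=i)) for i in range(2400)]   # stopped 20 min ago
    ev += [("web-proxy", now - timedelta(seconds=15 * i)) for i in range(200)]         # alive but thin
    return ev

if __name__ == "__main__":
    for finding in check_log_source_health(constructed_events(), EXPECTATIONS, NOW):
        print(finding)
```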
Module 3: Detection Engineering and Rule Development
- Creating detection rules using Sigma or YARA-L syntax that minimize false positives while maintaining coverage.
- Conducting purple team exercises to test detection efficacy against adversary TTPs from MITRE ATT&CK.
- Version-controlling detection rules in Git and applying CI/CD pipelines for testing and deployment.
- Weighting detection severity based on asset criticality, exploitability, and business impact.
- Rotating and deprecating stale detection rules to reduce alert fatigue and maintenance overhead.
- Documenting detection logic and expected triggers to support analyst training and audit readiness.
Module 4: Endpoint Detection and Response (EDR) Deployment
- Choosing between agent-based and agentless EDR solutions based on OS coverage and resource constraints.
- Configuring EDR sensors to collect process lineage, network connections, and registry changes without degrading endpoint performance.
- Defining containment policies that specify automated actions (e.g., isolate host) based on threat confidence levels.
- Negotiating data sovereignty requirements when EDR telemetry is routed through third-party cloud platforms.
- Integrating EDR alerting with SOAR platforms to enable automated enrichment and response workflows.
- Conducting regular EDR agent health audits to ensure coverage across all critical systems and user devices.
Module 5: Network-Based Threat Detection
- Deploying network TAPs and SPAN ports to ensure full packet capture without blind spots in encrypted traffic.
- Using SSL/TLS decryption selectively to inspect encrypted traffic while complying with privacy regulations.
- Configuring NDR tools to baseline normal traffic patterns and flag lateral movement or data exfiltration.
- Correlating NetFlow and full packet capture data to reconstruct attack timelines during incident response.
- Managing storage costs for full packet capture by applying retention policies based on network segment criticality.
- Integrating network detection alerts with firewall and segmentation controls to enable dynamic blocking.
Module 6: Cloud and Identity Threat Detection
- Mapping cloud-native logging (e.g., AWS GuardDuty, Azure AD audit logs) to the MITRE ATT&CK Cloud matrix.
- Establishing detection rules for anomalous sign-ins, such as impossible travel or legacy authentication usage.
- Correlating identity provider logs with workload access patterns to detect privilege escalation.
- Monitoring for unauthorized changes to IAM policies, service principals, or role assignments.
- Implementing anomaly detection thresholds that adapt to normal user behavior using UEBA models.
- Securing API keys and service account credentials used by detection tools to prevent compromise.
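The impossible-travel sign-in rule named in the module above, as an added example that is not part of the curriculum or any identity provider's product: the 900 km/h plausible-speed ceiling, the 50 km minimum distance used to ignore geolocation jitter, and the sign-in records are all assumed and constructed inline.

```python
"""Impossible-travel detection over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly commercial airliner speed
MIN_DISTANCE_KM = 50.0            # assumption: ignore IP geolocation jitter within a metro area

@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    source_ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Return (user, earlier, later, implied_speed_kmh) for consecutive sign-ins by the
    same user whose implied speed exceeds max_speed_kmh. Same-timestamp sign-ins from
    distant locations are reported with speed float('inf')."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # same city, different egress IP: not worth an alert
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, speed))
    return findings

# Constructed sample: alice London -> New York in 1 h (flag), bob London -> Paris in 3 h
# (plausible), carol twice from London via different IPs (jitter, ignored).
SAMPLE = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278, "198.51.100.10"),
    SignIn("alice", datetime(2024, 5, 1, 10, 0), 40.7128, -74.0060, "203.0.113.77"),
    SignIn("bob", datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278, "198.51.100.11"),
    SignIn("bob", datetime(2024, 5, 1, 12, 0), 48.8566, 2.3522, "203.0.113.5"),
    SignIn("carol", datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278, "198.51.100.12"),
    SignIn("carol", datetime(2024, 5, 1, 9, 5), 51.5100, -0.1200, "198.51.100.99"),
]
```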
Module 7: Threat Detection Operations and Workflow Integration
- Designing alert triage workflows that assign priority based on detection confidence and asset exposure.
- Integrating detection tools with ticketing systems (e.g., ServiceNow) to ensure consistent case management.
- Establishing SLAs for alert response times based on severity and operational capacity.
- Conducting regular tabletop exercises to validate detection and response coordination across teams.
- Measuring detection efficacy using metrics such as mean time to detect (MTTD) and detection coverage gaps.
- Rotating detection responsibilities across shifts to prevent analyst fatigue and maintain vigilance.
Module 8: Governance, Compliance, and Continuous Improvement
- Aligning detection programs with regulatory frameworks such as NIST, ISO 27001, or PCI DSS.
- Documenting detection capabilities for internal audit and external certification purposes.
- Conducting quarterly reviews of detection coverage against updated threat models and business changes.
- Managing third-party risk by assessing detection capabilities of cloud providers and managed security services.
- Updating detection strategies in response to post-incident reviews and threat landscape shifts.
- Establishing a threat detection steering committee to prioritize investments and resolve cross-functional conflicts.