CyberBlue Detection Engineering
From Log Line to Versioned Rule
From log line to versioned rule — build, test, deploy, and measure detections across SIEM, network, and endpoint.
Course Modules
Module 1: Detection Program Foundations
Understand what detection engineering is, how to design a detection program, and how to use ATT&CK to prioritize what you build.
Module 2: From Evidence to Logic
Master the path from raw log evidence to detection logic — field anatomy, query building, and false positive management.
Module 3: Sigma — The Portable Core
Write, convert, and deploy Sigma detection rules — the vendor-agnostic language that works across every SIEM.
Module 4: Network and File Detections
Extend detection beyond the SIEM — build Suricata network rules, YARA file rules, and combine all three for defense-in-depth.
Module 5: Emulation-Driven Development
Validate detections with atomic tests, build acceptance criteria, and ensure rule changes never silently break coverage.
Module 6: Intel-Driven Detections
Turn threat intelligence into detections — decompose reports, choose between IOC-based and behavioral approaches, and write structured threat briefs.
Module 7: Automation, Quality, and Deployment
Build validation pipelines, CI/CD workflows, and API-first deployment — ship detections like software.
Module 8: Capstone — Detection Portfolio
Measure coverage, communicate value to leadership, and build a professional detection engineering portfolio.