CyberBlueAcademy

Course: CyberBlue Detection Engineering

Module 2: From Evidence to Logic

Master the path from raw log evidence to detection logic — field anatomy, query building, and false positive management.

Tools: Wazuh
3 Lessons, 2 Hands-on Labs

Lessons & Labs

Lesson 2.1 — Log Anatomy for Detection

Understanding field structures, normalization, parsing — the raw material of every detection rule.

Lab 2.1 — From Evidence to DQL Query

Analyze raw alert fields in the shared Wazuh environment, build detection queries from evidence, and validate that they match the expected events.

Difficulty: Intermediate

Lesson 2.2 — Building Detection Logic

From observable to hypothesis to query to rule — the detection engineering workflow.

Lab 2.2 — Tuning a Noisy Rule

Investigate a high-volume rule in the shared Wazuh data, separate true positives from false positives, and build exclusion filters that preserve detection coverage.

Difficulty: Intermediate

Lesson 2.3 — False Positive Management

Baselining, whitelist strategies, tuning without losing coverage.

© 2026 CyberBlue Academy. All rights reserved.