We're taking you from navigating the Windows Start menu to triaging Tier 1 SOC analyst tickets, live-streaming instruction on every piece of content in the pay-what-you-can (PWYC) 400+ hour SOC100 course series over 5 months. Recordings are free, and the course costs a minimum of $19 (suggested $29), with virtual machines and lab time provided.
Full playlist: https://youtube.com/playlist?list=PLarzZ7tJk-lF1l2PpqwPJcVAlYkLl6nLh&si=TvuJWlDVeU0r_s99
Full course info 👉 https://www.leveleffect.com/soc100
Stream calendar 🗓️ https://docs.google.com/spreadsheets/d/12WRVm_52PmFkp6Lr8v9v8M1ONcRytOz8zizYBy10LHI/edit?gid=0#gid=0
Stream Details:
- Class 32
- Course: SOC100-5
- Domain: Detection Engineering
Website: https://leveleffect.com
Discord: https://discord.gg/level-effect
Twitch: https://www.twitch.tv/leveleffect
Newsletter & Blog: https://news.leveleffect.com/
LinkedIn: https://www.linkedin.com/school/leveleffect
Timestamps:
00:00:00 - Intro & detection engineering overview
00:05:35 - Range setup, Sigma standard, attack simulation
00:06:07 - Emulating adversary tradecraft, writing ELK detections
00:08:13 - Designing detection logic, event log analysis, pattern matching
00:10:30 - SOC communication, targeted detection vs. blanket alerts
00:12:05 - Managing false positives/negatives, addressing rule brittleness
00:16:12 - Detection lifecycle: use case, research, deployment, metrics
00:20:52 - Custom tooling & threat research, Cyber Kill Chain insights
00:26:16 - Fatal funnel concept, leveraging OS choke points for persistence
00:29:06 - Lab demo: Installing Atomic Red Team, adversary emulation
00:35:03 - Dual roles: integrating detection engineering with threat hunting
00:39:05 - Successful module install, validating Atomic Red Team tests
00:41:28 - Evaluating commercial vs. open-source tools (Snap Attack)
00:43:33 - Configuring persistent PowerShell profile for module loading
00:46:00 - Regression testing & monitoring detection rule performance
00:50:26 - Overcoming rule maintenance challenges, documenting 1400+ rules
00:54:09 - Crafting Sigma rules: YAML format, GUIDs, unbiased descriptions
01:04:21 - Sigma Converter: translating rules to ELK query syntax, field mapping
01:11:01 - Automating rule tests via CI/CD, tracking true/false positive ratios
01:24:28 - Lab exercise: emulating events in ELK, validating query matches
01:32:11 - Optimizing detection queries, filtering by platform for scalability
01:40:26 - Balancing alert volume and triage: minimizing noise effectively
01:44:07 - Building new detection rules in ELK: practical rule creation
01:56:10 - Simulated attack: HTA reverse shell, iterative rule development
02:01:34 - Recap: integrating threat hunting with detection engineering
02:03:06 - Emphasizing team collaboration and continuous improvement
02:05:01 - Final insights: persistence, learning, and delivering business value