Blue-team detection engineering — how a SOC turns raw logs into alerts. Collect the right log sources, search and correlate them in a SIEM, write vendor-neutral detection rules with Sigma, map coverage to MITRE ATT&CK, hunt proactively, and tune alerts analysts can trust.
Before you start
You will work with logs and detection rules. Practice on your own systems’ logs, or spin up a free SIEM to load data into — Splunk Free, the Elastic (ELK) stack, or Wazuh (open source). Detections are written in Sigma, which converts to any of them.
The SOC & Detection Pipeline
Detection is a pipeline: logs flow in, rules match suspicious activity, alerts flow out to analysts. Understand the flow and the SIEM that runs it before writing a single rule.
Log Sources & Collection
You can’t detect blind. Know which logs matter — authentication, process, network, and cloud — enable the right verbosity, and get them reliably into the SIEM.
Searching & Correlating Logs
Investigation is search. Filter millions of events down to the few that matter, then correlate across sources to turn scattered logs into the story of an attack.
Writing Detection Rules
Turn "I’d recognize that attack" into an automated rule. Sigma is the vendor-neutral language for detections — write once, convert to any SIEM, and share with the community.
Mapping to MITRE ATT&CK
Which attacks can you actually catch? MITRE ATT&CK is the shared map of adversary techniques — use it to measure detection coverage and find your blind spots.
Threat Hunting
Detection waits for a rule to fire; hunting goes looking. Form a hypothesis about how an attacker would operate, search for evidence, and turn what you find into new detections.
Alert Triage & Tuning
Too many alerts is as bad as none — analysts stop trusting a noisy queue. Triage efficiently, ruthlessly cut false positives, and automate the repetitive response steps.