Detection Engineering

For Security Engineers and Detection Engineers Building Detection Programs in Microsoft Sentinel and Defender XDR

Aligned to MITRE ATT&CK · Sigma rules · CISA KEV · Mandiant tradecraft

Write detection rules that catch real attacks and survive production.

Build a detection engineering program from threat model to deployed rule. Prioritize techniques using crown jewel analysis, write Sigma and KQL detection rules against real attacker telemetry, test rules with synthetic and live data, tune false positives systematically, and operate a detection-as-code pipeline. You finish with 71 production rules deployed, an ATT&CK coverage map, and the methodology to take any technique and ship a validated detection.

Text-based · Persistent labs on your own hardware · 2 free modules available now · 40 CPE credits · Content last updated: May 2026

What you'll deploy
71 production KQL detection rules + 6 full ATT&CK-mapped attack chains
Complete detection lifecycle from hypothesis to automated response
Detection-as-code workflows with version control and CI/CD patterns
Custom analytics rules tuned for your environment with false-positive baselines
ATT&CK coverage heatmap showing exactly where your gaps are
Deployable Sigma rules convertible to KQL, SPL, and Elastic
DETECTION ENGINEERING — ATTACK CHAIN COVERAGE

CHAIN-HARVEST: AiTM → BEC → Financial fraud. 5 detection points: phishing, token theft, inbox rule, email collection, wire fraud
CHAIN-MESH: Ransomware via SD-WAN lateral movement. 7 detection points: VPN compromise to pre-encryption indicators
CHAIN-ENDPOINT: Watering hole → Cobalt Strike → crown jewels. 7 detection points: drive-by, beacon, LSASS, PtH, recon, file share, C2 exfil
CHAIN-PRIVILEGE: Insider PIM abuse → app registration persistence. 5 detection points: role activation, app creation, mailbox access, exfil, cover tracks
CHAIN-DRIFT: Config change exploit. 4 detection points: CA gap → spray → persist → exfil
CHAIN-FACTORY: Physical USB theft. 5 detection points: USB → exec → recon → copy → exfil

71 rules · 6 attack chains · 13 modules · 30-40 hours
From 10% ATT&CK coverage → defensible, risk-prioritized detection

What you'll be able to do

Build a detection engineering program from threat model to deployed rule
Write Sigma and KQL detection rules against real attacker telemetry
Test and tune rules to achieve acceptable false positive rates
Operate a detection-as-code pipeline with version control and peer review
Measure and report detection coverage using ATT&CK mapping

Course Agenda

Course at a glance

You start with template rules you inherited — enabled from Content Hub, never examined, never tested against the attacks that actually target your environment. You finish owning a detection program where every rule exists because your threat model says it should, every rule has been tested against realistic attack chains, and you can prove to your CISO exactly which techniques you detect and which remain as accepted risk.

What you'll build: 71 production KQL detection rules — each specified, built, tested against 6 multi-phase attack chains, and tuned for your environment. A detection-as-code pipeline with Git and CI/CD. A coverage measurement system that quantifies your detection program's effectiveness. The 90-day board report that justifies continued investment.

13 modules · 40 CPE credits · Self-paced at ~5 hrs/week

Typical pace: ~5-10 weeks at 5 hrs/week

Hands-on labs: 10 interactive

MITRE ATT&CK coverage: 138 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The detection rules in this course are grounded in that operational work. The techniques, thresholds, false positive patterns, and tuning decisions are drawn from real detection engineering programs, adapted for training.

The outcome

You start with template rules you inherited. You finish with a detection program you built.

71 production detection rules — tested, tuned, entity-mapped, and deployed with automated response.

ATT&CK coverage from 7% to defensible — measured, prioritized, and reportable to leadership.

A detection-as-code pipeline — Git, CI/CD, pull request review, sprint cadence.

The 90-day board report — the metrics that justify continued investment in detection engineering.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy detection rules from this course in your organization's production Sentinel workspace. You may not redistribute course content, share account credentials, or republish course materials.

Detection rules: All KQL detection rules are provided as-is for deployment in your environment. Test every rule against your environment's data before enabling in production. Thresholds, entity mappings, and exclusions require environment-specific tuning. Ridgeline Cyber Defence is not responsible for false positives, false negatives, or operational impact from deployed rules.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental. IP addresses use RFC 5737 documentation ranges.

Lab Pack — Detection Engineering Toolkit

This course includes a downloadable lab pack covering the full detection engineering lifecycle — not just KQL. The generator creates realistic-volume evidence data across 8 Sentinel tables with all 6 NE attack chains buried in 14 days of legitimate noise, plus detection rules in 6 formats, a Sysmon configuration, threat model artifacts, and program management templates.

Evidence data (~3,500 entries): SigninLogs, AuditLogs, EmailEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, SysmonEvents — all with attack indicators hidden in baseline noise.

Detection rules (6 formats, ~80 files): 10 KQL rules (individual files with full metadata), 10 Sigma rules (convert to Splunk/Elastic/Sentinel with sigma-cli), 5 YARA rules (implants, web shells, C2 configs), 30+ auditd rules by tactic, 7 Suricata rules (C2, mining, lateral, exfil), 7 Velociraptor VQL hunts.

Program artifacts: ATT&CK coverage matrix (30 techniques), NE threat profile, detection-as-code Git structure with metadata, FP register with classification guide, 3 tuning case studies, Atomic Red Team test mapping, Sysmon config (SwiftOnSecurity + NE).

Evidence analysis: Open CSV files in Timeline Explorer by Eric Zimmerman — column names match Sentinel table schemas.

Detection Engineering Lab Pack
~80 files · 6 rule formats · ~3,500 evidence entries · Sysmon config · ATT&CK coverage matrix

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack rebuilt with full detection engineering scope: 6 rule formats (KQL, Sigma, YARA, auditd, Suricata, VQL), Sysmon events and config, ATT&CK coverage matrix, threat profile, detection-as-code structure, FP register, tuning case studies, Atomic Red Team mapping. Prerequisites updated for advanced positioning. Inclusive audience statement added.

2026 — v1.0: Course launch. 13 modules (DE0-DE12). 71 production KQL detection rules. 6 attack chains. Interactive components.

This course is actively maintained. Detection rules are updated as the Microsoft security platform evolves and new attack techniques emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 3 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.