DE0.11 What This Course Builds
The 12-module progression
Figure DE0.11 — Course progression showing cumulative detection rule count. Phase 1 (DE0-DE1) builds foundations. Phase 2 (DE2-DE8) builds 44-52 production KQL rules. Phase 3 (DE9-DE11) tunes, deploys, and validates the complete library.
Phase 1 — Foundations (Free, DE0-DE1)
DE0 (this module) makes the case, introduces the NE Training Universe, and establishes the metrics framework. No production rules — this is context and motivation.
DE1 (Detection Rule Architecture) teaches the mechanics of Sentinel analytics rules — every configuration option, entity mapping, alert grouping strategy, and the rule specification template. After DE1, you understand how rules work. You are ready to build them.
Phase 2 — Building the Detection Library (Paid, DE2-DE8)
DE2 (Threat Modeling for Detection Prioritization) teaches how to decide WHAT to detect. Crown jewel analysis, ATT&CK coverage assessment, risk-based gap scoring, and the 90-day detection roadmap. No production rules — this module produces the prioritized backlog that DE3-DE8 execute against.
DE3 (Detecting Initial Access) — 6-8 production rules. Phishing beyond Safe Links, password spray, token theft, drive-by, removable media, valid account compromise. CHAIN-HARVEST and CHAIN-FACTORY Phase 1 detection.
DE4 (Detecting Credential Attacks and Identity Threats) — 8-10 production rules. Password spray at scale, AiTM session token theft, MFA fatigue, impossible travel tuned for VPN environments, PIM activation anomalies, service principal threats. CHAIN-HARVEST Phase 2, CHAIN-MESH Phase 1, CHAIN-PRIVILEGE Phase 1.
DE5 (Detecting Persistence and Execution) — 8-10 production rules. Inbox rules, scheduled tasks, registry persistence, PowerShell execution, account creation, OAuth app persistence. Persistence detection across all 6 chains.
DE6 (Detecting Discovery and Defense Evasion) — 6-8 production rules. Reconnaissance sequences, LDAP enumeration, security tool tampering, audit log manipulation, configuration change monitoring. CHAIN-MESH Phases 2 and 6, CHAIN-DRIFT core detection.
DE7 (Detecting Collection and Exfiltration) — 8-10 production rules. Email collection, SharePoint bulk access, file share anomalies, USB exfiltration, cloud storage exfiltration, C2 channel exfiltration. Collection and exfiltration detection across all 6 chains.
DE8 (Detecting Lateral Movement and Impact) — 8-10 production rules. RDP lateral movement, WMI execution, Pass-the-Hash, cross-site SD-WAN movement, credential dumping, ransomware pre-encryption NRT rule. CHAIN-MESH Phases 3-7, CHAIN-ENDPOINT Phases 4-7.
Cumulative: 44-56 production KQL detection rules with full specifications (hypothesis, ATT&CK mapping, entity mapping, severity, FP analysis, response procedure, tuning plan).
Phase 3 — Operations and Mastery (Paid, DE9-DE11)
DE9 (Testing, Tuning, and False Positive Management) — no new rules. Tests and tunes the rules from DE3-DE8. Historical validation, threshold optimization, FP classification, watchlist management, and the monthly tuning cadence.
DE10 (Detection-as-Code and Program Operations) — no new rules. Deploys the library via Git + CI/CD. Rule documentation standard, ATT&CK heatmap generation, quarterly coverage reports, sprint cadence, and cross-team collaboration.
DE11 (Capstone — Building the NE Detection Program) — deploys all rules, replays all 6 attack chains, produces the full ATT&CK coverage assessment, runs a simulated triage day (30-40 alerts), and produces the 90-day board report for Rachel (CISO), David (CEO), and Sarah (CFO).
Try it yourself
Exercise: Plan your personal learning path
Based on your current role and priorities: which Phase 2 modules are most urgent for your environment? If credential attacks are your top risk, prioritize DE3-DE4. If ransomware is the concern, prioritize DE6 and DE8. If insider threat, prioritize DE4 and DE5. You do not need to take Phase 2 in strict order — the 90-day roadmap in DE2 helps you sequence based on your threat model.
Check your understanding
After completing the course, how many production detection rules will you have built, and what is the expected coverage improvement for Northgate Engineering?
Answer: 44-56 production KQL detection rules. Northgate Engineering's baseline is 10.3% ATT&CK coverage against the full matrix (15 techniques out of 145 assessed), which equates to 30% coverage of the ~50 techniques identified as relevant through the threat model (DE2). The course rules target 80% of the relevant technique set — approximately 40 techniques covered — which represents a 2.7x improvement over the baseline. This is the target Rachel presents to the board at the 90-day mark. Coverage will not reach 100% (that is neither achievable nor the goal). The 80% target concentrates coverage on the techniques most relevant to Northgate's threat landscape, measured by the risk-based prioritization from DE2.
Troubleshooting: “I do not have time for all 12 modules”
The minimum viable path is DE0 → DE1 → DE2 → DE3 → DE4 → DE9. Six modules that produce: the threat model, 14-18 credential and initial access detection rules, and the tuning discipline. This covers the highest-probability attack techniques (credential theft is the entry point for the majority of enterprise attacks) and provides the foundation for expanding later.
The advanced path adds DE5-DE8 for full kill-chain coverage — persistence, discovery, lateral movement, collection, exfiltration, and impact detection. This is the path for organizations that need defense in depth across the ATT&CK framework.
DE10 and DE11 are operational maturity modules. They matter when you have 30+ rules in production and need the governance, automation, and reporting to sustain the program. They can be deferred until the rule library justifies the operational investment.
References used in this subsection
- Course blueprint (module specifications and rule count targets)
- Course cross-references: all modules (DE0-DE11)
The detection program target: 66 rules across 10 ATT&CK tactics
The 12-module progression
The course is structured as a PROGRESSIVE BUILD — each module adds capability to the detection program:
Phase 1 (DE0-DE1, Free): Establishes the problem (7.2% coverage) and teaches the mechanics (Sentinel analytics rule architecture). The learner understands WHY detection engineering matters and HOW Sentinel rules work. Zero rules built — this is the foundation.
Phase 2 (DE2-DE8, Paid): Builds the complete 66-rule detection library. DE2 teaches the methodology (threat modeling, prioritization). DE3-DE8 build production rules across all 10 ATT&CK tactics relevant to NE’s threat landscape. Each module produces 9-15 deployable KQL rules with full specifications, entity mapping, and FP analysis. The learner deploys rules incrementally — after each module, additional attack chain phases are detected.
Phase 3 (DE9-DE11, Paid): Operationalizes the program. DE9 teaches testing, tuning, and maintenance (the 4.5 hours/month that keeps the program effective). DE10 teaches governance (Git-based rule management, CI/CD, coverage reporting, executive communication). DE11 validates everything through a capstone exercise: all 6 attack chains run against the 66-rule library, the learner triages a full day of alerts, and produces the 90-day board report.
The learner exits DE11 with: 66 production rules, a Git repository with CI/CD pipeline, monthly tuning cadence, quarterly validation schedule, and a board-ready program report. This is not a certification — it is a DEPLOYED capability.
NE environmental considerations
NE’s detection environment includes specific factors that influence how the rules built in this course operate:
Device diversity: 768 P2 corporate workstations with full Defender for Endpoint telemetry, 58 P1 manufacturing workstations with basic cloud-delivered protection, and 3 RHEL rendering servers with Syslog-only coverage. Rules targeting DeviceProcessEvents operate with full fidelity on P2 devices but may have reduced visibility on P1 devices. Manufacturing workstations in Sheffield and Sunderland represent a detection gap for endpoint-level detections.
Network topology: 11 offices connected via Palo Alto SD-WAN with full-mesh connectivity. The SD-WAN firewall logs feed CommonSecurityLog in Sentinel. Cross-site lateral movement generates firewall allow events that correlate with DeviceLogonEvents — enabling multi-source detection that single-table rules cannot achieve.
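The cross-site correlation described above, written out as an added KQL example (it is not one of the course’s production rules). It assumes the Palo Alto logs land in CommonSecurityLog with DeviceVendor "Palo Alto Networks", that SD-WAN traffic is not NATed between sites, and uses constructed site subnets, a 5-minute pairing window and a lateral-movement port list that NE would replace with its own values (for example from a Sentinel watchlist).

```kql
// Added example, not a rule from the course. Maps an IP to an office site;
// the subnets below are constructed for illustration.
let site_of = (ip:string) {
    case(ipv4_is_in_range(ip, "10.10.0.0/16"), "Sheffield",
         ipv4_is_in_range(ip, "10.20.0.0/16"), "Sunderland",
         ipv4_is_in_range(ip, "10.30.0.0/16"), "HeadOffice",
         "Unknown")
};
let lookback = 1h;
let pairing_window = 5m;   // assumption: firewall allow precedes the logon by at most 5 minutes
// Step 1: SD-WAN firewall allow events on ports used by RDP, SMB, WMI and WinRM,
// keeping only flows whose source and destination sit in different sites.
let FwAllows = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Palo Alto Networks" and DeviceAction =~ "allow"
    | where DestinationPort in (135, 139, 445, 3389, 5985, 5986)
    | extend SrcSite = site_of(SourceIP), DstSite = site_of(DestinationIP)
    | where SrcSite != DstSite and SrcSite != "Unknown" and DstSite != "Unknown"
    | project FwTime = TimeGenerated, SourceIP, DestinationIP, DestinationPort, SrcSite, DstSite;
// Step 2: successful remote logons reported by Defender for Endpoint (P2 devices only
// carry this telemetry, so P1 manufacturing hosts remain a gap for this correlation).
DeviceLogonEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "LogonSuccess" and LogonType in ("Network", "RemoteInteractive")
    | where isnotempty(RemoteIP)
    | project LogonTime = TimeGenerated, DeviceName, AccountName, AccountDomain, LogonType, RemoteIP
    // Step 3: pair each logon with the firewall allow from the same source host that
    // immediately preceded it; a single-table rule cannot see both sides.
    | join kind=inner FwAllows on $left.RemoteIP == $right.SourceIP
    | where LogonTime between (FwTime .. (FwTime + pairing_window))
    // Step 4: one account reaching several hosts in another site inside the window
    // is the pattern worth an analyst's time; a single admin RDP session is not.
    | summarize FirstSeen = min(LogonTime), LastSeen = max(LogonTime),
                TargetHosts = make_set(DeviceName), TargetCount = dcount(DeviceName),
                Ports = make_set(DestinationPort)
              by AccountName, AccountDomain, RemoteIP, SrcSite, DstSite
    | where TargetCount >= 2
    // Entity mapping for the Sentinel analytics rule: Account -> AccountName/AccountDomain,
    // IP -> RemoteIP, Host -> TargetHosts.
    | project FirstSeen, LastSeen, AccountName, AccountDomain, RemoteIP, SrcSite, DstSite,
              TargetCount, TargetHosts, Ports
```

Tuning note: field engineers and IT administrators legitimately cross sites, so the first FP review should add a watchlist exclusion for known jump hosts and administrative accounts rather than raising the TargetCount threshold.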
User population: 810 users with distinct behavioral profiles — office workers (predictable hours, consistent applications), field engineers (variable hours, travel patterns), IT administrators (elevated privilege, broad access patterns), and manufacturing operators (fixed shifts, limited application access). Each user population has different detection baselines.
Integration with the NE detection library
Each rule operates within the 66-rule detection library, contributing to NE’s cumulative ATT&CK coverage. The SOC triages alerts from each rule alongside adjacent kill chain detections — correlation across modules transforms individual alerts into attack chain narratives. Monthly health monitoring (DE9.8) ensures each rule maintains its target TP rate as the environment evolves.
Each detection contributes to NE’s systematic coverage across the ATT&CK framework, correlating with adjacent-phase rules to identify multi-stage attacks. The monthly tuning review monitors its operational effectiveness.
The myth: Only organizations with dedicated detection engineering teams can build and maintain a custom detection program. Small SOC teams should rely on vendor templates.
The reality: NE’s 66-rule detection program was built by a single engineer (Rachel) alongside SOC analyst duties. The monthly maintenance is 4.5 hours — 3% of one person’s capacity. One competent engineer with a structured methodology (DE0-DE11) outperforms a team of five deploying vendor templates without customization.