DE0.13 Module Summary
This module established the case for detection engineering and introduced the environment you will build against for the rest of the course. Twelve subsections covered the detection gap, how attacks exploit it, the discipline that closes it, the platform and data available, the metrics that measure progress, the organization and attack scenarios, the complete course roadmap, and the lab setup.
What you learned
The detection coverage illusion (DE0.1). Northgate Engineering’s 23 analytics rules cover 15 distinct ATT&CK techniques out of 145 relevant — 10.3% coverage. Detection failure operates on three layers: no rule exists, the rule exists but does not fire on the variant, or the rule fires but the analyst ignores it.
CHAIN-HARVEST walkthrough (DE0.2). A commodity AiTM phishing attack traversed five phases over 3 hours 48 minutes. Zero of 23 rules fired. Same-country proxy, folder-move inbox rule, MailItemsAccessed bulk reads, and internal BEC — each exploiting a specific detection gap.
CHAIN-MESH walkthrough (DE0.3). A ransomware attack crossed three sites via SD-WAN in 2 hours 18 minutes. The first alert came at Phase 7 (ransomware pre-encryption), after the attacker already held domain admin credentials and a backdoor account. The six preceding phases of lateral movement went undetected.
The detection engineering discipline (DE0.4). Six-stage lifecycle: hypothesize, design, build, test, deploy, tune. Five maturity levels from reactive to self-improving.
Why vendor detection is not enough (DE0.5). Five categories require custom rules: environmental context, business-logic correlation, crown jewel monitoring, configuration drift detection, and third-party data correlation.
The Microsoft detection surface (DE0.6). Unified KQL query surface. Cross-source joins as single operators. Two mechanisms: Sentinel analytics rules and Defender XDR custom detections.
The data you already have (DE0.7). 20 tables are ingested; the existing rules query only 6 of them. The highest-volume unqueried table is AADNonInteractiveUserSignInLogs at 4.8 GB/day, and it contains the AiTM detection signal.
Measuring what matters (DE0.8). Six metrics: coverage %, MTTD, TP rate, FP rate, rules per analyst, cost per detection. Quarterly report template for leadership.
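As an added example, not part of the course materials, the following Python script derives two of this module's artifacts from a rule inventory export: the technique coverage percentage (DE0.1, DE0.8) and the data-source audit that surfaces ingested-but-unqueried tables ranked by volume (DE0.7). The rules, the "relevant technique" list, the table inventory and every GB/day figure except the AADNonInteractiveUserSignInLogs value from DE0.7 are constructed for illustration; the table-name matching approach and all function names are assumptions, not the course's own tooling.

```python
"""Coverage baseline and data-source audit over an exported rule inventory.

Constructed example: rules, technique list and table volumes are illustrative.
Only the 4.8 GB/day AADNonInteractiveUserSignInLogs figure comes from the course.
"""
import re

# Constructed stand-in for the course's 145 "relevant" ATT&CK techniques.
# The IDs are real ATT&CK technique IDs; the selection is an assumption.
RELEVANT_TECHNIQUES = {
    "T1078", "T1204.002", "T1557", "T1564.008", "T1114.002",
    "T1021", "T1136", "T1486",
}

# Constructed ingestion inventory, GB/day. In Sentinel this can be derived from
# the Usage table (Quantity is reported in MB); the values here are assumed.
INGESTED_GB_PER_DAY = {
    "SigninLogs": 1.2,
    "AADNonInteractiveUserSignInLogs": 4.8,
    "AuditLogs": 0.3,
    "OfficeActivity": 2.1,
    "SecurityEvent": 3.5,
    "DeviceProcessEvents": 2.9,
    "DeviceNetworkEvents": 1.7,
    "EmailEvents": 0.6,
}

# Constructed analytics rules: name, mapped techniques, KQL body.
# These are not Northgate's 23 rules.
RULES = [
    {
        "name": "High-risk interactive sign-in",
        "techniques": ["T1078"],
        "query": """
            SigninLogs
            | where ResultType == 0 and RiskLevelDuringSignIn == "high"
        """,
    },
    {
        "name": "Process launched from user temp path",
        "techniques": ["T1204.002"],
        "query": """
            DeviceProcessEvents
            | where FolderPath has @"\\Temp\\"
        """,
    },
    {
        "name": "Inbox rule created shortly after sign-in",
        "techniques": ["T1564.008", "T1078"],
        "query": """
            let signins = SigninLogs | where ResultType == 0
                | project TimeGenerated, UserPrincipalName;
            OfficeActivity
            | where Operation == "New-InboxRule"
            | join kind=inner (signins) on $left.UserId == $right.UserPrincipalName
        """,
    },
]


def tables_referenced(query: str, inventory) -> set:
    """Return the ingested tables a KQL query reads.

    Table names are matched as whole identifiers against the inventory, which
    covers the first pipeline stage, `let` bindings and join/union subqueries.
    Strings and comments are not stripped, so a table name inside a string
    literal would count as a reference; acceptable for an inventory audit.
    """
    return {t for t in inventory if re.search(rf"\b{re.escape(t)}\b", query)}


def coverage(rules, relevant):
    """Distinct relevant techniques with at least one rule, as set and percent."""
    covered = {t for r in rules for t in r["techniques"] if t in relevant}
    return {
        "covered": covered,
        "uncovered": sorted(relevant - covered),
        "percent": round(100 * len(covered) / len(relevant), 1),
    }


def data_source_audit(inventory, rules):
    """Map each table to the rules that query it; list unqueried tables by volume."""
    queried = {}
    for r in rules:
        for t in tables_referenced(r["query"], inventory):
            queried.setdefault(t, []).append(r["name"])
    unqueried = sorted(
        ((t, gb) for t, gb in inventory.items() if t not in queried),
        key=lambda x: x[1], reverse=True,
    )
    return {
        "queried": queried,
        "unqueried": unqueried,
        "unqueried_gb_per_day": sum(gb for _, gb in unqueried),
        "total_gb_per_day": sum(inventory.values()),
    }


if __name__ == "__main__":
    cov = coverage(RULES, RELEVANT_TECHNIQUES)
    print(f"Coverage: {len(cov['covered'])}/{len(RELEVANT_TECHNIQUES)} "
          f"techniques ({cov['percent']}%)")
    print("Uncovered:", ", ".join(cov["uncovered"]))
    audit = data_source_audit(INGESTED_GB_PER_DAY, RULES)
    print(f"Tables ingested: {len(INGESTED_GB_PER_DAY)}, queried: {len(audit['queried'])}")
    print(f"Unqueried volume: {audit['unqueried_gb_per_day']:.1f} of "
          f"{audit['total_gb_per_day']:.1f} GB/day")
    for table, gb in audit["unqueried"]:
        print(f"  {table:<35} {gb:>5.1f} GB/day  (no rule reads this table)")
```

On the constructed inventory the script reports 3 of 8 techniques covered (37.5%) and puts AADNonInteractiveUserSignInLogs at the top of the unqueried list, which is the same shape of finding DE0.7 makes against the real 20-table environment. Pointing it at a real export means replacing the three constants with the rule definitions, the ATT&CK mapping, and per-table volumes pulled from the workspace.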
Northgate Engineering (DE0.9). 810 staff, 11 locations, hybrid AD + Entra ID, M365 E5, 18 GB/day Sentinel ingestion. Server 2016 debt, limited EDR on manufacturing, RHEL without Defender, over-provisioned PIM.
The six attack chains (DE0.10). HARVEST (AiTM/BEC), MESH (ransomware/SD-WAN), ENDPOINT (watering hole/crown jewels), PRIVILEGE (insider/PIM), DRIFT (config change), FACTORY (physical/USB). Each spans multiple modules.
What this course builds (DE0.11). 12 modules, 3 phases, 44-56 production KQL rules. Minimum viable path: 6 modules producing 14-18 rules.
Your detection engineering lab (DE0.12). Three paths: developer tenant, production, or NE baselines. Verification query confirms readiness.
Artifacts produced in this module
| Artifact | Subsection | Purpose |
|---|---|---|
| Coverage assessment baseline | DE0.1 | Measure ATT&CK coverage |
| CHAIN-HARVEST gap analysis | DE0.2 | Map rules against AiTM/BEC phases |
| CHAIN-MESH gap analysis | DE0.3 | Map rules against ransomware phases |
| Maturity assessment | DE0.4 | Assess program maturity (1-5) |
| Rule classification inventory | DE0.5 | Classify vendor vs custom rules |
| Detection surface inventory | DE0.6 | Map data sources and mechanisms |
| Data source detection audit | DE0.7 | Identify unqueried tables |
| Quarterly report template | DE0.8 | Leadership reporting |
| Environment comparison | DE0.9 | Compare your environment to NE |
| Attack chain relevance matrix | DE0.10 | Prioritize chains by environment fit |
| Personal learning plan | DE0.11 | Plan your course path |
| Lab environment checklist | DE0.12 | Verify lab readiness |
What comes next
DE1 (Detection Rule Architecture) teaches the mechanics of Sentinel analytics rules — every configuration option, every field, and the rule specification template. After DE1, you understand how rules work. DE2 teaches what to detect. DE3 starts building production rules.