The goal of this program is to provide security professionals with the expertise to select, optimize, and manage SIEM and security analytics platforms for advanced threat detection and analysis:

• SOC Analysts (Tier 2/3).
• SIEM Administrators and Engineers.
• Security Architects.
• Threat Hunters and Detection Engineers.
• Compliance and Audit Specialists.
• IT Operations and Logging Administrators.
• CISO and Security Managers.

• Hands-on labs writing complex SIEM correlation rules using a query language (e.g., Splunk SPL, KQL).
• Group activity designing a log ingestion and normalization architecture for a hybrid environment.
• Technical discussions on the differences between SIEM, Log Management, and Data Lake solutions.
• Case studies on major breaches and the role of SIEM failure in detection.
• Individual assignment creating a detection roadmap mapped to the MITRE ATT&CK matrix.

Unit 1: SIEM Strategy and Architecture

• Defining the business requirements and use cases for a SIEM.
• Comparison of traditional vs. cloud-native SIEM and data lake approaches.
• Key criteria for SIEM selection (scalability, TCO, use case coverage).
• Strategy for log source prioritization and ingestion planning.

• Designing a secure and scalable log collection infrastructure (e.g., agents, syslog, APIs).
• Data parsing, enrichment, and normalization best practices.
• Handling diverse log formats and unstructured data.
• Ensuring log integrity and compliance with retention policies.

Unit 2: Detection Engineering and Rule Creation

• Mapping detection coverage to the MITRE ATT&CK Framework.
• Developing high-fidelity correlation rules and use cases.
• Techniques for detecting multi-stage attacks and lateral movement.
• The role of statistical analysis and baselining in rule writing.

• Strategies for managing false positives and alert fatigue.
• Continuous tuning of correlation rules based on incident feedback.
• Using a risk-based scoring model to prioritize SIEM alerts.
• Developing a formal use case and rule management process.

Unit 3: Security Analytics and Advanced Detection

• Introduction to UEBA and its advantages over signature-based detection.
• Establishing baselines for normal user and device behavior.
• Detecting anomalies: insider threat, compromised accounts, data exfiltration.
• Integration of UEBA output with the SIEM for full context.

• Automating the ingestion and correlation of threat feeds into the SIEM.
• Writing correlation rules based on Indicators of Compromise (IOCs).
• Enriching SIEM events with tactical and operational threat intelligence.
• Measuring the success of TI integration in detection rates.

Unit 4: SIEM Operations and Incident Response Integration

• Health and performance monitoring of the SIEM infrastructure.
• License and cost management for high-volume data ingestion.
• Designing an efficient log search and investigation workflow.
• Best practices for data retention and archival to meet compliance needs.

• Developing clear incident response runbooks based on SIEM alerts.
• Integration of SIEM with Security Orchestration, Automation, and Response (SOAR).
• Automating enrichment and initial containment directly from SIEM alerts.
• Using SIEM data for forensic analysis and post-incident review.

Unit 5: Metrics and Future of Analytics

• Key Performance Indicators (KPIs) for SIEM effectiveness (e.g., rule coverage, false positive rate).
• Operational metrics: Mean Time to Detect (MTTD) and its components.
• Reporting SIEM performance and security posture to executive leadership.
• Justifying SIEM investment through measurable risk reduction.

• The evolution of behavioral analytics using machine learning.
• The role of Artificial Intelligence in automated threat detection.
• Securing data lake-based security analytics platforms.
• Integrating log data from cloud, container, and IoT sources.