Track 02 — Defensive Operations¶
Find attackers in the noise and respond before they reach their goal. Detection engineering, SIEM, log analysis, hunting, and incident response — treated as code: telemetry in, tested detections out, mapped to attacker behaviour.
What you'll be able to do¶
- Build a telemetry pipeline from host, network, and cloud into a searchable store.
- Write, test, and version detections mapped to MITRE ATT&CK.
- Hunt proactively across endpoint and network data.
- Triage and drive an incident from alert to root cause.
Modules¶
| # | Module | What you'll learn | OSS tools |
|---|---|---|---|
| 01 | Telemetry & Log Centralisation | What to collect and how to ship it | elastic, fluent-bit, vector |
| 02 | Windows & Endpoint Telemetry | Process/file/auth events worth alerting on | sysmon, wazuh |
| 03 | Linux Telemetry | Auditd and kernel-level visibility | auditd, osquery |
| 04 | Network Security Monitoring | Protocol logs and connection records | zeek, arkime |
| 05 | Intrusion Detection | Signature and anomaly detection on the wire | suricata |
| 06 | SIEM Fundamentals | Indexing, querying, and dashboards | elastic/kibana, wazuh |
| 07 | Log Parsing & Normalisation | Turning raw logs into a common schema | vector, logstash |
| 08 | Detection-as-Code | Writing portable rules in Sigma | sigma |
| 09 | Detection Testing & Tuning | Validating coverage, cutting false positives | Atomic Red Team |
| 10 | ATT&CK Mapping & Coverage | Measuring and closing detection gaps | ATT&CK Navigator |
| 11 | Threat Hunting — Endpoint | Hypothesis-driven host hunting | osquery, velociraptor |
| 12 | Threat Hunting — Network | Hunting across protocol and flow data | zeek, jupyter |
| 13 | PowerShell Logging & Hunting | Script-block/module logging and hunting PowerShell abuse | pwsh, chainsaw, sigma |
| 14 | Alert Triage & Incident Response | A repeatable process from alert to verdict | TheHive |
| 15 | Threat Intelligence | Managing IOCs and enriching detections | MISP, OpenCTI |
| 16 | Response Automation (SOAR primer) | Automating enrich → contain → ticket | Shuffle |
| 17 | KEV-Driven Defense | Operationalise CISA KEV: exploit a current entry, then detect it | Vulhub, sigma |
Phases & projects¶
The modules run in three phases; each ends in a project that integrates its modules.
- Phase 1 · Get the data (01–07) — Project: a working telemetry pipeline that ingests host and network data into a searchable SIEM, with a real attack dataset flowing through it.
- Phase 2 · Find the attacker (08–13) — Project: a set of detections-as-code mapped to MITRE ATT&CK, tested against a real attack dataset, plus one documented threat hunt.
- Phase 3 · Respond & stay current (14–17) — Project: an incident handled from alert to root cause, with an automated enrich → contain → ticket step, plus a KEV-driven coverage loop (exploit a current exploited-in-the-wild CVE and ship the detection for it) — the track capstone.
Standalone by design. Every detection lab here sources a real public dataset (and a generate-it-here option), so you can complete this track without having done Offensive. If you did do Track 01, bring your own attack artifacts instead — same skill.
Prerequisites¶
Complete Track 00 — Foundations first.
Labs use open-source tooling and free sample datasets (Malware-Traffic-Analysis.net, public PCAPs, EVTX-ATTACK-SAMPLES). Only analyse data you're authorised to handle.
Capstone¶
Stand up a telemetry pipeline, simulate an attack (Atomic Red Team or a replayed PCAP), and catch it: ship the logs, write the detection-as-code mapped to ATT&CK, and produce an incident write-up from alert to root cause. Deliverable: the tested detections plus the investigation.
The starter scaffold and acceptance checks live in
plaintext-labs/defensive/capstone/.
Capstone rubric¶
You must catch the attack you simulate and follow it from alert to root cause. Proficient is the bar to ship.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| Telemetry pipeline | Logs from one source, not searchable | Host and network telemetry flowing into a searchable store | Pipeline reproducible as code; parsing normalised to a common schema |
| Detection-as-code | A rule that only matches the demo data | A versioned detection (Sigma) mapped to ATT&CK that fires on the simulated attack | Validated against benign data for false positives; tuning rationale documented |
| The catch | Attack ran but wasn't detected | The simulated attack (Atomic Red Team / replayed PCAP) is caught by your detection | Detection catches the technique, not the exact sample — proven on a variation |
| Investigation | Alert noted, no follow-through | Triaged alert → root cause, with the supporting events cited | Full alert→containment narrative; what the attacker did and what they didn't |
| Write-up & automation | Manual, undocumented | A repeatable process and an incident write-up | An automated enrich→ticket step closes the loop; the whole thing re-runs |
AI & automation¶
A small local model triages and classifies log lines cheaply at volume; a frontier model drafts an incident narrative or a Sigma rule. The skill is review: a generated detection with broken logic ships false confidence, and automation that buries a real signal is worse than none. AI authors the rule — you map it to ATT&CK, test it, and own the alert.
Standards & further reading¶
- MITRE ATT&CK and the ATT&CK Navigator
- Sigma rule specification
- NIST SP 800-61 (Incident Handling Guide)
- The Pyramid of Pain
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).