Detection Engineering for Windows training
Detection engineering is a methodology to research, develop and improve your detection capabilities. The Detection Engineering for Windows training brings you up-to-speed in 4 half-day sessions.

Trainers: Olaf Hartong and Henri Hambartsumyan

Registration for this training is closed. We are currently preparing for the next training. Please follow us on LinkedIn or Twitter for new training dates.

Training description:

Building good analytics and automated detection capabilities requires a detailed understanding of attackers and their known or expected behavior. By understanding the different tools and techniques used by attackers and which indicators can be extracted from them, better detection capabilities can be developed. This process is called Detection Engineering, and it is a crucial aspect of being truly effective at discovering attackers in your network.

This instructor-led training covers the entire detection engineering cycle, guiding participants in defining a scope, researching the relevant (sub-)techniques, investigating which logs can be utilized, building the detection analytic, and validating the resilience of the analytic against evasion.

The training is highly interactive and strikes a good balance between theory and a lot of hands-on exercises, so that students get used to the detection engineering methodology and are prepared to start implementing it at their own organizations. Students are free to decide whether to perform the hands-on exercises using Splunk or Azure Sentinel. While the hands-on exercises focus predominantly on the endpoint, the methodology can be applied to any part of an infrastructure.

To allow maximum flexibility with your busy schedules, we have planned the training as 4 consecutive half-day sessions!

Students should be familiar with Windows and have basic PowerShell experience. Furthermore, at least some experience with Splunk or Azure Sentinel and their respective query languages is required. To connect to our lab environment, students must be able to use Microsoft RDP (Remote Desktop Protocol) over the Internet on TCP port 3389. Last but not least: the training will be facilitated via Discord and Zoom.

Training date & time:

This training is facilitated in 4 half-day sessions - 16 hours total.

Signing up and payment:

Interested in this training? The below link will take you to our event page. We use the TicketTailor platform for ticketing and payments.

Payments can be done by credit card directly on our TicketTailor event page.

Do you have any questions, inquiries or special requests (signing up multiple people from one company, private or on-site trainings)? Please contact us at

Overview of training contents:

  • Introduction
  • MITRE Caveats
  • Detection engineering principles & theory
  • Information resources and using threat information
  • Understanding your data
  • Developing hypotheses
  • Researching technology and techniques
  • Detection techniques
  • Creating analytics
  • (Open source) tooling
  • Resilient detections
  • Detection improvement and validation

Tools used:

  • Loads of Windows applications
  • PowerShell scripts
  • Splunk / Sentinel
  • Windows 10 Virtual Machine
  • Sysmon