Learning path
Coming Soon

Threat Detection and Incident Response: Precision in Practice

Skill Level
Intermediate
Duration 4 hours 20 minutes
Updated Apr 29, 2025

About this learning path

This intermediate learning path builds on the fundamentals by equipping SOC analysts with the skills to investigate early-stage attacks using XDR, correlate endpoint and network telemetry, and respond with precision. Through hands-on labs featuring CrowdStrike Falcon, Security Onion, and SOAR automation, learners will detect fileless malware, analyze identity-based threats, contain credential abuse, and fine-tune noisy detections — all while thinking and acting like a Tier 2 analyst in a real-world SOC environment.

Prerequisites

  1. ✅ Completed the Threat Detection and Incident Response Essentials learning path, or possess equivalent foundational knowledge
  2. ✅ Basic understanding of endpoint security concepts, including malware execution, PowerShell abuse, and phishing techniques
  3. ✅ Familiarity with CrowdStrike Falcon XDR interface and core detection workflows
  4. ✅ Awareness of MITRE ATT&CK tactics and techniques (e.g., Initial Access, Credential Access, Lateral Movement)
  5. ✅ Comfort navigating Windows and Linux operating systems, especially command-line usage
  6. ✅ Introductory experience with network security concepts, such as DNS, HTTP, and lateral movement visibility
  7. ✅ Optional: Basic exposure to Security Onion or Suricata/Zeek logs will be helpful for correlating alerts

What you'll learn

  1. 🧠 Validate behavioral detections in CrowdStrike Falcon XDR and distinguish real threats from false positives
  2. 🔍 Investigate early-stage attacks involving encoded PowerShell, fileless malware, and LOLBins
  3. 🧑‍💻 Analyze process lineage and command-line arguments to uncover attacker techniques and objectives
  4. 🔐 Detect credential theft and identity-based abuse, including Mimikatz, Kerberoasting, and Pass-the-Hash
  5. 🌐 Correlate endpoint and network telemetry, using Zeek and Suricata logs from Security Onion
  6. ⚙️ Automate incident response actions using Falcon SOAR, including containment and credential resets
  7. 📈 Fine-tune detection rules (Sigma, YARA, Suricata) to reduce alert noise and improve SOC efficiency
  8. 🧾 Document incident response workflows and contribute to SOC-wide IR playbooks and continuous improvement

This learning path is in the final stages of development and will be available soon.

  1. Advanced Threat Detection (XDR & EDR-Focused Approach)
    1. Investigating Early-Stage Endpoint Threats with XDR (Article)
    2. Investigating Malicious PowerShell Execution with CrowdStrike Falcon (Lab)
  2. SOC Collaboration, Escalation & Automated Response
    1. Automating Incident Response with SOAR – From Alert to Action (Article)
  3. Conclusion
    1. Learning Path Complete (Achievement Badge)