Detection-as-Code

Ship detections through a pipeline, not a console

A detection written in a SIEM console has no history, no test, no review, and no rollback. When it breaks in production, nobody can tell you who changed it or why. This course teaches you to manage detection content the way a software team manages code: every rule version-controlled, peer-reviewed, automatically tested against committed fixtures, and deployed to your SIEM through a pipeline that proves it works before it reaches production. You write each rule once in Sigma and ship it to Sentinel, Splunk, or Elastic without clicking through a console.

Preview Course See Pricing

Course Agenda View all 1 modules

DC0

Course Orientation

Course overview

Detection-as-Code teaches you to operate detection content as engineered software. You build a working pipeline in your own GitHub account, from the first Sigma rule through automated SIEM deployment, and you keep everything you build. Learn how to:

✓ Write detections in Sigma and convert them to KQL, SPL, and Elastic with sigma-cli and pySigma

✓ Test every rule against committed true-positive fixtures and benign baseline before it reaches production

✓ Build a GitHub Actions CI workflow that lints, converts, tests, and blocks a non-passing rule from merging

✓ Deploy merged rules to Sentinel or Splunk automatically, with rollback when a rule misfires

✓ Track ATT&CK coverage from the repo and measure rule health from pipeline data

By the end you own a detection pipeline that answers who changed any rule, when, and why, and that proves every detection works before it ships.

Who this course is for

You are a detection engineer, SOC analyst, or security automation engineer who can already write a detection but manages rules by hand in a console. You want the engineering discipline around your detection content. Detection-engineering team leads building a sustainable programme belong here, as do platform engineers asked to stand up a detection pipeline. The course is self-contained, every concept explained at first use. It is for you if you want to:

✓ Stop managing detections by hand in a SIEM console and start shipping them through a reviewed, tested pipeline

✓ Write detections once and deploy them to whichever SIEM your organization runs

✓ Build a test harness that catches a broken rule before your SOC does

✓ Answer "what ATT&CK coverage do we actually have" from your rule inventory, not a spreadsheet

What you'll learn

By the end of Detection-as-Code you will be able to:

✓ Author Sigma rules using the full specification: logsources, field taxonomy, modifiers, and correlation

✓ Structure a detection repository with the rule/test/documentation contract enforced by layout

✓ Convert a Sigma rule to KQL, SPL, and Elastic queries using sigma-cli and pySigma pipelines

✓ Build fixture-based tests that assert a rule fires on its true-positive events and stays silent on benign baseline

✓ Write a GitHub Actions workflow that gates every PR on lint, conversion, and test results

✓ Deploy a merged detection to a live Sentinel or Splunk instance without console interaction

✓ Recognize where Sigma stops and a detection legitimately stays native KQL or SPL, and version that native rule through the same pipeline

✓ Generate an ATT&CK coverage layer from your repo and measure rule health from pipeline data

Key course takeaways

✓ A detection-as-code pipeline you built in your own GitHub and keep after the course

✓ The engineering discipline to ship detections the way a software team ships code: reviewed, tested, deployed, and measured

✓ The judgment to decide when a detection stays in Sigma and when it escapes to native query language

✓ The metrics and operating model that keep a detection programme healthy after the pipeline is running

Things you need to know

What are the prerequisites for this course?

Comfort reading a SIEM query (KQL or SPL), basic command-line use, and willingness to use Git. No prior Git, Sigma, or CI/CD experience is required. Each is taught at first use, and an experienced reader can skip past what they already know.

Do I need a SIEM?

Not for most of the course. The testing and CI modules work entirely against committed fixtures in your GitHub repository. The deployment module (M7) offers parallel tracks for Sentinel and Splunk so you can follow whichever platform you have. If you have neither, you still build and test the full pipeline; only the live-deployment step is deferred until you have a target.

How does this relate to SEC401 (Detection Engineering)?

SEC401 teaches you to author high-quality detections in Sentinel and KQL. SEC407 teaches you to manage detection content as code across any backend. A student can take either independently; together they cover authoring and operating. Neither is a prerequisite for the other.

How will the course benefit your career?

Detection-as-code is the direction every mature SOC is heading, and the practitioners who can stand up and operate the pipeline are in short supply. The vendor-neutral approach means the skill travels with you regardless of which SIEM an employer runs. You finish with a working pipeline you can demonstrate in an interview or deploy at your next organization.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0 | Last updated: June 2026

June 2026, v1.0: Course launch. 12 modules across 6 phases. Sigma-first, multi-backend detection-as-code: write each rule once in Sigma, convert to KQL, SPL, and Elastic via sigma-cli and pySigma, test against committed fixtures, gate on CI, deploy to a live SIEM through a pipeline, track ATT&CK coverage from the repo, and measure rule health from pipeline data. The student builds and keeps a working detection-as-code pipeline in their own GitHub.

This course is actively maintained.