
Alerts to Adversaries

Advanced Alert Investigation for Tomorrow's Threats.

Check out our live stream, where Jonathan Johnson, the course creator and instructor, discusses Alert Classification and reveals this course!

This snippet gives a sense of what Jonny's teaching is like and the knowledge the course has to offer!

"As someone who's worked side-by-side with Jonny, his consistent ability to communicate nuanced security concepts sets him apart. His talks blend Windows internals, contagious enthusiasm, and actionable detection content. After each talk I left feeling smarter and better equipped to approach my own work. I can't recommend Jonny's trainings enough for anyone with the opportunity."
Brandon Dalton
@PartyD0lphin
"Jonathan brings his years of Windows expertise and experience developing defensive solutions to the forefront in his teaching. The breadth of his background and care towards each student creates a positive learning environment for anyone who takes his course."
Evan McBroom
@mcbroom_evan
"Jonathan Johnson’s content is the perfect blend of deep technical research and real-world program-building wisdom. He not only demystifies adversarial tradecraft and telemetry, but also shows how to translate detection concepts into a scalable, strategic vision for maturing security programs. It’s rare to find someone who can bridge that gap so effectively."
Andrew Schwartz
@4ndr3w6s
"Jonny and I taught dozens of classes together over several years. Jonny is an adept instructor with excellent communication skills with students, often spending time after class to continue chatting about topics of interest or in-depth questions. Even during overnight or off-hours classes, Jonny brings an unparalleled level of enthusiasm and deep research background to every session. In addition to instructing, Jonny has background and experience in content creation and development, both in slide and long-form-blog format. I wouldn't hesitate to teach with him again, and cannot recommend him enough as a resource for learning in the future."
Luke Paine
@v3r5ace

1st Live Cohort is Fall 2025. Date coming soon!

Seats are limited to 25 students and are allocated first come, first served.

Course Description

This is an advanced course for security analysts and engineers that goes beyond basic alert triage, equipping you with advanced techniques for alert investigation, event correlation, and adversary tracking across host and network environments.

By the end of this course, you will be able to:

  • Analyze and correlate security events to detect sophisticated cyber threats and attack patterns.

  • Leverage threat intelligence for proactive defense and adversary profiling.

  • Utilize advanced analysis tools for host, process, registry, and network investigation.

  • Apply MITRE ATT&CK frameworks, TTPs, and adversary emulation techniques for predictive defense.

  • Implement strategic methodologies for building detection capabilities and analytical workflows.

  • Execute advanced analytical practices to improve investigation efficiency and accuracy.

  • Introductions
  • Course Goals/Setup
  • Lab 1: Setup
  • SOC Methodology
  • Alert Classification
  • SOC and Detection Lifecycle
  • Lab 2: Discovering MITRE ATT&CK
  • Detection Engineering
  • Operational Drift
  • SOC Maturity Model
  • Walkthrough of a SOC Maturity Model
  • Lab 3: Build Your Own SOC Maturity Model
  • Introduction to Alert Investigation
  • Alert Fatigue
  • Classification Bias
  • Lab 4: Microsoft Sentinel Setup
  • Host-Based Alerting
  • Introduction into Processes
  • Lab 5: Discovering Processes
  • Lab 6: Process Examination
  • Examining Processes
  • Lab 7: Investigate a Process Alert
  • Introduction into Threads
  • Thread Actions
  • Lab 8: Thread Examination
  • Lab 9: Investigate a Thread Alert
  • Introduction into Files
  • Introduction into the Registry
  • Lab 11: Registry Examination
  • Lab 12: Investigate a Registry Alert
  • Introduction into Scripting
  • Lab 13: Analyzing a Script-Based Alert
  • Network-Based Alerting
  • Networking Basics
  • Lab 14: Examining Network Data
  • Host-Based Network Logs
  • Network Directions
  • Lab 15: Investigate a Network Alert
  • Introduction into Correlation
  • Interprocess Communication
  • Lab 16: Investigate a Named Pipe Alert
  • Correlation Types
  • Parent/Child Correlation
  • Logon Session Correlation
  • Transitional Correlation
  • Lab 17: Identify the Bad Outside of the Alert
  • Advanced SOC Processes
  • Alert Correlation & Playbooks
  • Feedback Loops
  • Lab 19: Alert Feedback

The SOC Endgame Capstone is a comprehensive, multi-day culminating exercise where students apply all skills learned throughout the course to conduct real-world SOC analyst operations. You will assume the role of a SOC analyst team tasked with investigating a complex, multi-stage attack across an enterprise-like environment, correlating alerts, discovering hidden malicious activity, and providing comprehensive incident response recommendations.

This capstone simulates a realistic enterprise compromise scenario where multiple attack vectors, persistence mechanisms, and lateral movement techniques have been employed across a domain environment. Students must demonstrate proficiency in alert investigation and incident correlation while working under time pressure with potentially incomplete or misleading information.

Students who successfully complete Capstone: Project SOC Endgame will be awarded a Certification.

Students will be faced with multiple alerts from various sources. They will need to:

  1. Correlate and classify alerts

  2. Find other malicious activity that did not fire alerts

  3. Write up the incident, covering:

    • Maliciously Classified Alerts

    • Other activity identified

    • Detection Logic

    • Feedback (new and existing)

    • Playbook Generation Ideas

    • Containment Strategy

Live instruction is capped to 25 students maximum.

Each day of class will be 7-8 hours including breaks. You will go through lectures and labs. The days will be very practical and lab heavy.

Please plan accordingly.

You will retain access for 1 week after the live course ends.

A full time table will be provided closer to the start date.

This course is targeted at SOC Tier 1 Analysts and up, as well as Technical Leadership that supports or manages Security Operations, or any role adjacent to it.

At a technical level, we recommend having at least completed:

and being familiar, at a minimum, with the content in:

Help is provided during class and in your private Discord channels for the duration of your training and up to 1 week after.

Your channel will be in the Level Effect Discord community.

$2500

CDA Live or On-Demand students receive a $250 discount, paying $2250.

You invest, we invest.

Your Instructor - Jonny Johnson

Founder of Johnson Security Research LLC and Principal EDR Product Researcher at Huntress.

Formerly:

  • Sr. Detection Engineering Consultant at SpecterOps

  • Sr. Threat Researcher at RedCanary

  • Sr. Threat Researcher at BinaryDefense

Interests: Windows Internals, Extracting and Exposing Telemetry, Reverse Engineering, Detection Engineering

Open-Source Author/Contributor: Atomic Test Harnesses, The Defender’s Guide, MSRPC-To-ATT&CK, TelemetrySource, JonMon


Zone identifier analysis
Forensic threat intelligence artifact analysis showing metadata related to a downloaded file, specifically the Zone.Identifier alternate data stream (ADS).
Process and thread creation analysis
Thread examination can be used to track process creation events, highlighting a PowerShell process spawning cmd.exe with detailed event metadata such as command line, PID, and timestamp.
Sentinel: Dumping LSASS
A high-severity incident alert in Microsoft Sentinel titled "Suspected Dumping LSASS," indicating potential credential dumping activity using tools like procdump or rundll32 comsvcs.dll.
Classification Bias
A cognitive bias where SOC analysts approach alerts with a predetermined conclusion (malicious or benign), which can distort evidence interpretation and lead to misclassification.
Examining Processes
Process creation activity showing that jkli.exe (from C:\Temp) with a network connection spawned rundll32.exe, which in turn launched whoami /all, suggesting suspicious process behavior chaining.
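As an added illustration of the parent/child correlation the caption above describes (example code written for this page, not part of the course materials), the following Python indexes constructed process-creation and network-connection events, walks the ancestry of a whoami alert, and reports the chain only when an ancestor was launched from a staging path such as C:\Temp and also made a network connection. The event fields, PIDs, the staging-path list and the 203.0.113.10 address are all constructed assumptions for the example.

```python
# Constructed telemetry, loosely modelled on process-create and network-connect
# events; PIDs, paths and the TEST-NET address are made up for this example.
EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 812,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 5204, "ppid": 4120, "image": r"C:\Temp\jkli.exe", "cmd": "jkli.exe"},
    {"type": "network", "pid": 5204, "dest": "203.0.113.10:443"},
    {"type": "process", "pid": 5310, "ppid": 5204, "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe"},
    {"type": "process", "pid": 5322, "ppid": 5310, "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all"},
    {"type": "process", "pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Paths treated as user-writable staging locations (constructed list for the example).
STAGING_PREFIXES = ("c:\\temp\\", "c:\\users\\public\\")


def index_events(events):
    """Index process events by PID and collect PIDs that made outbound connections."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net_pids = {e["pid"] for e in events if e["type"] == "network"}
    return procs, net_pids


def ancestry(procs, pid):
    """Walk ppid links from pid up to the root (or an unknown parent), child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def suspicious_chain(events, alert_pid):
    """Return the command lines, root first, when an ancestor of alert_pid ran from a
    staging path and also had a network connection; otherwise return an empty list."""
    procs, net_pids = index_events(events)
    chain = ancestry(procs, alert_pid)
    for proc in chain[1:]:                     # skip the alerting process itself
        image = proc["image"].lower()
        if image.startswith(STAGING_PREFIXES) and proc["pid"] in net_pids:
            return [p["cmd"] for p in reversed(chain)]
    return []


if __name__ == "__main__":
    print(" -> ".join(suspicious_chain(EVENTS, 5322)))   # whoami alert: chain found
    print(suspicious_chain(EVENTS, 6001))                 # notepad alert: no chain
```

The same walk applies to the PowerShell-to-cmd.exe case in the thread caption: replace the staging-path test with whatever ancestor condition the alert's playbook calls for.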
