This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
GCDA
The GIAC Certified Detection Analyst (GCDA) exam validates expertise in SIEM architecture, detection engineering, log parsing, and Sigma rule creation, preparing professionals to design and implement effective threat detection solutions.
Who Should Take This
This course is intended for security analysts, SOC engineers, and detection engineers with three to five years of hands-on experience in security operations who want to deepen their knowledge of detection logic, SIEM tuning, and real-world use case development, advance their careers, and demonstrate that mastery to employers.
What's Covered
Domain 1: SIEM Architecture and Analytics
Domain 2: Detection Engineering
Domain 3: Log Collection and Parsing
Domain 4: Threat Detection Use Cases
Domain 5: Sigma Rules and Detection Logic
Domain 6: Security Data Visualization and Dashboards
What's Included in AccelaStudy® AI
Course Outline
62 learning goals
Domain 1: SIEM Architecture and Analytics
2 topics
SIEM Platform Architecture
- Describe SIEM architecture components including log collectors, message brokers, indexers, search engines, and presentation layers and identify scalability considerations for each.
- Describe the Elastic Stack architecture including Elasticsearch cluster design, Logstash pipeline configuration, Kibana visualization, and Beats agent deployment for security monitoring.
- Apply SIEM sizing and capacity planning principles including events per second estimation, storage retention calculations, and index lifecycle management policies.
- Configure SIEM data ingestion pipelines including input configuration, message queue integration, and data routing for multi-tenant and distributed environments.
- Evaluate SIEM platform health metrics including ingestion rates, search performance, storage utilization, and alert processing latency to identify operational bottlenecks.
Security Analytics Fundamentals
- Describe security analytics approaches including rule-based detection, statistical anomaly detection, threshold-based alerting, and behavioral baselining for threat identification.
- Apply search query syntax in the Elastic Stack (KQL in Kibana, Lucene query strings in Elasticsearch) and in Splunk (SPL) to construct targeted searches for security events across indexed log data.
- Apply aggregation and statistical functions to security data including event counting, cardinality analysis, percentile calculations, and time-series trend identification.
- Analyze security event patterns using correlation searches to identify multi-stage attacks spanning multiple log sources and time windows.
Domain 2: Detection Engineering
3 topics
Detection Lifecycle Management
- Describe the detection engineering lifecycle including requirements gathering, rule development, testing, deployment, tuning, and retirement of detection content.
- Apply detection-as-code principles including version-controlled rule repositories, CI/CD pipelines for detection deployment, and automated testing frameworks for rule validation.
- Evaluate detection rule quality metrics including true positive rate, false positive rate, mean time to detect, and detection coverage against MITRE ATT&CK techniques.
MITRE ATT&CK Framework Integration
- Describe the MITRE ATT&CK framework structure including tactics, techniques, sub-techniques, and procedures and identify how it maps to real-world adversary behavior.
- Apply ATT&CK technique mapping to existing detection rules to build a coverage heat map and identify gaps in detection capabilities across the attack lifecycle.
- Analyze ATT&CK coverage gaps to prioritize new detection rule development based on threat intelligence, organizational risk profile, and adversary technique prevalence.
Alert Triage and Tuning
- Describe alert triage workflows including initial assessment, enrichment, investigation, escalation, and closure and identify metrics for measuring triage efficiency.
- Apply alert tuning techniques including whitelist management, threshold adjustment, exclusion pattern development, and risk-based scoring to reduce false positive rates.
- Evaluate alert fatigue indicators and recommend operational improvements including alert consolidation, risk scoring implementation, and tier-based escalation procedures.
Domain 3: Log Collection and Parsing
3 topics
Log Source Onboarding
- Describe critical security log sources including Windows Event Logs, Linux audit logs, firewall logs, proxy logs, DNS logs, authentication logs, and cloud audit trails.
- Configure Windows Event Log collection using Windows Event Forwarding, Sysmon deployment, and audit policy configuration to capture security-relevant events.
- Configure Linux log collection using rsyslog, journald, and auditd including audit rule creation for monitoring file access, process execution, and privilege changes.
- Evaluate log source coverage to identify critical visibility gaps including missing endpoint telemetry, uncollected network logs, and unmonitored cloud services.
Log Parsing and Normalization
- Describe log formats including JSON, CEF, LEEF, syslog RFC 5424, Windows XML Event Log, and CSV and identify the parsing requirements for each format.
- Create Logstash filter configurations using Grok patterns, mutate filters, date parsing, and GeoIP enrichment to transform raw log data into structured security events.
- Apply field normalization techniques using common information models such as Elastic Common Schema and OCSF to standardize event fields across disparate log sources.
- Analyze parsing failures and field extraction errors to identify misconfigured parsers, unexpected log format changes, and data quality issues affecting detection accuracy.
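As an added example (not course material), the following Python turns three of the formats above into ECS-named events and keeps parse failures visible instead of dropping them, which is the signal the last objective asks you to monitor. The log lines are constructed; the ECS field names are real, while the JSON-to-ECS mapping, the hypothetical "Acme" firewall CEF record and the `cef.extensions.*` namespace for unmapped keys are assumptions of this example.

```python
"""Normalize syslog (RFC 5424), CEF and JSON log lines into ECS field names.

Added example, not part of the course. The log lines are constructed; the ECS
field names are real ECS fields, but the per-source mapping choices are this
example's own assumptions, as is the JSON_TO_ECS map for the audit-style record.
"""
import json
import re
from datetime import datetime

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# CEF: exactly seven pipe-delimited header fields, then a free-form extension block.
CEF_HEADER_RE = re.compile(r"^CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# Extension values may contain spaces, so each value runs lazily up to the next ' key='.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
CEF_TO_ECS = {"src": "source.ip", "dst": "destination.ip", "spt": "source.port",
              "dpt": "destination.port", "suser": "source.user.name", "msg": "message"}
JSON_TO_ECS = {"eventTime": "@timestamp", "eventName": "event.action",
               "userName": "user.name", "sourceIPAddress": "source.ip"}


def _rfc3339(ts):
    # RFC 5424 timestamps are RFC 3339; fromisoformat() accepts a trailing 'Z' only on 3.11+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).isoformat()


def parse_syslog(line):
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not RFC 5424 (BSD syslog or a malformed header)")
    pri = int(m["pri"])  # PRI encodes facility * 8 + severity
    return {"@timestamp": _rfc3339(m["ts"]), "host.hostname": m["host"], "process.name": m["app"],
            "process.pid": None if m["procid"] == "-" else int(m["procid"]),
            "log.syslog.facility.code": pri // 8, "log.syslog.severity.code": pri % 8,
            "message": m["msg"] or ""}


def parse_cef(line):
    m = CEF_HEADER_RE.match(line)
    if not m:
        raise ValueError("not CEF (header needs seven '|' fields)")
    _, vendor, product, version, sig, name, severity, ext = m.groups()
    event = {"observer.vendor": vendor, "observer.product": product, "observer.version": version,
             "event.code": sig, "event.action": name,
             "event.severity": int(severity) if severity.isdigit() else severity}
    for key, value in CEF_EXT_RE.findall(ext):
        ecs = CEF_TO_ECS.get(key, f"cef.extensions.{key}")  # unmapped keys kept under a namespace
        event[ecs] = int(value) if ecs.endswith(".port") else value
    return event


def parse_json(line):
    obj = json.loads(line)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(obj, dict):
        raise ValueError("JSON document is not an object")
    return {JSON_TO_ECS.get(k, k): v for k, v in obj.items()}


def normalize(line):
    """Route a raw line to a parser; a failure is tagged and kept, never silently dropped."""
    line = line.strip()
    try:
        if line.startswith("<"):
            event = parse_syslog(line)
        elif line.startswith("CEF:"):
            event = parse_cef(line)
        elif line.startswith("{"):
            event = parse_json(line)
        else:
            raise ValueError("unrecognized format")
    except ValueError as exc:
        # Logstash's convention: tag the event so a data-quality dashboard can count it.
        return {"event.original": line, "tags": ["_grokparsefailure"], "error.message": str(exc)}
    event["event.original"] = line
    return event


def parse_failure_rate(lines):
    """Share of lines that failed parsing: the data-quality signal to watch after a source change."""
    events = [normalize(l) for l in lines]
    return sum("_grokparsefailure" in e.get("tags", []) for e in events) / len(events)


SAMPLE_LINES = [  # constructed, not real telemetry
    "<86>1 2024-03-01T12:00:00Z bastion01 sshd 4242 - - Accepted publickey for alice from 10.0.0.5 port 52310 ssh2",
    "CEF:0|Acme|Firewall|3.1|100|Connection denied|5|src=10.0.0.5 dst=192.0.2.10 dpt=445 msg=Blocked SMB to DMZ host",
    '{"eventTime": "2024-03-01T12:01:00Z", "eventName": "AttachUserPolicy", "userName": "alice", "sourceIPAddress": "198.51.100.7"}',
    "Mar  1 12:02:00 legacy-box kernel: BSD-style syslog from an appliance nobody upgraded",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(f"parse failure rate: {parse_failure_rate(SAMPLE_LINES):.0%}")
```

Two details matter in practice: the CEF extension regex stops each value at the next ` key=` so values containing spaces survive intact, and an unrecognized line is tagged `_grokparsefailure` (Logstash's own convention) and kept, so the 25% failure rate on the sample shows up as a number on a dashboard rather than as silently missing events.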
Log Enrichment and Context
- Describe log enrichment techniques including asset inventory lookup, user identity correlation, geolocation tagging, threat intelligence matching, and risk score assignment.
- Configure log enrichment pipelines using lookup tables, external API integrations, and CMDB feeds to add contextual information for improved alert triage and investigation.
- Evaluate enrichment data quality by assessing completeness, accuracy, and freshness of asset inventories, user directories, and threat intelligence feeds.
Domain 4: Threat Detection Use Cases
4 topics
Identity and Authentication Detection
- Describe detection use cases for credential-based attacks including brute force, password spraying, credential stuffing, and golden ticket attacks using Windows Security Event IDs.
- Create detection rules for suspicious authentication patterns including impossible travel, concurrent sessions from multiple locations, and off-hours privileged account usage.
- Analyze authentication event sequences to identify account compromise indicators including failed-then-success patterns, service account anomalies, and privilege escalation chains.
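As an added example that is not course material, the following Python runs two of the detections named above, password spraying and failed-then-success, over constructed Windows Security events (EventID 4625 failed logon, 4624 logon, with SubStatus 0xC000006A for a wrong password against an existing account). The thresholds and time windows are this example's starting values, not course or vendor recommendations.

```python
"""Authentication detections over Windows Security events: spraying and failed-then-success.

Added example, not course material. The events are constructed and use the
Security log's EventData field names (EventID 4625 failed logon, 4624 logon,
SubStatus 0xC000006A bad password, 0xC0000064 unknown account). Thresholds
and window sizes are this example's own starting points, not course values.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, user, ip, logon_type=3, sub_status=None):
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "SubStatus": sub_status}


EVENTS = sorted([  # constructed telemetry
    # one external source, six different accounts, one bad password each: a spray
    *[ev(f"2024-03-01T02:0{i}:10", 4625, u, "203.0.113.9", sub_status="0xC000006A")
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # three quick failures against a service account, then an RDP (LogonType 10) success
    ev("2024-03-01T08:15:00", 4625, "svc_backup", "198.51.100.23", sub_status="0xC000006A"),
    ev("2024-03-01T08:15:20", 4625, "svc_backup", "198.51.100.23", sub_status="0xC000006A"),
    ev("2024-03-01T08:15:40", 4625, "svc_backup", "198.51.100.23", sub_status="0xC000006A"),
    ev("2024-03-01T08:16:05", 4624, "svc_backup", "198.51.100.23", logon_type=10),
    # a user mistyping once, then logging on at the console: below every threshold
    ev("2024-03-01T09:00:00", 4625, "grace", "10.0.0.12", logon_type=2, sub_status="0xC000006A"),
    ev("2024-03-01T09:00:30", 4624, "grace", "10.0.0.12", logon_type=2),
], key=lambda e: e["TimeCreated"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against many *distinct* accounts inside a sliding window.

    Counting distinct TargetUserName values rather than raw failures is what separates a
    spray (few attempts per account, many accounts) from a single-account brute force.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():  # input is time-sorted, so each per-source list is too
        start, in_window = 0, defaultdict(int)  # account -> failures inside the window
        for e in fails:
            in_window[e["TargetUserName"]] += 1
            while e["TimeCreated"] - fails[start]["TimeCreated"] > window:
                old = fails[start]["TargetUserName"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                alerts.append({"rule": "password_spray", "source.ip": ip,
                               "accounts": sorted(in_window), "window_end": e["TimeCreated"]})
                break  # one alert per source here; production rules re-arm after the window
    return alerts


def detect_failed_then_success(events, window=timedelta(minutes=5), min_failures=3):
    """Bad-password failures for one (source, account) pair followed by a 4624 for the same pair."""
    recent = defaultdict(list)  # (ip, account) -> times of recent bad-password failures
    alerts = []
    for e in events:
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625 and e["SubStatus"] == "0xC000006A":
            recent[key].append(e["TimeCreated"])
        elif e["EventID"] == 4624:
            fails = [t for t in recent[key] if e["TimeCreated"] - t <= window]
            if len(fails) >= min_failures:
                alerts.append({"rule": "failed_then_success", "source.ip": e["IpAddress"],
                               "user.name": e["TargetUserName"], "failures": len(fails),
                               "logon_type": e["LogonType"]})
            recent[key].clear()  # a success resets the sequence for that pair
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS) + detect_failed_then_success(EVENTS):
        print(alert)
```

The spray rule keys on distinct accounts per source inside a sliding window, so six single failures from one address alert while a user fumbling one password does not. Restricting the failed-then-success rule to SubStatus 0xC000006A keeps unknown-account noise (0xC0000064) out of the failure count, and the LogonType of the success is carried into the alert because a RemoteInteractive (10) success after failures changes the triage priority.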
Endpoint Detection Use Cases
- Describe Sysmon event types including process creation, network connections, file creation, registry modifications, and DNS queries and identify their detection applications.
- Create detection rules for process-based attacks including suspicious parent-child process relationships, living-off-the-land binary abuse, and PowerShell obfuscation techniques.
- Apply detection rules for persistence mechanisms including scheduled task creation, service installation, registry run key modification, and WMI event subscription establishment.
- Analyze endpoint telemetry to detect lateral movement including remote service creation, WMI process execution, PSRemoting sessions, and RDP connection anomalies.
Network Detection Use Cases
- Describe network-based detection use cases including DNS exfiltration, beaconing detection, unusual port usage, and internal network scanning activity patterns.
- Create detection rules for command and control communication patterns including periodic beaconing intervals, JA3 hash matching, and connections to newly registered domains.
- Analyze network flow data to identify data exfiltration indicators including abnormal upload volumes, connections to unusual geographic locations, and protocol tunneling.
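The beaconing-interval objective above, as an added example that is not course material: the Python below groups constructed flow records by (source, destination, port), computes inter-arrival statistics, and flags series whose coefficient of variation is low across enough connections. The thresholds and the ECS-named flow fields are this example's assumptions.

```python
"""Beaconing detection from flow records: regular inter-arrival intervals per destination.

Added example, not course material. Flow records are constructed; the ECS names
(source.ip, destination.ip, destination.port, @timestamp) are real, and the
thresholds (connection count, coefficient of variation, minimum interval) are
this example's own starting points to be tuned against local traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def interval_stats(timestamps):
    """Inter-arrival statistics for one connection series; None when fewer than 3 connections."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    # Coefficient of variation: jitter relative to the period. A hand-driven client is
    # bursty (cv well above 1); an implant sleeping N seconds with small jitter stays low.
    return {"count": len(ts), "median_interval_s": median(gaps), "cv": pstdev(gaps) / mu if mu else 0.0}


def detect_beacons(flows, min_connections=8, max_cv=0.25, min_interval_s=5.0):
    """Flag (src, dst, port) series that are long enough and regular enough to look scheduled."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["source.ip"], f["destination.ip"], f["destination.port"])].append(f["@timestamp"])
    alerts = []
    for (src, dst, dport), ts in by_pair.items():
        s = interval_stats(ts)
        if s and s["count"] >= min_connections and s["cv"] <= max_cv and s["median_interval_s"] >= min_interval_s:
            alerts.append({"rule": "periodic_beacon", "source.ip": src, "destination.ip": dst,
                           "destination.port": dport, **s})
    return alerts


def make_flows(src, dst, dport, start, gaps_s):
    """Build a connection series from a start time and the gaps (seconds) between connections."""
    flows, t = [], start
    for gap in [0] + list(gaps_s):
        t += timedelta(seconds=gap)
        flows.append({"@timestamp": t, "source.ip": src, "destination.ip": dst, "destination.port": dport})
    return flows


T0 = datetime(2024, 3, 1, 9, 0, 0)
FLOWS = (  # constructed, not real flow data
    # 12 connections about 60 s apart with a few seconds of jitter: implant-like
    make_flows("10.0.0.23", "203.0.113.50", 443, T0, [60, 62, 58, 61, 60, 59, 63, 60, 57, 61, 60])
    # 10 connections at human-driven, bursty intervals
    + make_flows("10.0.0.31", "198.51.100.20", 443, T0, [5, 120, 3, 600, 45, 2, 900, 7, 60])
    # perfectly regular but only 4 connections: below min_connections, so not reported
    + make_flows("10.0.0.23", "10.0.0.5", 53, T0, [30, 30, 30])
)

if __name__ == "__main__":
    for alert in detect_beacons(FLOWS):
        print(alert)
```

The minimum-connection threshold does real work: the DNS series is perfectly regular but too short to conclude anything, and lowering `min_connections` to 4 promotes it to an alert. Real implants add jitter and sleep randomization, so `max_cv` is a tuning knob to be set against observed traffic, not a constant.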
Cloud and Application Detection
- Describe cloud detection use cases including unauthorized API calls, IAM policy modifications, security group changes, and resource creation in non-approved regions.
- Create detection rules for cloud security events using AWS CloudTrail, Azure Activity Logs, and GCP Cloud Audit Logs to identify privilege escalation and resource tampering.
- Evaluate cloud detection coverage to identify monitoring gaps across IaaS, PaaS, and SaaS environments and recommend additional log sources and detection rules.
Domain 5: Sigma Rules and Detection Logic
3 topics
Sigma Rule Development
- Describe Sigma rule specification including YAML structure, logsource definitions, detection sections, condition operators, and metadata fields such as level and status.
- Create Sigma rules using selection and filter search identifiers, value lists, and time-windowed correlation (event count, value count, and temporal correlation) to detect specific attack techniques across log sources.
- Apply Sigma value modifiers (contains, startswith, endswith, re, all) together with wildcards, value lists, and the 1 of / all of condition keywords to create flexible detection patterns.
- Evaluate Sigma rule quality by testing against sample data, assessing false positive potential, and validating ATT&CK technique coverage alignment.
Sigma Rule Conversion and Deployment
- Describe Sigma rule conversion using sigma-cli and pySigma to generate platform-specific queries for Elasticsearch, Splunk, Microsoft Sentinel, and other SIEM backends.
- Apply Sigma field mapping configurations to translate generic Sigma field names to platform-specific field names for accurate rule conversion across SIEM products.
- Configure automated Sigma rule deployment pipelines including rule repository synchronization, conversion automation, and deployment validation for continuous detection updates.
- Analyze conversion output discrepancies to identify field mapping errors, unsupported modifiers, and logic translation failures between Sigma and target SIEM query languages.
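Both the rule-structure objectives in Sigma Rule Development (selections, filters, modifiers, condition) and the field-mapping objective above, as one added example that is not course material and is not pySigma: a minimal evaluator that applies a generic-to-ECS field map and runs a Sigma-shaped rule over constructed process_creation events. The rule is illustrative and not from the public Sigma repository; `FIELD_MAP`, the sample events and the approved-macro filter path are assumptions of this example. It supports the contains, startswith, endswith and all modifiers plus wildcards, but not the re or base64 modifiers.

```python
"""Minimal Sigma evaluator: selections, filters, value modifiers and a condition over
field-mapped events. Added example, not course material and not pySigma (which is
what production pipelines use). The rule mirrors Sigma YAML as a Python dict so no
YAML library is needed; FIELD_MAP (generic Sigma field names to ECS process.* fields)
and the sample events are this example's own constructions.
"""
import fnmatch
import re

RULE = {  # illustrative rule; same keys as the Sigma YAML: title, status, level, logsource, detection
    "title": "Office Application Spawning Encoded PowerShell",
    "status": "experimental", "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_parent": {"ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"]},
        "selection_child": {"Image|endswith": "\\powershell.exe",
                            "CommandLine|contains|all": ["-nop", "-enc"]},
        "filter_approved": {"ParentCommandLine|contains": "\\Corp\\Macros\\approved.dotm"},
        "condition": "all of selection_* and not filter_approved",
    },
}
# Generic Sigma field names -> ECS names, the per-backend job of a pySigma processing pipeline.
FIELD_MAP = {"Image": "process.executable", "ParentImage": "process.parent.executable",
             "CommandLine": "process.command_line", "ParentCommandLine": "process.parent.command_line"}

def _value_matches(actual, pattern, mods):
    if actual is None:  # field absent from the event: no match
        return False
    pat = re.escape(str(pattern)).replace(r"\*", ".*").replace(r"\?", ".")  # Sigma wildcards
    if "startswith" in mods:
        pat = "^" + pat
    elif "endswith" in mods:
        pat += "$"
    elif "contains" not in mods:
        pat = "^" + pat + "$"
    return re.search(pat, str(actual), re.IGNORECASE) is not None  # Sigma strings are case-insensitive

def _search_matches(search, event):
    """A search is a map (every field must match) or a list of maps (any map may match)."""
    if isinstance(search, list):
        return any(_search_matches(item, event) for item in search)
    for spec, pattern in search.items():
        field, *mods = spec.split("|")
        actual = event.get(FIELD_MAP.get(field, field))
        values = pattern if isinstance(pattern, list) else [pattern]
        combine = all if "all" in mods else any  # list values are OR-ed unless |all is set
        if not combine(_value_matches(actual, v, mods) for v in values):
            return False
    return True

def _evaluate(condition, searches, event):
    """Recursive descent over: not, and, or, parentheses, '1 of x*', 'all of them', search names."""
    tokens = re.findall(r"\(|\)|[^\s()]+", condition) + [None]  # None sentinel ends lookahead
    def expr():  # expr := term ('or' term)*
        result = term()
        while tokens[0] == "or":
            tokens.pop(0)
            result = term() or result
        return result
    def term():  # term := factor ('and' factor)*
        result = factor()
        while tokens[0] == "and":
            tokens.pop(0)
            result = factor() and result
        return result
    def factor():
        tok = tokens.pop(0)
        if tok == "not":
            return not factor()
        if tok == "(":
            result = expr()
            tokens.pop(0)  # the closing parenthesis
            return result
        if tok in ("1", "all") and tokens[0] == "of":
            tokens.pop(0)
            pat = tokens.pop(0)
            names = [n for n in searches if pat == "them" or fnmatch.fnmatchcase(n, pat)]
            return (any if tok == "1" else all)(_search_matches(searches[n], event) for n in names)
        return _search_matches(searches[tok], event)
    return expr()

def match(rule, event):
    searches = {k: v for k, v in rule["detection"].items() if k != "condition"}
    return _evaluate(rule["detection"]["condition"], searches, event)

def proc_event(parent, parent_cmd, child, cmd):
    return {"process.parent.executable": parent, "process.parent.command_line": parent_cmd,
            "process.executable": child, "process.command_line": cmd}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
EVENTS = [  # constructed process_creation events, already in ECS field names
    proc_event(OFFICE + "WINWORD.EXE", '"WINWORD.EXE" /n C:\\Users\\alice\\invoice.docm', PS,
               "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAo"),  # should alert
    proc_event(OFFICE + "EXCEL.EXE", '"EXCEL.EXE" \\\\fs01\\Corp\\Macros\\approved.dotm', PS,
               "powershell.exe -nop -enc ZQBjAGgAbwA"),  # suppressed by filter_approved
    proc_event("C:\\Windows\\explorer.exe", "explorer.exe", PS,
               "powershell.exe -nop -enc ZQBjAGgAbwA"),  # no Office parent
]
```

Note what the filter does: the EXCEL.EXE event matches both selections yet is suppressed because `all of selection_* and not filter_approved` carries the exclusion, the same pattern the tuning objectives in Domain 2 describe. Modifiers the evaluator does not support and fields missing from `FIELD_MAP` are exactly the discrepancies the conversion objective asks you to look for in sigma-cli output.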
Advanced Detection Logic
- Describe correlation rule design patterns including event chaining, threshold-based triggering, time-windowed aggregation, and multi-source event correlation for complex attack detection.
- Create correlation rules that combine events from multiple log sources to detect multi-stage attack patterns such as reconnaissance followed by exploitation followed by exfiltration.
- Evaluate the effectiveness of correlation rules by analyzing detection rates, alert precision, and coverage of targeted attack sequences in test and production environments.
Domain 6: Security Data Visualization and Dashboards
3 topics
Dashboard Design Principles
- Describe security dashboard design principles including information hierarchy, color coding for severity, drill-down navigation, and audience-appropriate data presentation.
- Apply visualization type selection including time-series charts for trend analysis, heat maps for coverage, bar charts for comparisons, and tables for detailed event investigation.
- Evaluate dashboard effectiveness by assessing whether key security metrics are prominently displayed, actionable, and aligned with SOC operational workflows.
Operational Security Dashboards
- Create SOC operational dashboards displaying alert volume trends, mean time to acknowledge, mean time to resolve, analyst workload distribution, and escalation rates.
- Create threat hunting dashboards that visualize network connections, process execution trees, authentication patterns, and DNS query distributions for interactive investigation.
- Describe executive security reporting including risk posture summaries, detection coverage metrics, incident trend analysis, and compliance status visualization.
Detection Coverage Visualization
- Apply ATT&CK Navigator to create visual heat maps of detection coverage showing implemented, tested, and gap areas across the enterprise detection capability.
- Analyze detection coverage trends over time to measure improvement in coverage breadth and depth and identify regression in previously covered techniques.
- Create data quality dashboards that monitor log ingestion health including dropped events, parsing failures, field extraction accuracy, and source connectivity status.
Scope
Included Topics
- All domains in the GIAC Certified Detection Analyst (GCDA) certification aligned to SANS SEC555: SIEM Architecture and Analytics, Detection Engineering, Log Collection and Parsing, Threat Detection Use Cases, Sigma Rules and Detection Logic, and Security Data Visualization and Dashboards.
- Advanced detection engineering skills including SIEM platform architecture, log source onboarding, field normalization, detection rule development, alert triage workflows, and detection coverage gap analysis using frameworks such as MITRE ATT&CK.
- Log collection and parsing expertise including syslog configuration, Windows Event Forwarding, log enrichment pipelines, structured and unstructured log parsing using regular expressions and Grok patterns, and centralized log management architectures.
- Sigma rule development and management including rule syntax, detection logic design, correlation rules, aggregation conditions, field mapping across SIEM platforms, and rule lifecycle management.
- Security data visualization including dashboard design principles, KPI metric selection, threat hunting dashboards, executive reporting, and real-time monitoring displays using tools such as Kibana, Splunk Dashboards, and Grafana.
Not Covered
- Advanced threat hunting methodologies, hypothesis-driven investigation frameworks, and proactive threat discovery at the specialist level beyond SEC555 scope.
- SOAR platform development, custom playbook authoring, and automated response orchestration at the engineering level.
- Machine learning model development for anomaly detection, supervised and unsupervised learning algorithms for security analytics.
- Cloud-specific detection engineering for Kubernetes audit logs, serverless function monitoring, and container runtime security.
- Malware reverse engineering, binary analysis, and exploit development for detection signature creation.
Official Exam Page
Learn more at GIAC Certifications
GCDA is coming soon
Adaptive learning that maps your knowledge and closes your gaps.