Overview
Blue teaming is the discipline of detecting, investigating, and responding to attacks. For software engineers, this means learning to read the logs your systems generate and to turn them into actionable security intelligence — the same instincts you already use for debugging, applied to adversarial inputs.
What You Will Learn
- Reading Linux auth logs, Windows Event Logs, and web access logs
- Writing SIEM queries: Splunk SPL, Elastic KQL/EQL, Microsoft Sentinel KQL
- Threat detection: brute-force, port scans, SQL injection, reverse shells
- Incident triage and response: containment, eradication, recovery
- Threat hunting: hypothesis-driven detection across endpoint and network logs
- Detection engineering: Sigma rules, detection-as-code, rule lifecycle
Learning Path
| Level | Focus |
|---|---|
| Beginner | Log reading, basic queries, alert triage |
| Intermediate | AD attack detection, SIEM correlation, forensics |
| Advanced | Threat hunting, SOAR, cloud detection, detection metrics |
Start at By Example — Beginner or read the full by-example overview to see all 85 examples.
Last updated May 20, 2026