Detection Engineering Primer
I'm teaching a course on intrusion detection in depth and creating a module on hands-on detection engineering. Has anyone developed a lab I can reuse? Otherwise, what I'm thinking of creating is an Ubuntu VM with Wazuh as the SIEM and some pre-baked logs; I'll then have the students write and test their detections in Python. Thoughts?
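As an added example (not part of the original post), here is the kind of Python detection a student could write and unit-test against pre-baked logs from the Ubuntu VM: an SSH brute-force rule over sshd auth.log lines, escalated when a success follows the failure burst. The log lines, IPs, thresholds and the assumed log year are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in Ubuntu auth.log (syslog) format; not from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 lab sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 lab sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 lab sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:06 lab sshd[1207]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:08 lab sshd[1209]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:00:09 lab sshd[1211]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:05:00 lab sshd[1301]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:05:30 lab sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, src_ip) for sshd auth events; other lines are skipped.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """One alert per source IP with >= threshold failures inside a window_s-second window;
    severity is raised to 'high' if a later success from that IP follows the burst."""
    failures = defaultdict(list)   # src_ip -> recent failure timestamps
    alerts = {}
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"severity": "medium", "failures": len(recent), "first_seen": recent[0]}
        elif result == "Accepted" and src in alerts:
            alerts[src]["severity"] = "high"
            alerts[src]["compromised_user"] = user
    return alerts

if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

Students can swap SAMPLE_LOG for a file read from the VM and tune threshold/window_s to see how the rule trades false positives against missed bursts.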
Check out Kali Linux for more IDS/IPS prepackaged tools.