SOC Tier 1 Operations Zero to Hero

About the Course (Video and Online)
In the present era, with the rapid advance of technology and the threats that come with it every day, businesses large and small must protect their sensitive information, such as customer, employee and partner data, organizational documents and other assets, against malicious actors and cyber attackers. At the same time, with the growing number of cyber attackers and the increasing sophistication of attacks around the world, this protection becomes a more challenging matter day by day.
In recent years, alongside attack prevention, cybersecurity has focused on detecting threats and attacks within the infrastructure. In the past, once an intruder managed to bypass the victim's preventive security controls, they saw no major obstacle in their way and could roam and search the victim's network for weeks or months, exfiltrate the victim's confidential data from the network, or even keep this stolen data up to date over time. This led organizations to turn to new and more sophisticated approaches for countering intruders in the post-intrusion phase. In this context, one of the fundamental approaches welcomed by organizations around the world was establishing Security Operations Centers (SOC). One of the most important tasks of a security operations center is detecting and responding to all kinds of cyber threats by leveraging specialists at different tiers. Despite all this, one of the biggest challenges facing security operations centers worldwide is the shortage of skilled personnel in the different tiers of these centers. This challenge is considerably more pronounced in Iran than in many other countries.
This comprehensive course, aimed at teaching the knowledge required to become a Tier 1 analyst in a security operations center, is offered in four main modules as follows:
- Security Operations and Monitoring
- Traffic Analysis
- Splunk Fundamentals, based on the Splunk Fund 1 course
- SIEM Analysis and Blue Team
Course features:
- The course is fully active and scenario-based and progresses through exercises. A TA will be in close contact with students throughout the course for any technical support and for answering questions.
- Tools that international security courses introduce only in general terms will be examined precisely and comprehensively, and discussed live: Wazuh, Suricata, Zeek, RITA, Wireshark, Sysmon, Osquery
- We discuss the current security challenges and risks around the world.
- Splunk Enterprise Security will be used for the SIEM topic.
- Introducing and using practical Splunk add-ons: URL ToolBox, MISP42, TA-Sysmon
- Presenting practical use cases for detecting and identifying attacks
- Discussing how to prepare a Threat Intelligence infrastructure
- Providing a set of practical cheat sheets
- Using tools such as Atomic Red Team for attack simulation
- Introducing the MITRE ATT&CK Framework
- Introducing and working with vulnerability scanning software such as Nessus
Course Duration
The course sessions will be provided to participants offline (as videos). The course comprises 80 hours of instructional content delivered as 32 videos of 150 minutes each, two videos per week on Saturdays and Tuesdays. In addition, every two weeks a 4-hour online session will be held by the instructor or the TA for troubleshooting and Q&A. In total, 112 hours of instructional content and support are planned for this course. Video release for this course begins on Tuesday, 13 Dey.
Early Registration Discount
The early-registration ticket is set up on the course registration page on the Evand platform, with no discount code required. You can also pay the course fee in installments.

| Discount | Registration Deadline | Registration Price |
|---|---|---|
| 20 percent | Until Tuesday, 6 Dey | 4,800,000 Toman |
Job Market Entry Guarantee
Course Certificate
To receive the course certificate, an exam will be held ten days after the final session; upon passing this exam, we will be able to issue the course certificate for you. Attending the final exam and receiving the course certificate are optional for participants.
Certificate printing and issuance fee: 50 thousand Toman
Who is this course recommended for?
- Tier 1 SOC analysts and engineers
- Those interested in cybersecurity
- Information technology graduates
- People working in Help Desk and network administrator positions
What knowledge do I need to attend this course?
- Familiarity with cyber attack concepts
- Familiarity with Windows and Linux operating system concepts
- Familiarity with network and protocol concepts
To prepare further for this course, you can watch Ravin Academy's free courses "Hack With Kali", "CEH Plus" and "Security Essentials".
Course Syllabus
Module 1: Incident Handling Step-by-Step
Chapter 1: Incident Handling Process
Chapter 2: Preparation
Chapter 3: Identification
Chapter 4: Containment
Chapter 5: Eradication
Chapter 6: Recovery
Chapter 7: Lessons Learned
Chapter 8: Enterprise-Wide IR
Module 2: Continuous Monitoring and Security Operations
Chapter 9: Current State Assessment, Security Operations Centers, and Security Architecture
9.1 Traditional Security Architecture
9.1.1 Perimeter-focused
9.1.2 Addressed Layer 3/4
9.1.3 Centralized Information Systems
9.1.4 Prevention-Oriented
9.1.5 Device-driven
9.1.6 Traditional Attack Techniques
9.2 Introducing Security Onion 2.X
9.2.1 Alerts Menu
9.2.2 Pivoting to the Hunt Menu
9.2.3 The PCAP Menu
9.3 Modern Security Architecture Principles
9.3.1 Detection-oriented
9.3.2 Post-Exploitation-focused
9.3.3 Decentralized Information Systems/Data
9.3.4 Risk-informed
9.3.5 Layer 7 Aware
9.3.6 Security Operations Centers
9.3.7 Network Security Monitoring
9.3.8 Continuous Security Monitoring
9.3.9 Modern Attack Techniques
9.3.10 Adversarial Dominance
9.3.11 MITRE ATT&CK®
9.4 Security Architecture – Key Techniques/Practices and Defensible Network Security Architecture Principles Applied
9.4.1 Threat Vector Analysis
9.4.2 Data Exfiltration Analysis
9.4.3 Detection Dominant Design
9.4.4 Intrusion Kill Chain
9.4.5 Visibility Analysis
9.4.6 Lateral Movement Analysis
9.4.7 Data Ingress/Egress Mapping
9.4.8 Internal Segmentation
9.4.9 Zero Trust Architecture (Kindervag)
9.4.10 Data Visualization
9.4.11 Network Security Monitoring
9.4.12 Continuous Security Monitoring
Chapter 10: Network Security Architecture
10.1 SOCs/Security Architecture – Key Infrastructure Devices
10.1.1 Traditional and Next-Generation Firewalls, and NIPS
10.1.2 Web Application Firewall
10.1.3 Malware Detonation Devices
10.1.4 HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
10.1.5 SIEMs, NIDS, Packet Captures, and DLP
10.1.6 Honeypots/Honeynets
10.1.7 Network Infrastructure – Routers, Switches, DHCP, DNS
10.1.8 Threat Intelligence
10.2 Segmented Internal Networks
10.2.1 Routers
10.2.2 Internal SI Firewalls
10.2.3 VLANs
10.2.4 Detecting the Pivot
10.2.5 DNS architecture
10.2.6 Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
Chapter 11: Network Security Monitoring
11.1 Evolution of NSM
11.2 The NSM Toolbox
11.3 NIDS Design
11.4 Analysis Methodology
11.5 Understanding Data Sources
11.5.1 Full Packet Capture
11.5.2 Extracted Data
11.5.3 String Data
11.5.4 Flow Data
11.5.5 Transaction Data
11.5.6 Statistical Data
11.5.7 Alert Data
11.5.8 Tagged Data
11.5.9 Correlated Data
11.6 Practical NSM Issues
11.7 Cornerstone NSM
11.7.1 Service-Side and Client-Side Exploits
11.7.2 Identifying High-Entropy Strings
11.7.3 Tracking EXE Transfers
11.7.4 Identifying Command and Control (C2) Traffic
11.7.5 Tracking User Agents
11.7.6 C2 via HTTPS
11.7.7 Tracking Encryption Certificates
11.7.8 Detecting Malware via JA3
11.8 Detecting Cobalt Strike
11.8.1 Criminal Usage of Cobalt Strike
11.8.2 Malleable C2
11.8.3 Cobalt Strike's X.509 Certificates
Chapter 12: Endpoint Security Architecture
12.1 Endpoint Security Architecture
12.1.1 Endpoint Protection Platforms
12.1.2 Endpoint Detection Response
12.1.3 Authentication Protection/Detection
12.1.4 Configuration Management/Monitoring
12.2 Endpoint Protection
12.2.1 TPM: Device Health Attestation
12.2.2 Host-based Firewall, Host-based IDS/IPS
12.2.3 Application Control, Application Virtualization
12.2.4 Virtualization Based Security
12.2.5 Microsoft Defender: Application Guard
12.2.6 Windows Defender: Credential Guard
12.2.7 Defender for Endpoint: Attack Surface Reduction
12.2.8 EMET and Defender Exploit Guard
12.3 Endpoint Detection Windows – Sysmon
12.3.1 FileDelete, ProcessTampering, and other recent additions
12.3.2 IMPHASH
12.3.3 DeepBlueHash
12.4 Authentication Protection and Detection
12.4.1 Privileged Account Monitoring
12.4.2 Dynamic Lock
12.4.3 PIN-Only Authentication
12.4.4 Hash/Ticket/Token Attacks
Chapter 13: Automation and Continuous Security Monitoring
13.1 Industry Best Practices
13.1.1 Continuous Monitoring and the 20 CIS Critical Security Controls
13.1.2 Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
13.2 Winning CSM Techniques
13.2.1 Long Tail Analysis
13.2.2 Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents
13.2.3 The ASD Essential Eight
13.3 Maintaining Situational Awareness
13.4 Host, Port, and Service Discovery
13.5 Vulnerability Scanning
13.6 Monitoring Patching
13.7 Monitoring Applications
13.8 Monitoring Service Logs
13.8.1 Detecting Malware via DNS logs
13.8.2 Detecting DNS Tunneling via Iodine and dnscat2
13.8.3 Domain_stats and Registration Data Access Protocol (RDAP)
13.9 Monitoring Change to Devices and Appliances
13.10 Leveraging Proxy and Firewall Data
13.11 Configuring Centralized Windows Event Log Collection
13.12 Monitoring Critical Windows Events
13.12.1 Hands-on: Detecting Malware via Windows Event Logs
13.13 Scripting and Automation
13.13.1 Importance of Automation
13.13.2 PowerShell
13.13.3 DeepBlueCLI
Module 3: Network Traffic Analysis for Cyber Security Threat Detection
Chapter 14: Introduction to Traffic Analysis
14.1 Traffic Analysis Overview
14.2 OSI Model
14.3 TCP/IP Model
14.4 Communication Models
14.5 Traffic Analysis for Offense
14.6 Traffic Analysis for Defense
14.6.1 Terminology
14.6.2 Port SPAN (Mirroring)
14.6.3 Man In The Middle (MITM)
14.6.4 Full Packet Capture
14.6.5 NetFlow
Chapter 15: Wireshark Basics
15.1 Wireshark Overview
15.2 Wireshark Filters
15.3 Wireshark Tips
15.4 Decoding
15.5 Field Extraction
15.6 Exporting of results
15.7 Wireshark investigation of an incident
15.8 Practical Wireshark uses for analyzing
Chapter 16: Hunting Information from Packets
16.1 DNS
16.2 Internal Routing Protocols
16.3 HTTP/HTTPS
16.4 NetBIOS
16.5 SNMP
16.6 DHCP
16.7 SMB
16.8 SMTP
16.9 ICMP
16.10 FTP
Chapter 17: Intrusion Detection by Traffic Analysis
17.1 Analyzing & Detecting Link Layer Attacks
17.2 Analyzing & Detecting IP Layer Attacks
17.3 Analyzing & Detecting Transport Layer Attacks
17.4 Analyzing Common Application Protocol Traffic & Attacks
17.4.1 Microsoft-specific Protocols
17.4.2 HTTP(S)
17.4.3 DNS
17.4.4 SMTP
17.4.5 SMB
17.5 Introduction to Open Source IDS Solutions
17.5.1 How to configure Suricata
17.5.2 Pcap Analysis with Suricata
17.6 Introduction to Zeek and RITA
17.6.1 Using Zeek and RITA to find Evil
Chapter 18: Tshark Basics and TCPdump
18.1 Tshark Overview
18.2 Tshark Filters
18.3 Exporting of Results
18.4 Pipelining with other Tools
Module 4: Blue Team Fundamentals: Security Operations and Analysis
Chapter 19: Blue Team Tools and Operations
19.1 Introduction to the Blue Team Mission
19.1.1 What is a SOC? What is the mission?
19.1.2 Why are we being attacked?
19.1.3 Modern defense mindset
19.1.4 The challenges of SOC work
19.2 SOC Overview
19.2.1 The people, process, and technology of a SOC
19.2.2 Aligning the SOC with your organization
19.2.3 SOC functional component overview
19.2.4 Tiered vs. tierless SOCs
19.2.5 Important operational documents
19.3 Defensible Network Concepts
19.3.1 Understanding what it takes to be defensible
19.3.2 Network security monitoring (NSM) concepts
19.3.3 NSM event collection
19.3.4 NSM by network layer
19.3.5 Continuous security monitoring (CSM) concepts
19.3.6 CSM event collection
19.3.7 Monitoring sources overview
19.3.8 Data centralization
19.4 Events, Alerts, Anomalies, and Incidents
19.4.1 Event collection
19.4.2 Event log flow
19.4.3 Alert collection
19.4.4 Alert triage and log flow
19.4.5 Signatures vs. anomalies
19.4.6 Alert triage workflow and incident creation
19.5 Incident Management Systems
19.5.1 SOC data organization tools
19.5.2 Incident management systems options and features
19.5.3 Data flow in incident management systems
19.5.4 Case creation, alerts, observables, playbooks, and workflow
19.5.5 Case and alert naming convention
19.5.6 Incident categorization framework
19.6 Threat Intelligence Platforms
19.6.1 What is cyber threat intelligence?
19.6.2 Threat data vs. information vs. intelligence
19.6.3 Threat intel platform options, features, and workflow
19.6.4 Event creation, attributes, correlation, and sharing
19.7 SIEM
19.7.1 Benefits of data centralization
19.7.2 SIEM options and features
19.7.3 SIEM searching, visualizations, and dashboards
19.7.4 Use cases and use case databases
19.8 Automation and Orchestration
19.8.1 How SOAR works and benefits the SOC
19.8.2 Options and features
19.8.3 SOAR value-adds and API interaction
19.8.4 Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
19.9 Who Are Your Enemies?
19.9.1 Who’s attacking us and what do they want?
19.9.2 Opportunistic vs. targeted attackers
19.9.3 Hacktivists, insiders, organized crime, governments
19.9.4 Motivation by attacker group
19.9.5 Case studies of different attack groups
19.9.6 Attacker group naming conventions
Chapter 20: Understanding Your Network
20.1 Corporate Network Architecture
20.1.1 Routers and security
20.1.2 Zones and traffic flow
20.1.3 Switches and security
20.1.4 VLANs
20.1.5 Home firewall vs. corporate next-gen firewall capabilities
20.1.6 The logical vs. physical network
20.1.7 Points of visibility
20.1.8 Traffic capture
20.1.9 Network architecture design ideals
20.1.10 Zero-trust architecture and least-privilege ideals
20.2 Traffic Capture and Analysis
20.2.1 Network traffic capture formats
20.2.2 NetFlow
20.2.3 Layer 7 metadata collection
20.2.4 PCAP collection
20.2.5 Wireshark and Moloch
20.3 Understanding DNS
20.3.1 Name to IP mapping structure
20.3.2 DNS server and client types (stub resolvers, forwarding, caching, and authoritative servers)
20.3.3 Walkthrough of a recursive DNS resolution
20.3.4 Request types
20.3.5 Setting records via registrars and on your own server
20.3.6 A and AAAA records
20.3.7 PTR records and when they might fail
20.3.8 TXT records and their uses
20.3.9 CNAME records and their uses
20.3.10 MX records for mail
20.3.11 SRV records
20.3.12 NS records and glue records
20.4 DNS analysis and attacks
20.4.1 Detecting requests for malicious sites
20.4.2 Checking domain reputation, age, randomness, length, subdomains
20.4.3 Whois
20.4.4 Reverse DNS lookups and passive DNS
20.4.5 Shared hosting
20.4.6 Detecting DNS recon
20.4.7 Unauthorized DNS server use
20.4.8 Domain shadowing
20.4.9 DNS tunneling
20.4.10 DNS traffic flow and analysis
20.4.11 IDNs, punycode, and lookalike domains
20.4.12 New DNS standards (DNS over TLS, DNS over HTTPS, DNSSEC)
20.5 Understanding HTTP and HTTPS
20.5.1 Decoding URLs
20.5.2 HTTP communication between client and server
20.5.3 Browser interpretation of HTTP and REST APIs
20.5.4 GET, POST, and other methods
20.5.5 Request header analysis
20.5.6 Response header analysis
20.5.7 Response codes
20.5.8 The path to the Internet
20.5.9 REST APIs
20.5.10 WebSockets
20.5.11 HTTP/2 & HTTP/3
20.6 Analyzing HTTP for Suspicious Activity
20.6.1 HTTP attack and analysis approaches
20.6.2 Credential phishing
20.6.3 Reputation checking
20.6.4 Sandboxing
20.6.5 URL and domain OSINT
20.6.6 Header and content analysis
20.6.7 User-agent deconstruction
20.6.8 Cookies
20.6.9 How Base64 encoding works, and conversion
20.6.10 File extraction and analysis
20.6.11 High frequency GET/POST activity
20.6.12 Host headers and naked IP addresses
20.6.13 Exploit kits and malicious redirection
20.6.14 HTTPS and certificate inspection
20.6.15 SSL decryption – what you can do with/without it
20.6.16 TLS 1.3
20.7 How SMTP and Email Attacks Work
20.7.1 Email delivery infrastructure
20.7.2 SMTP Protocol
20.7.3 Reading email headers and source
20.7.4 Identifying spoofed email
20.7.5 Decoding attachments
20.7.6 How email spoofing works
20.7.7 How SPF works
20.7.8 How DKIM works
20.7.9 How DMARC works
20.8 Additional Important Protocols
20.8.1 SMB – versions and typical attacks
20.8.2 DHCP for defenders
20.8.3 ICMP and how it is abused
20.8.4 FTP and attacks
20.8.5 SSH and attacks
20.8.6 PowerShell remoting
Chapter 21: Understanding Endpoints, Logs, and Files
21.1 Endpoint Attack Tactics
21.1.1 Endpoint attack centricity
21.1.2 Initial exploitation
21.1.3 Service-side vs client-side exploits
21.1.4 Post-exploitation tactics, tools, and explanations – execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
21.2 Endpoint Defense In-Depth
21.3 Network scanning and software inventory
21.3.1 Vulnerability scanning and patching
21.3.2 Anti-exploitation
21.3.3 Whitelisting
21.3.4 Host intrusion prevention and detection systems
21.3.5 Host firewalls
21.3.6 File integrity monitoring
21.3.7 Privileged access workstations
21.3.8 Windows privileges and permissions
21.3.9 Endpoint detection and response tools (EDR)
21.3.10 File and drive encryption
21.3.11 Data loss prevention
21.3.12 User and entity behavior analytics (UEBA)
21.4 How Windows Logging Works
21.4.1 Channels, event IDs, and sources
21.4.2 XML format and event templates
21.4.3 Log collection path
21.4.4 Channels of interest for tactical data collection
21.5 How Linux Logging Works
21.5.1 Syslog log format
21.5.2 Syslog daemons
21.5.3 Syslog network protocol
21.5.4 Log collection path
21.5.5 Systemd journal
21.5.6 Additional command line auditing options
21.5.7 Application logging
21.5.8 Service vs. system logs
21.6 Interpreting Important Events
21.6.1 Windows and Linux login events
21.6.2 Process creation logs for Windows and Linux
21.6.3 Additional activity monitoring
21.6.4 Firewall events
21.6.5 Object and file auditing
21.6.6 Service creation and operation logging
21.6.7 New scheduled tasks
21.6.8 USB events
21.6.9 User creation and modification
21.6.10 Windows Defender events
21.6.11 PowerShell logging
21.6.12 Kerberos and Active Directory Events
21.6.13 Authentication and the ticket-granting service
21.6.14 Kerberos authentication steps
21.6.15 Kerberos log events in detail
21.7 Log Collection, Parsing, and Normalization
21.7.1 Logging pipeline and collection methods
21.7.2 Windows vs. Linux log agent collection options
21.7.3 Parsing unstructured vs. structured logs
21.7.4 SIEM-centric formats
21.7.5 Efficient searching in your SIEM
21.7.6 The role of parsing and log enrichment
21.7.7 Log normalization and categorization
21.7.8 Log storage and retention lifecycle
21.8 File Contents and Identification
21.8.1 File contents at the byte level
21.8.2 How to identify a file by the bytes
21.8.3 Magic bytes
21.8.4 Nested files
21.8.5 Strings – uses, encoding options, and viewing
21.9 Identifying and Handling Suspicious Files
21.9.1 Safely handling suspicious files
21.9.2 Dangerous file types
21.9.3 Exploits vs. program “features”
21.9.4 Exploits vs. Payloads
21.9.5 Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
21.9.6 Hashing and signature verification
21.9.7 Signature inspection and safety of verified files
21.9.8 Inspection methods, detecting malicious scripts and other files
Chapter 22: Triage and Analysis
22.1 Alert Triage and Prioritization
22.1.1 Priority for triage
22.1.2 Spotting late-stage attacks
22.1.3 Attack lifecycle models
22.1.4 Spotting exfiltration and destruction attempts
22.1.5 Attempts to access sensitive users, hosts, and data
22.1.6 Targeted attack identification
22.1.7 Lower-priority alerts
22.1.8 Alert validation
22.2 Perception, Memory, and Investigation
22.2.1 The role of perception and memory in observation and analysis
22.2.2 Working within the limitations of short-term memory
22.2.3 Efficiently committing info to long-term memory
22.2.4 Decomposition and externalization techniques
22.2.5 The effects of experience on speed and creativity
22.4 Mental Models for Information Security
22.4.1 Network and file encapsulation
22.4.2 Cyber kill chain
22.4.3 Defense-in-depth
22.4.4 NIST cybersecurity framework
22.4.5 Incident response cycle
22.4.6 Threat intelligence levels, models, and uses
22.4.7 F3EAD
22.4.8 Diamond model
22.4.9 The OODA loop
22.4.10 Attack modeling, graph/list thinking, attack trees
22.4.11 Pyramid of pain
22.4.12 MITRE ATT&CK
22.5 Structured Analysis Techniques
22.5.1 Compensating for memory and perception issues via structured analysis
22.5.2 System 1 vs. System 2 thinking and battling tacit knowledge
22.5.3 Data-driven vs. concept-driven analysis
22.5.4 Structured analytic techniques
22.5.5 Idea generation and creativity, hypothesis development
22.5.6 Confirmation bias avoidance
22.5.7 Analysis of competing hypotheses
22.5.8 Diagnostic reasoning
22.5.9 Link analysis, event matrices
22.6 Analysis Questions and Tactics
22.6.1 Where to start – breaking down an investigation
22.6.2 Alert validation techniques
22.6.3 Sources of network and host information
22.6.4 Data extraction
22.6.5 OSINT sources
22.6.6 Data interpretation
22.6.7 Assessing strings, files, malware artifacts, email, links
22.7 Analysis OPSEC
22.7.1 OPSEC vs. your threat model
22.7.2 Traffic light protocol and intel sharing
22.7.3 Permissible action protocol
22.7.4 Common OPSEC failures and how to avoid them
22.8 Intrusion Discovery
22.8.1 Dwell time and intrusion type
22.8.2 Determining attacker motivation
22.8.3 Assessing business risk
22.8.4 Choosing an appropriate response
22.8.5 Reacting to opportunistic/targeted attacks
22.8.6 Common missteps in incident response
22.9 Incident Closing and Quality Review
22.9.1 Steps for closing incidents
22.9.2 Quality review and peer feedback
22.9.3 Analytical completeness checks
22.9.4 Closed case classification
22.9.5 Attribution
22.9.6 Maintaining quality over time
22.9.7 Premortem and challenge analysis
22.9.8 Peer review, red team, team A/B analysis, and structured self-critique
Chapter 23: Continuous Improvement, Analytics, and Automation
23.1 Improving Life in the SOC
23.1.1 Expectations vs. common reality
23.1.2 Burnout and stress avoidance
23.1.3 Improvement through SOC human capital theory
23.1.4 The role of automation, operational efficiency, and metrics in burnout
23.1.5 Other common SOC issues
23.2 Analytic Features and Enrichment
23.2.1 Goals of analytic creation
23.2.2 Log features and parsing
23.2.3 High-feature vs. low-feature logs
23.2.4 Improvement through SIEM enrichment
23.2.5 External tools and other enrichment sources
23.3 New Analytic Design, Testing, and Sharing
23.3.1 Tolerance to false positives/negatives
23.3.2 The false positive paradox
23.3.3 Types of analytics
23.3.4 Feature selection for analytics
23.3.5 Matching with threat intel
23.3.6 Regular expressions
23.3.7 Common matching and rule logic options
23.3.8 Analytic generalization and sharing with Sigma
23.4 Tuning and False Positive Reduction
23.4.1 Dealing with alerts and runaway alert queues
23.4.2 How many analysts should you have?
23.4.3 Types of poor alerts
23.4.4 Tuning strategy for poor alert types
23.4.5 Tuning via log field analysis
23.4.6 Using policy to raise fidelity
23.4.7 Sensitivity vs. specificity
23.4.8 Automation and fast lanes
23.5 Automation and Orchestration
23.5.1 The definition of automation vs. orchestration
23.5.2 What is SOAR?
23.5.3 SOAR product considerations
23.5.4 Common SOAR use cases
23.5.5 Enumeration and enrichment
23.5.6 Response actions
23.5.7 Alert and case management
23.5.8 The paradox of automation
23.5.9 DIY scripting
23.6 Improving Operational Efficiency and Workflow
23.6.1 Micro-automation
23.6.2 Form filling
23.6.3 Text expanders
23.6.4 Email templates
23.6.5 Smart keywords
23.6.6 Browser plugins
23.6.7 Text caching
23.6.8 JavaScript page modification
23.6.9 OS Scripting
23.7 Containing Identified Intrusions
23.7.1 Containment and analyst empowerment
23.7.2 Isolation options across network layers – physical, link, network, transport, application
23.7.3 DNS firewalls, HTTP blocking and containment, SMTP, Web Application Firewalls
23.7.4 Host-based containment tools
Module 5: Splunk Fundamentals 1
Chapter 24: Introduction
24.1 Overview of Buttercup Games Inc.
Chapter 25: What is Splunk?
25.1 Splunk components
25.2 Installing Splunk
25.3 Getting data into Splunk
Chapter 26: Introduction to Splunk’s User Interface
26.1 Understand the uses of Splunk
26.2 Define Splunk Apps
26.3 Customizing your user settings
26.4 Learn basic navigation in Splunk
Chapter 27: Basic Searching
27.1 Run basic searches
27.2 Use autocomplete to help build a search
27.3 Set the time range of a search
27.4 Identify the contents of search results
27.5 Refine searches
27.6 Use the timeline
27.7 Work with events
27.8 Control a search job
27.9 Save search results
Chapter 28: Using Fields in Searches
28.1 Understand fields
28.2 Use fields in searches
28.3 Use the fields sidebar
Chapter 29: Search Language Fundamentals
29.1 Review basic search commands and general search practices
29.2 Examine the search pipeline
29.3 Specify indexes in searches
29.4 Use autocomplete and syntax highlighting
29.5 Use SPL search commands to perform searches
Chapter 30: Using Basic Transforming Commands
30.1 The top command
30.2 The rare command
30.3 The stats command
Chapter 31: Creating Reports and Dashboards
31.1 Save a search as a report
31.2 Edit reports
31.3 Create reports that include visualizations such as charts and tables
31.4 Create a dashboard
31.5 Add a report to a dashboard
31.6 Edit a dashboard
Chapter 32: Datasets and the Common Information Model
32.1 Naming conventions
32.2 What are datasets?
32.3 What is the Common Information Model (CIM)?
Chapter 33: Creating and Using Lookups
33.1 Describe lookups
33.2 Create a lookup file and create a lookup definition
33.3 Configure an automatic lookup
Chapter 34: Creating Scheduled Reports and Alerts
34.1 Describe scheduled reports
34.2 Configure scheduled reports
34.3 Describe alerts
34.4 Create alerts
34.5 View fired alerts
Chapter 35: Using Pivot
35.1 Describe Pivot
35.2 Understand the relationship between data models and pivot
35.3 Select a data model object
35.4 Create a pivot report
35.5 Create an instant pivot from a search
35.6 Add a pivot report to a dashboard
Module 6: SIEM with Tactical Analytics
Chapter 36: SIEM Architecture
36.1 State of the SOC/SIEM
36.1.1 Industry statistics
36.1.2 Industry problems
36.2 Log Monitoring
36.2.1 Assets
36.2.2 Windows/Linux
36.2.3 Network devices
36.2.4 Security devices
36.2.5 Data gathering strategies
36.2.6 Pre-planning
36.3 Logging architecture
36.3.1 Log inconsistencies
36.3.2 Log collection and normalization
36.3.3 Log retention strategies
36.3.4 Correlation and gaining context
36.3.5 Reporting and analytics
36.3.6 Alerting
36.4 SIEM platforms
36.4.1 Commercial solutions
36.4.2 Home-grown solutions
36.5 Planning a SIEM
36.5.1 Ingestion control
36.5.2 What to collect
36.5.3 Mission
36.6 SIEM Architecture
36.7 Ingestion techniques and nodes
36.7.1 Acceptance and manipulation for value
36.7.2 Augmentation of logs for detection
36.8 Data queuing and resiliency
36.9 Storage and speed
36.10 Analytical reporting
36.10.1 Visualizations
36.10.2 Detection Dashboards
Chapter 37: Service Profiling With SIEM
37.1 Detection methods and relevance to log analysis
37.1.1 Attacker patterns
37.1.2 Attacker behaviors
37.1.3 Abnormalities
37.2 Analyzing common application logs that generate tremendous amounts of data
37.3 DNS
37.3.1 Finding new domains being accessed
37.3.2 Pulling in additional information such as domain age
37.3.3 Finding randomly named domains
37.3.4 Discover domain shadowing techniques
37.3.5 Identifying recon
37.3.6 Find DNS C2 channels
37.4 HTTP
37.4.1 Use large datasets to find attacks
37.4.2 Identify bot traffic hiding in the clear
37.4.3 Discover requests that users do not make
37.4.4 Find ways to filter out legitimate noise
37.4.5 Use attacker randomness against them
37.4.6 Identify automated activity vs user activity
37.4.7 Filter approved web clients vs unauthorized
37.4.8 Find HTTP C2 channels
37.5 HTTPS
37.5.1 Alter information for large scale analysis
37.5.2 Analyze certificate fields to identify attack vectors
37.5.3 Track certificate validity
37.5.4 Apply techniques that overlap with standard HTTP
37.5.5 Find HTTPS C2 channels
37.6 SMTP
37.6.1 Identify where unauthorized email is coming from
37.6.2 Find compromised mail services
37.6.3 Fuzzy matching likely phishing domains
37.6.4 Data exfiltration detection and abnormalities
37.7 Apply threat intelligence to generic network logs
37.8 Active Dashboards and Visualizations
37.8.1 Correlate network datasets
37.8.2 Build frequency analysis tables
37.8.3 Establish network baseline activity
Chapter 38: Advanced Endpoint Analytics
38.1 Endpoint logs
38.2 Understanding value
38.2.1 Methods of collection
38.2.2 Agents
38.2.3 Agentless
38.2.4 Scripting
38.3 Adding additional logging
38.3.1 EMET
38.3.2 Sysmon
38.3.3 Group Policy
38.4 Windows filtering and tuning
38.5 Analyze critical events based on attacker patterns
38.5.1 Finding signs of exploitation
38.5.2 Find signs of internal reconnaissance
38.5.3 Finding persistence
38.5.4 Privilege escalation
38.5.5 Establishing a foothold
38.5.6 Cleaning up tracks
38.6 Host-based firewall logs
38.6.1 Discover internal pivoting
38.6.2 Identify unauthorized listening executables
38.6.3 See scan activity
38.7 Credential theft and reuse
38.7.1 Multiple failed logons
38.7.2 Unauthorized account use
38.8 Monitor PowerShell
38.8.1 Configure PowerShell logging
38.8.2 Identify obfuscation
38.8.3 Identify modern attacks
38.9 Containers
38.9.1 Logging methods
38.9.2 Monitoring
Chapter 39: Baselining and User Behavior Monitoring
39.1 Identify authorized and unauthorized assets
39.2 Active asset discovery
39.2.1 Scanners
39.2.2 Network Access Control
39.3 Passive asset discovery
39.3.1 DHCP
39.3.2 Network listeners such as p0f, bro, and prads
39.3.3 NetFlow
39.3.4 Switch CAM tables
39.4 Combining asset inventory into a master list
39.5 Adding contextual information
39.5.1 Vulnerability data
39.5.2 Authenticated device vs unauthenticated device
39.6 Identify authorized and unauthorized software
39.7 Source collection
39.7.1 Asset inventory systems
39.7.2 Patching management
39.7.3 Whitelisting solutions
39.7.4 Process monitoring
39.7.5 Discovering unauthorized software
39.8 Baseline data
39.9 Network data (from NetFlow, firewalls, etc.)
39.9.1 Use outbound flows to discover unauthorized use or assets
39.9.2 Compare expected inbound/outbound protocol
39.9.3 Find persistence and beaconing
39.9.4 Utilize geolocation and reverse DNS lookups
39.9.5 Establish device-to-device relationships
39.9.6 Identify lateral movement
39.9.7 Configure outbound communication thresholds
39.10 Monitor logons based on patterns
39.11 Time-based
39.12 Concurrency of logons
39.12.1 Logons by user
39.12.2 Logons by source device
39.12.3 Multiple geo locations
39.13 Endpoint baseline monitoring
39.13.1 Configure enterprise wide baseline collection
39.13.2 Large scale persistence monitoring
39.13.3 Finding abnormal local user accounts
39.13.4 Discover dual-homed devices
Chapter 40: Tactical SIEM Detection and Post-Mortem Analysis
40.1 Centralize NIDS and HIDS alerts
40.2 Analyze endpoint security logs
40.2.1 Provide alternative analysis methods
40.2.2 Configure tagging to facilitate better reporting
40.3 Augment intrusion detection alerts
40.3.1 Extract CVE, OSVDB, etc. for further context
40.3.2 Pull in rule info and other info such as geo
40.4 Analyze vulnerability information
40.4.1 Set up vulnerability reports
40.4.2 Correlate CVE, OSVDB, and other unique IDs with IDS alerts
40.4.3 Prioritize IDS alerts based on vulnerability context
40.5 Correlate malware sandbox logs with other systems to identify victims across enterprise
40.6 Monitor Firewall Activity
40.6.1 Identify scanning activity on inbound denies
40.6.2 Apply auto response based on alerts
40.6.3 Find unexpected outbound traffic
40.6.4 Baseline allow/denies to identify unexpected changes
40.6.5 Apply techniques to filter out noise in denied traffic
40.7 SIEM tripwires
40.8 Configure systems to generate early log alerts after compromise
40.8.1 Identify file and folder scan activity
40.8.2 Identify user token stealing
40.8.3 Operationalize virtual honeypots with central logging
40.8.4 Allow phone home tracking
40.9 Post mortem analysis
40.10 Re-analyze network traffic
40.10.1 Identify malicious domains and IPs
40.10.2 Look for beaconing activity
Module 7: Introduction and Configuration of Splunk Enterprise Security (SIEM)
Chapter 41: Getting Started with ES
41.1 Describe the features and capabilities of Splunk Enterprise Security (ES)
41.2 Explain how ES helps security practitioners prevent, detect, and respond to threats
41.3 Describe correlation searches, data models, and notable events
41.4 Describe user roles in ES
Chapter 42: Security Monitoring and Incident Investigation
42.1 Use the Security Posture dashboard to monitor ES status
42.2 Use the Incident Review dashboard to investigate notable events
42.3 Take ownership of an incident and move it through the investigation workflow
42.4 Create notable events
42.5 Suppress notable events
Chapter 43: Risk-Based Alerting
43.1 Give an overview of Risk-Based Alerting
43.2 View Risk Notables and risk information on the Incident Review dashboard
43.3 Explain risk scores and how to change an object’s risk score
43.4 Review the Risk Analysis dashboard
43.5 Describe annotations
43.6 Describe the process for retrieving LDAP data for an asset or identity lookup
Chapter 44: Investigations
44.1 Use investigations to manage incident response activity
44.2 Use the Investigation Workbench to manage, visualize and coordinate incident investigations
44.3 Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
44.4 Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
Chapter 45: Using Security Domain Dashboards
45.1 Use ES to inspect events containing information relevant to active or past incident investigation
45.2 Identify security domains in ES
45.3 Use ES security domain dashboards
45.4 Launch security domain dashboards from Incident Review and from action menus in search results
Course Features
- Lessons: 43
- Quizzes: 1
- Duration: 112 hours
- Skill level: beginner and intermediate
- Language: Persian and English
- Students: 48
- Certificate: yes
- Assessment: yes