SOC Tier 1 Operations Zero to Hero

مهدی میرسلطانی

• متوسط
• مسیر آبی
• ۴۳ درس

درباره‌ی این دوره

این دوره به چه افرادی توصیه می‌شود؟

• تحلیل‌گران و مهندسان لایه‌ی اول SOC
• علاقه‌مندان به امنیت سایبری
• دانشجویان و فارغ‌التحصیلان رشته‌های فناوری اطلاعات
• افرادی که در پوزیشن‌های Help Desk و ادمین شبکه فعالیت می‌کنند

برای حضور در این دوره چه دانش‌هایی باید داشته باشم؟

• آشنایی با مفاهیم حملات سایبری
• آشنایی با مفاهیم سیستم‌عامل‌های ویندوز و لینوکس
• آشنایی با مفاهیم شبکه و پروتکل‌ها

• Incident Response and Cyber Investigations
• Incident Response
  • Case study: Argous Corporation compromise
  • Dynamic Approach to Incident Response
  • Investigative analysis: Examining incident evidence
• Digital Investigations
  • Techniques for digital investigation
  • Establishing an incident timeline
  • Investigation efficiency: Data reduction
• Live Examination
  • Identifying suspicious Windows processes
  • Correlating network and persistence activity
  • Enumerating Windows auto-start extensibility points
  • Leveraging Sysinternals for live Windows examinations
• Network Investigations
  • Identifying compromised host beaconing with proxy server logs
  • Filtering network activity to identify indicators of compromise
  • Assessing encrypted network traffic with multiple data sources
  • Building the incident timeline
• Network Investigations
  • Memory Investigations
  • Conducting offline analysis of attacker persistence Cyberscope and SCAP
  • Using Volatility to inspect attacker malware
• Malware Investigations
  • Assessing attacker malware in a custom test environment
  • Using snapshot and continuous recording tools
  • Inspecting malware actions with RegShot and Procmon
  • Identifying malicious code on Windows
• Continuous Monitoring and Security Operations
• Current State Assessment, Security Operations Centers, and Security Architecture
  • Traditional Security Architecture
    • Perimeter-focused
    • Addressed Layer 3/4
    • Centralized Information Systems
    • Prevention-Oriented
    • Device-driven
    • Traditional Attack Techniques
  • Introducing Security Onion 2.X
    • Alerts Menu
    • Pivoting to the Hunt Menu
    • The PCAP Menu
  • Modern Security Architecture Principles
    • Detection-oriented
    • Post-Exploitation-focused
    • Decentralized Information Systems/Data
    • Risk-informed
    • Layer 7 Aware
    • Security Operations Centers
    • Network Security Monitoring
    • Continuous Security Monitoring
    • Modern Attack Techniques
    • Adversarial Dominance
    • MITRE ATT&CK®
  • Security Architecture – Key Techniques/Practices and Defensible Network Security Architecture Principles Applied
    • Threat Vector Analysis
    • Data Exfiltration Analysis
    • Detection Dominant Design
    • Intrusion Kill Chain
    • Visibility Analysis
    • Lateral Movement Analysis
    • Data Ingress/Egress Mapping
    • Internal Segmentation
    • Zero Trust Architecture (Kindervag)
    • Data Visualization
    • Network Security Monitoring
    • Continuous Security Monitoring
• Network Security Architecture
  • SOCs/Security Architecture – Key Infrastructure Devices
    • Traditional and Next- Generation Firewalls, and NIPS
    • Web Application Firewall
    • Malware Detonation Devices
    • HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
    • SIEMs, NIDS, Packet Captures, and DLP
    • Honeypots/Honeynets
    • Network Infrastructure – Routers, Switches, DHCP, DNS
    • Threat Intelligence
  • Segmented Internal Networks
    • Routers
    • Internal SI Firewalls
    • VLANs
    • Detecting the Pivot
    • DNS architecture
    • Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
• Network Security Monitoring
  • Evolution of NSM
  • The NSM Toolbox
  • NIDS Design
  • Analysis Methodology
  • Understanding Data Sources
    • Full Packet Capture
    • Extracted Data
    • String Data
    • Flow Data
    • Transaction Data
    • Statistical Data
    • Alert Data
    • Tagged Data
    • Correlated Data
  • Practical NSM Issues
  • Cornerstone NSM
    • Service-Side and Client-Side Exploits
    • Identifying High-Entropy Strings
    • Tracking EXE Transfers
    • Identifying Command and Control (C2) Traffic
    • Tracking User Agents
    • C2 via HTTPS
    • Tracking Encryption Certificates
    • Detecting Malware via JA3
  • Detecting Cobalt Strike
    • Criminal Usage of Cobalt Strike
    • Malleable C2
    • Cobalt Strikes x.509 Certificates
• Endpoint Security Architecture
  • Endpoint Security Architecture
    • Endpoint Protection Platforms
    • Endpoint Detection Response
    • Authentication Protection/Detection
    • Configuration Management/Monitoring
  • Endpoint Protection
    • TPM: Device Health Attestation
    • Host-based Firewall, Host-based IDS/IPS
    • Application Control, Application Virtualization
    • Virtualization Based Security
    • Microsoft Defender: Application Guard
    • Windows Defender: Credential Guard
    • Defender for Endpoint: Attack Surface Reduction
    • EMET and Defender Exploit Guard
  • Endpoint Detection Windows – Sysmon
    • FileDelete, ProcessTampering, and other recent additions
    • IMPHASH
    • DeepBlueHash
  • Authentication Protection and Detection
    • Privileged Account Monitoring
    • Dynamic Lock
    • PIN-Only Authentication
    • Hash/Ticket/Token Attacks
• Automation and Continuous Security Monitoring
  • Industry Best Practices
    • Continuous Monitoring and the 20 CIS Critical Security Controls
    • Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
  • Winning CSM Techniques
    • Long Tail Analysis
    • Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents
    • The ASD Essential Eight
  • Maintaining Situational Awareness
  • Host, Port, and Service Discovery
  • Vulnerability Scanning
  • Monitoring Patching
  • Monitoring Applications
  • Monitoring Service Logs
    • Detecting Malware via DNS logs
    • Detecting DNS Tunneling via Iodine and dnscat2
    • Domain_stats and Registration Data Access Protocol (RDAP)
  • Monitoring Change to Devices and Appliances
  • Leveraging Proxy and Firewall Data
  • Configuring Centralized Windows Event Log Collection
  • Monitoring Critical Windows Events
    • Hands-on: Detecting Malware via Windows Event Logs
  • Scripting and Automation
    • Importance of Automation
    • PowerShell
    • DeepBlueCLI
• Network Traffic Analysis Cyber Security Threat Detection
• Introduction to Traffic Analysis
  • Traffic Analysis Overview
  • OSI Model
  • TCP/IP Model
  • Communication Models
  • Traffic Analysis for Offense
  • Traffic Analysis for Defense
    • Terminology
    • Port SPAN (Mirroring)
    • Man In The Middle (MITM)
    • Full packet Capture
    • NetFlow
• Wireshark Basics
  • Wireshark Overview
  • Wireshark Filters
  • Wireshark Tips
  • Decoding
  • Field Extraction
  • Exporting of results
  • Wireshark investigation of an incident
  • Practical Wireshark uses for analyzing
• Hunting Information form Packets
  • DNS
  • Internal Routing Protocols
  • HTTP/HTTPS
  • NetBIOS
  • SNMP
  • DHCP
  • SMB
  • SMTP
  • ICMP
  • FTP
• Intrusion Detection by Traffic Analysis
  • Analyzing & Detecting Link Layer Attacks
  • Analyzing & Detecting IP Layer Attacks
  • Analyzing & Detecting Transport Layer Attacks
  • Analyzing Common Application Protocol Traffic & Attacks
  • Introduction to Open Source IDS Solutions
  • Introduction Zeek and RITA
    • Using Zeek and RITA to find Evil
• Tshark basics And TCPdump
  • Tshark Overview
  • Tshark Filters
  • Exporting of Results
  • Pipelining with other Tools
• Blue Team Fundamentals: Security Operations and Analysis
• Blue Team Tools and Operations
  • Introduction to the Blue Team Mission
    • What is a SOC? What is the mission?
    • Why are we being attacked?
    • Modern defense mindset
    • The challenges of SOC work
  • SOC Overview
    • The people, process, and technology of a SOC
    • Aligning the SOC with your organization
    • SOC functional component overview
    • Tiered vs. tierless SOCs
    • Important operational documents
  • Defensible Network Concepts
    • Understanding what it takes to be defensible
    • Network security monitoring (NSM) concepts
    • NSM event collection
    • NSM by network layer
    • Continuous security monitoring (CSM) concepts
    • CSM event collection
    • Monitoring sources overview
    • Data centralization
  • Events, Alerts, Anomalies, and Incidents
    • Event collection
    • Event log flow
    • Alert collection
    • Alert triage and log flow
    • Signatures vs. anomalies
    • Alert triage workflow and incident creation
  • Incident Management Systems
    • SOC data organization tools
    • Incident management systems options and features
    • Data flow in incident management systems
    • Case creation, alerts, observables, playbooks, and workflow
    • Case and alert naming convention
    • Incident categorization framework
  • Threat Intelligence Platforms
    • What is cyber threat intelligence?
    • Threat data vs. information vs. intelligence
    • Threat intel platform options, features, and workflow
    • Event creation, attributes, correlation, and sharing
  • SIEM
    • Benefits of data centralization
    • SIEM options and features
    • SIEM searching, visualizations, and dashboards
    • Use cases and use case databases
  • Automation and Orchestration
    • How SOAR works and benefits the SOC
    • Options and features
    • SOAR value-adds and API interaction
    • Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
  • Who Are Your Enemies?
    • Who’s attacking us and what do they want?
    • Opportunistic vs. targeted attackers
    • Hacktivists, insiders, organized crime, governments
    • Motivation by attacker group
    • Case studies of different attack groups
    • Attacker group naming conventions
• Understanding Your Network
  • Corporate Network Architecture
  • Traffic Capture and Analysis
  • Understanding DNS
  • DNS analysis and attacks
  • Understanding HTTP and HTTPS
  • Analyzing HTTP for Suspicious Activity
  • How SMTP and Email Attacks Work
  • Additional Important Protocols
    • SMB – versions and typical attacks
    • DHCP for defenders
    • ICMP and how it is abused
    • FTP and attacks
    • SSH and attacks
    • PowerShell remoting
• Understanding Endpoints, Logs, and Files
  • Endpoint Attack Tactics
    • Endpoint attack centricity
    • Initial exploitation
    • Service-side vs client-side exploits
    • Post-exploitation tactics, tools, and explanations – execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
  • Endpoint Defense In-Depth
  • Network scanning and software inventory
    • Vulnerability scanning and patching
    • Anti-exploitation
    • Whitelisting
    • Host intrusion prevention and detection systems
    • Host firewalls
    • File integrity monitoring
    • Privileged access workstations
    • Windows privileges and permissions
    • Endpoint detection and response tools (EDR)
    • File and drive encryption
    • Data loss prevention
    • User and entity behavior analytics (UEBA)
  • How Windows Logging Works
    • Channels, event IDs, and sources
    • XML format and event templates
    • Log collection path
    • Channels of interest for tactical data collection
  • How Linux Logging Works
    • Syslog log format
    • Syslog daemons
    • Syslog network protocol
    • Log collection path
    • Systemd journal
    • Additional command line auditing options
    • Application logging
    • Service vs. system logs
  • Interpreting Important Events
    • Windows and Linux login events
    • Process creation logs for Windows and Linux
    • Additional activity monitoring
    • Firewall events
    • Object and file auditing
    • Service creation and operation logging
    • New scheduled tasks
    • USB events
    • User creation and modification
    • Windows Defender events
    • PowerShell logging
    • Kerberos and Active Directory Events
    • Authentication and the ticket-granting service
    • Kerberos authentication steps
    • Kerberos log events in detail
  • Log Collection, Parsing, and Normalization
    • Logging pipeline and collection methods
    • Windows vs. Linux log agent collection options
    • Parsing unstructured vs. structured logs
    • SIEM-centric formats
    • Efficient searching in your SIEM
    • The role of parsing and log enrichment
    • Log normalization and categorization
    • Log storage and retention lifecycle
  • Files Contents and Identification
    • File contents at the byte level
    • How to identify a file by the bytes
    • Magic bytes
    • Nested files
    • Strings – uses, encoding options, and viewing
  • Identifying and Handling Suspicious Files
    • Safely handling suspicious files
    • Dangerous files types
    • Exploits vs. program “features”
    • Exploits vs. Payloads
    • Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
    • Hashing and signature verification
    • Signature inspection and safety of verified files
    • Inspection methods, detecting malicious scripts and other files
• Triage and Analysis
  • Alert Triage and Prioritization
    • Priority for triage
    • Spotting late-stage attacks
    • Attack lifecycle models
    • Spotting exfiltration and destruction attempts
    • Attempts to access sensitive users, hosts, and data
    • Targeted attack identification
    • Lower-priority alerts
    • Alert validation
  • Perception, Memory, and Investigation
    • The role of perception and memory in observation and analysis
    • Working within the limitations of short-term memory
    • Efficiently committing info to long-term memory
    • Decomposition and externalization techniques
    • The effects of experience on speed and creativity
  • Perception, Memory, and Investigation
    • The role of perception and memory in observation and analysis
    • Working within the limitations of short-term memory
    • Efficiently committing info to long-term memory
    • Decomposition and externalization techniques
    • The effects of experience on speed and creativity
  • Mental Models for Information Security
    • Network and file encapsulation
    • Cyber kill chain
    • Defense-in-depth
    • NIST cybersecurity framework
    • Incident response cycle
    • Threat intelligence levels, models, and uses
    • F3EAD
    • Diamond model
    • The OODA loop
    • Attack modeling, graph/list thinking, attack trees
    • Pyramid of pain
    • MITRE ATT&CK
  • Structured Analysis Techniques
    • Compensating for memory and perception issues via structured analysis
    • System 1 vs. System 2 thinking and battling tacit knowledge
    • Data-driven vs. concept-driven analysis
    • Structured analytic techniques
    • Idea generation and creativity, hypothesis development
    • Confirmation bias avoidance
    • Analysis of competing hypotheses
    • Diagnostic reasoning
    • Link analysis, event matrices
  • Analysis Questions and Tactics
    • Where to start – breaking down an investigation
    • Alert validation techniques
    • Sources of network and host information
    • Data extraction
    • OSINT sources
    • Data interpretation
    • Assessing strings, files, malware artifacts, email, links
  • Analysis OPSEC
    • OPSEC vs. your threat model
    • Traffic light protocol and intel sharing
    • Permissible action protocol
    • Common OPSEC failures and how to avoid them
  • Intrusion Discovery
    • Dwell time and intrusion type
    • Determining attacker motivation
    • Assessing business risk
    • Choosing an appropriate response
    • Reacting to opportunistic/targeted attacks
    • Common missteps in incident response
  • Incident Closing and Quality Review
    • Steps for closing incidents
    • Quality review and peer feedback
    • Analytical completeness checks
    • Closed case classification
    • Attribution
    • Maintaining quality over time
    • Premortem and challenge analysis
    • Peer review, red team, team A/B analysis, and structured self-critique
• Continuous Improvement, Analytics, and Automation
  • Improving Life in the SOC
    • Expectations vs. common reality
    • Burnout and stress avoidance
    • Improvement through SOC human capital theory
    • The role of automation, operational efficiency, and metrics in burnout
    • Other common SOC issues
  • Analytic Features and Enrichment
    • Goals of analytic creation
    • Log features and parsing
    • High-feature vs. low-feature logs
    • Improvement through SIEM enrichment
    • External tools and other enrichment sources
  • New Analytic Design, Testing, and Sharing
    • Tolerance to false positives/negatives
    • The false positive paradox
    • Types of analytics
    • Feature selection for analytics
    • Matching with threat intel
    • Regular expressions
    • Common matching and rule logic options
    • Analytic generalization and sharing with Sigma
  • Tuning and False Positive Reduction
    • Dealing with alerts and runaway alert queues
    • How many analysts should you have?
    • Types of poor alerts
    • Tuning strategy for poor alert types
    • Tuning via log field analysis
    • Using policy to raise fidelity
    • Sensitivity vs. specificity
    • Automation and fast lanes
  • Automation and Orchestration
    • The definition of automation vs. orchestration
    • What is SOAR?
    • SOAR product considerations
    • Common SOAR use cases
    • Enumeration and enrichment
    • Response actions
    • Alert and case management
    • The paradox of automation
    • DIY scripting
  • Improving Operational Efficiency and Workflow
    • Micro-automation
    • Form filling
    • Text expanders
    • Email templates
    • Smart keywords
    • Browser plugins
    • Text caching
    • JavaScript page modification
    • OS Scripting
  • Containing Identified Intrusions
    • Containment and analyst empowerment
    • Isolation options across network layers – physical, link, network, transport, application
    • DNS firewalls, HTTP blocking and containment, SMTP, Web Application Firewalls
    • Host-based containment tools
• Splunk fundamental 1
• Introduction
  • Overview of Buttercup Games Inc.
• What is Splunk?
  • Splunk components
  • Installing Splunk
  • Getting data into Splunk
• Introduction to Splunk’s User Interface
  • Understand the uses of Splunk
  • Define Splunk Apps
  • Customizing your user settings
  • Learn basic navigation in Splunk
• Basic Searching
  • Run basic searches
  • Use autocomplete to help build a search
  • Set the time range of a search
  • Identify the contents of search results
  • Refine searches
  • Use the timeline
  • Work with events
  • Control a search job
  • Save search results
• Using Fields in Searches
  • Understand fields
  • Use fields in searches
  • Use the fields sidebar
• Search Language Fundamentals
  • Review basic search commands and general search practices
  • Examine the search pipeline
  • Specify indexes in searches
  • Use autocomplete and syntax highlighting
  • Use SPL search commands to perform searches
• Using Basic Transforming Commands
  • The top command
  • The rare command
  • The stats command
• Creating Reports and Dashboards
  • Save a search as a report
  • Edit reports
  • Create reports that include visualizations such as charts and tables
  • Create a dashboard
  • Add a report to a dashboard
  • Edit a dashboard
• Datasets and the Common Information Model
  • Naming conventions
  • What are datasets?
  • What is the Common Information Model (CIM)?
• Creating and Using Lookups
  • Describe lookups
  • Create a lookup file and create a lookup definition
  • Configure an automatic lookup
• Creating Scheduled Reports and Alerts
  • Describe scheduled reports
  • Configure scheduled reports
  • Describe alerts
  • Create alerts
  • View fired alerts
• Using Pivot
  • Describe Pivot
  • Understand the relationship between data models and pivot
  • Select a data model object
  • Create a pivot report
  • Create an instant pivot from a search
  • Add a pivot report to a dashboard
• SIEM with Tactical Analytics
• SIEM Architecture
  • State of the SOC/SIEM
  • Log Monitoring
  • Logging architecture
  • SIEM platforms
  • Planning a SIEM
  • SIEM Architecture
  • Ingestion techniques and nodes
  • Data queuing and resiliency
  • Storage and speed
  • Analytical reporting
    • Visualizations
    • Detection Dashboards
• Service Profiling With SIEM
  • Detection methods and relevance to log analysis
    • Attacker patterns
    • Attacker behaviors
    • Abnormalities
  • Analyzing common application logs that generate tremendous amounts of data
  • DNS
    • Finding new domains being accessed
    • Pulling in addition information such as domain age
    • Finding randomly named domains
    • Discover domain shadowing techniques
    • Identifying recon
    • Find DNS C2 channels
  • HTTP
    • Use large datasets to find attacks
    • Identify bot traffic hiding in the clear
    • Discover requests that users do not make
    • Find ways to filter out legitimate noise
    • Use attacker randomness against them
    • Identify automated activity vs user activity
    • Filter approved web clients vs unauthorized
    • Find HTTP C2 channels
  • HTTPS
    • Alter information for large scale analysis
    • Analyze certificate fields to identify attack vectors
    • Track certificate validity
    • Apply techniques that overlap with standard HTTP
    • Find HTTPS C2 channels
  • SMTP
    • Identify where unauthorized email is coming from
    • Find compromised mail services
    • Fuzzy matching likely phishing domains
    • Data exfiltration detectionAbnormalities
  • Apply threat intelligence to generic network logs
  • Active Dashboards and Visualizations
    • Correlate network datasets
    • Build frequency analysis tables
    • Establish network baseline activity
• Advanced Endpoint Analytics
  • Endpoint logs
  • Understanding value
    • Methods of collection
    • Agents
    • Agentless
    • Scripting
  • Adding additional logging
    • EMET
    • Sysmon
    • Group Policy
  • Windows filtering and tuning
  • Analyze critical events based on attacker patterns
    • Finding signs of exploitation
    • Find signs of internal reconnaissance
    • Finding persistence
    • Privilege escalation
    • Establishing a foothold
    • Cleaning up track
  • Host-based firewall logs
    • Discover internal pivoting
    • Identify unauthorized listening executables
    • See scan activity
  • Credential theft and reuse
    • Multiple failed logons
    • Unauthorized account use
  • Monitor PowerShell
    • Configure PowerShell logging
    • Identify obfuscation
    • Identify modern attacks
  • Containers
    • Logging methods
    • Monitoring
• Baselining and user Behavior Monitoring
  • Identify authorized and unauthorized assets
  • Active asset discovery
    • Scanners
    • Network Access Control
  • Passive asset discovery
    • DHCP
    • Network listeners such as p0f, bro, and prads
    • NetFlow
    • Switch CAM tables
  • Combining asset inventory into a master list
  • Adding contextual information
    • Vulnerability data
    • Authenticated device vs unauthenticated device
  • Identify authorized and unauthorized software
  • Source collection
    • Asset inventory systems
    • Patching management
    • Whitelisting solutions
    • Process monitoring
    • Discovering unauthorized software
  • Baseline data
  • Network data (from netflow, firewalls, etc)
    • Use outbound flows to discover unauthorized use or assets
    • Compare expected inbound/outbound protocol
    • Find persistence and beaconing
    • Utilize geolocation and reverse dns lookups
    • Establish device-to-device relationships
    • Identify lateral movement
    • Configure outbound communication thresholds
  • Monitor logons based on patterns
  • Time-based
  • Concurrency of logons
    • logons by user
    • logons by source device
    • Multiple geo locations
  • Endpoint baseline monitoring
    • Configure enterprise wide baseline collection
    • Large scale persistence monitoring
    • Finding abnormal local user accounts
    • Discover dual-homed devices
• Tactical SIEM Detection and Post-Mortem Analysis
  • Centralize NIDS and HIDS alerts
  • Analyze endpoint security logs
    • Provide alternative analysis methods
    • Configure tagging to facilitate better reporting
  • Augment intrusion detection alerts
    • Extract CVE, OSVDB, etc for further context
    • Pull in rule info and other info such as geo
  • Analyze vulnerability information
    • Setup vulnerability reports
    • Correlate CVE, OSVDB, and other unique IDs with IDS alerts
    • Prioritize IDS alerts based on vulnerability context
  • Correlate malware sandbox logs with other systems to identify victims across enterprise
  • Monitor Firewall Activity
    • Identify scanning activity on inbound denies
    • Apply auto response based on alerts
    • Find unexpected outbound traffic
    • Baseline allow/denies to identify unexpected changes
    • Apply techniques to filter out noise in denied traffic
  • SIEM tripwires
  • Configure systems to generate early log alerts after compromise
    • Identify file and folder scan activity
    • Identify user token stealing
    • Operationalize virtual honeypots with central logging
    • Allow phone home tracking
  • Post mortem analysis
  • Re-analyze network traffic
    • Identify malicious domains and IPs
    • Look for beaconing activity
• Introduction and Configuration Splunk Enterprise Security (SIEM)
• Getting Started with ES
  • Describe the features and capabilities of Splunk Enterprise Security (ES)
  • Explain how ES helps security practitioners prevent, detect, and respond to threats
  • Describe correlation searches, data models, and notable events
  • Describe user roles in ES
• Security Monitoring and Incident Investigation
  • Use the Security Posture dashboard to monitor ES status
  • Use the Incident Review dashboard to investigate notable events
  • Take ownership of an incident and move it through the investigation workflow
  • Create notable events
  • Suppress notable events
• Risk-Based Alerting
  • Give an overview of Risk-Based Alerting
  • View Risk Notables and risk information on the Incident Review dashboard
  • Explain risk scores and how to change an object’s risk score
  • Review the Risk Analysis dashboard
  • Describe annotations
  • Describe the process for retrieving LDAP data for an asset or identity lookup
• Investigations
  • Use investigations to manage incident response activity
  • Use the Investigation Workbench to manage, visualize and coordinate incident investigations
  • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
  • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
• Using Security Domain Dashboards
  • Use ES to inspect events containing information relevant to active or past incident investigation
  • Identify security domains in ES
  • Use ES security domain dashboards
  • Launch security domain dashboards from Incident Review and from action menus in search results

گواهینامه‌ی دوره