SOC Tier 1 Operations Zero to Hero
- Intermediate
- Blue team path
- 43 lessons
Course name: SOC Tier 1 Operations Zero to Hero
About this course
- Security operations and monitoring
- Traffic analysis
- Splunk fundamentals, based on the Splunk Fund 1 course
- SIEM analysis and blue team
Who is this course recommended for?
- Tier 1 SOC analysts and engineers
- Cyber security enthusiasts
- Information technology graduates
- People working in Help Desk and network administrator positions
What knowledge do I need to attend this course?
- Familiarity with cyber attack concepts
- Familiarity with Windows and Linux operating system concepts
- Familiarity with network and protocol concepts
Course syllabus
- Incident Response and Cyber Investigations
  - Incident Response
    - Case study: Argous Corporation compromise
    - Dynamic Approach to Incident Response
    - Investigative analysis: Examining incident evidence
  - Digital Investigations
    - Techniques for digital investigation
    - Establishing an incident timeline
    - Investigation efficiency: Data reduction
  - Live Examination
    - Identifying suspicious Windows processes
    - Correlating network and persistence activity
    - Enumerating Windows auto-start extensibility points
    - Leveraging Sysinternals for live Windows examinations
  - Network Investigations
    - Identifying compromised host beaconing with proxy server logs
    - Filtering network activity to identify indicators of compromise
    - Assessing encrypted network traffic with multiple data sources
    - Building the incident timeline
  - Memory Investigations
    - Conducting offline analysis of attacker persistence Cyberscope and SCAP
    - Using Volatility to inspect attacker malware
  - Malware Investigations
    - Assessing attacker malware in a custom test environment
    - Using snapshot and continuous recording tools
    - Inspecting malware actions with RegShot and Procmon
    - Identifying malicious code on Windows
- Continuous Monitoring and Security Operations
  - Current State Assessment, Security Operations Centers, and Security Architecture
    - Traditional Security Architecture
      - Perimeter-focused
      - Addressed Layer 3/4
      - Centralized Information Systems
      - Prevention-Oriented
      - Device-driven
      - Traditional Attack Techniques
    - Introducing Security Onion 2.X
      - Alerts Menu
      - Pivoting to the Hunt Menu
      - The PCAP Menu
    - Modern Security Architecture Principles
      - Detection-oriented
      - Post-Exploitation-focused
      - Decentralized Information Systems/Data
      - Risk-informed
      - Layer 7 Aware
      - Security Operations Centers
      - Network Security Monitoring
      - Continuous Security Monitoring
      - Modern Attack Techniques
      - Adversarial Dominance
      - MITRE ATT&CK®
    - Security Architecture – Key Techniques/Practices and Defensible Network Security Architecture Principles Applied
      - Threat Vector Analysis
      - Data Exfiltration Analysis
      - Detection Dominant Design
      - Intrusion Kill Chain
      - Visibility Analysis
      - Lateral Movement Analysis
      - Data Ingress/Egress Mapping
      - Internal Segmentation
      - Zero Trust Architecture (Kindervag)
      - Data Visualization
      - Network Security Monitoring
      - Continuous Security Monitoring
  - Network Security Architecture
    - SOCs/Security Architecture – Key Infrastructure Devices
      - Traditional and Next-Generation Firewalls, and NIPS
      - Web Application Firewall
      - Malware Detonation Devices
      - HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
      - SIEMs, NIDS, Packet Captures, and DLP
      - Honeypots/Honeynets
      - Network Infrastructure – Routers, Switches, DHCP, DNS
      - Threat Intelligence
    - Segmented Internal Networks
      - Routers
      - Internal SI Firewalls
      - VLANs
      - Detecting the Pivot
      - DNS architecture
      - Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
  - Network Security Monitoring
    - Evolution of NSM
    - The NSM Toolbox
    - NIDS Design
    - Analysis Methodology
    - Understanding Data Sources
      - Full Packet Capture
      - Extracted Data
      - String Data
      - Flow Data
      - Transaction Data
      - Statistical Data
      - Alert Data
      - Tagged Data
      - Correlated Data
    - Practical NSM Issues
    - Cornerstone NSM
      - Service-Side and Client-Side Exploits
      - Identifying High-Entropy Strings
      - Tracking EXE Transfers
      - Identifying Command and Control (C2) Traffic
      - Tracking User Agents
      - C2 via HTTPS
      - Tracking Encryption Certificates
      - Detecting Malware via JA3
    - Detecting Cobalt Strike
      - Criminal Usage of Cobalt Strike
      - Malleable C2
      - Cobalt Strike's x.509 Certificates
  - Endpoint Security Architecture
    - Endpoint Security Architecture
      - Endpoint Protection Platforms
      - Endpoint Detection Response
      - Authentication Protection/Detection
      - Configuration Management/Monitoring
    - Endpoint Protection
      - TPM: Device Health Attestation
      - Host-based Firewall, Host-based IDS/IPS
      - Application Control, Application Virtualization
      - Virtualization Based Security
      - Microsoft Defender: Application Guard
      - Windows Defender: Credential Guard
      - Defender for Endpoint: Attack Surface Reduction
      - EMET and Defender Exploit Guard
    - Endpoint Detection Windows – Sysmon
      - FileDelete, ProcessTampering, and other recent additions
      - IMPHASH
      - DeepBlueHash
    - Authentication Protection and Detection
      - Privileged Account Monitoring
      - Dynamic Lock
      - PIN-Only Authentication
      - Hash/Ticket/Token Attacks
  - Automation and Continuous Security Monitoring
    - Industry Best Practices
      - Continuous Monitoring and the 20 CIS Critical Security Controls
      - Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
    - Winning CSM Techniques
      - Long Tail Analysis
      - Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents
      - The ASD Essential Eight
    - Maintaining Situational Awareness
      - Host, Port, and Service Discovery
      - Vulnerability Scanning
      - Monitoring Patching
      - Monitoring Applications
      - Monitoring Service Logs
      - Detecting Malware via DNS logs
      - Detecting DNS Tunneling via Iodine and dnscat2
      - Domain_stats and Registration Data Access Protocol (RDAP)
    - Monitoring Change to Devices and Appliances
      - Leveraging Proxy and Firewall Data
      - Configuring Centralized Windows Event Log Collection
      - Monitoring Critical Windows Events
      - Hands-on: Detecting Malware via Windows Event Logs
    - Scripting and Automation
      - Importance of Automation
      - PowerShell
      - DeepBlueCLI
- Network Traffic Analysis Cyber Security Threat Detection
  - Introduction to Traffic Analysis
    - Traffic Analysis Overview
      - OSI Model
      - TCP/IP Model
      - Communication Models
      - Traffic Analysis for Offense
      - Traffic Analysis for Defense
      - Terminology
        - Port SPAN (Mirroring)
        - Man In The Middle (MITM)
        - Full Packet Capture
        - NetFlow
  - Wireshark Basics
    - Wireshark Overview
    - Wireshark Filters
    - Wireshark Tips
    - Decoding
    - Field Extraction
    - Exporting of results
    - Wireshark investigation of an incident
    - Practical Wireshark uses for analyzing
  - Hunting Information from Packets
    - DNS
    - Internal Routing Protocols
    - HTTP/HTTPS
    - NetBIOS
    - SNMP
    - DHCP
    - SMB
    - SMTP
    - ICMP
    - FTP
  - Intrusion Detection by Traffic Analysis
    - Analyzing & Detecting Link Layer Attacks
    - Analyzing & Detecting IP Layer Attacks
    - Analyzing & Detecting Transport Layer Attacks
    - Analyzing Common Application Protocol Traffic & Attacks
    - Introduction to Open Source IDS Solutions
      - Introduction to Zeek and RITA
      - Using Zeek and RITA to find Evil
  - Tshark Basics and TCPdump
    - Tshark Overview
    - Tshark Filters
    - Exporting of Results
    - Pipelining with other Tools
- Blue Team Fundamentals: Security Operations and Analysis
  - Blue Team Tools and Operations
    - Introduction to the Blue Team Mission
      - What is a SOC? What is the mission?
      - Why are we being attacked?
      - Modern defense mindset
      - The challenges of SOC work
    - SOC Overview
      - The people, process, and technology of a SOC
      - Aligning the SOC with your organization
      - SOC functional component overview
      - Tiered vs. tierless SOCs
      - Important operational documents
    - Defensible Network Concepts
      - Understanding what it takes to be defensible
      - Network security monitoring (NSM) concepts
      - NSM event collection
      - NSM by network layer
      - Continuous security monitoring (CSM) concepts
      - CSM event collection
      - Monitoring sources overview
      - Data centralization
    - Events, Alerts, Anomalies, and Incidents
      - Event collection
      - Event log flow
      - Alert collection
      - Alert triage and log flow
      - Signatures vs. anomalies
      - Alert triage workflow and incident creation
    - Incident Management Systems
      - SOC data organization tools
      - Incident management systems options and features
      - Data flow in incident management systems
      - Case creation, alerts, observables, playbooks, and workflow
      - Case and alert naming convention
      - Incident categorization framework
    - Threat Intelligence Platforms
      - What is cyber threat intelligence?
      - Threat data vs. information vs. intelligence
      - Threat intel platform options, features, and workflow
      - Event creation, attributes, correlation, and sharing
    - SIEM
      - Benefits of data centralization
      - SIEM options and features
      - SIEM searching, visualizations, and dashboards
      - Use cases and use case databases
    - Automation and Orchestration
      - How SOAR works and benefits the SOC
      - Options and features
      - SOAR value-adds and API interaction
      - Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
    - Who Are Your Enemies?
      - Who's attacking us and what do they want?
      - Opportunistic vs. targeted attackers
      - Hacktivists, insiders, organized crime, governments
      - Motivation by attacker group
      - Case studies of different attack groups
      - Attacker group naming conventions
  - Understanding Your Network
    - Corporate Network Architecture
    - Traffic Capture and Analysis
    - Understanding DNS
    - DNS analysis and attacks
    - Understanding HTTP and HTTPS
    - Analyzing HTTP for Suspicious Activity
    - How SMTP and Email Attacks Work
    - Additional Important Protocols
      - SMB – versions and typical attacks
      - DHCP for defenders
      - ICMP and how it is abused
      - FTP and attacks
      - SSH and attacks
      - PowerShell remoting
  - Understanding Endpoints, Logs, and Files
    - Endpoint Attack Tactics
      - Endpoint attack centricity
      - Initial exploitation
      - Service-side vs client-side exploits
      - Post-exploitation tactics, tools, and explanations – execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
    - Endpoint Defense In-Depth
      - Network scanning and software inventory
      - Vulnerability scanning and patching
      - Anti-exploitation
      - Whitelisting
      - Host intrusion prevention and detection systems
      - Host firewalls
      - File integrity monitoring
      - Privileged access workstations
      - Windows privileges and permissions
      - Endpoint detection and response tools (EDR)
      - File and drive encryption
      - Data loss prevention
      - User and entity behavior analytics (UEBA)
    - How Windows Logging Works
      - Channels, event IDs, and sources
      - XML format and event templates
      - Log collection path
      - Channels of interest for tactical data collection
    - How Linux Logging Works
      - Syslog log format
      - Syslog daemons
      - Syslog network protocol
      - Log collection path
      - Systemd journal
      - Additional command line auditing options
      - Application logging
      - Service vs. system logs
    - Interpreting Important Events
      - Windows and Linux login events
      - Process creation logs for Windows and Linux
      - Additional activity monitoring
      - Firewall events
      - Object and file auditing
      - Service creation and operation logging
      - New scheduled tasks
      - USB events
      - User creation and modification
      - Windows Defender events
      - PowerShell logging
      - Kerberos and Active Directory Events
      - Authentication and the ticket-granting service
      - Kerberos authentication steps
      - Kerberos log events in detail
    - Log Collection, Parsing, and Normalization
      - Logging pipeline and collection methods
      - Windows vs. Linux log agent collection options
      - Parsing unstructured vs. structured logs
      - SIEM-centric formats
      - Efficient searching in your SIEM
      - The role of parsing and log enrichment
      - Log normalization and categorization
      - Log storage and retention lifecycle
    - File Contents and Identification
      - File contents at the byte level
      - How to identify a file by the bytes
      - Magic bytes
      - Nested files
      - Strings – uses, encoding options, and viewing
    - Identifying and Handling Suspicious Files
      - Safely handling suspicious files
      - Dangerous file types
      - Exploits vs. program "features"
      - Exploits vs. Payloads
      - Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
      - Hashing and signature verification
      - Signature inspection and safety of verified files
      - Inspection methods, detecting malicious scripts and other files
  - Triage and Analysis
    - Alert Triage and Prioritization
      - Priority for triage
      - Spotting late-stage attacks
      - Attack lifecycle models
      - Spotting exfiltration and destruction attempts
      - Attempts to access sensitive users, hosts, and data
      - Targeted attack identification
      - Lower-priority alerts
      - Alert validation
    - Perception, Memory, and Investigation
      - The role of perception and memory in observation and analysis
      - Working within the limitations of short-term memory
      - Efficiently committing info to long-term memory
      - Decomposition and externalization techniques
      - The effects of experience on speed and creativity
    - Mental Models for Information Security
      - Network and file encapsulation
      - Cyber kill chain
      - Defense-in-depth
      - NIST cybersecurity framework
      - Incident response cycle
      - Threat intelligence levels, models, and uses
      - F3EAD
      - Diamond model
      - The OODA loop
      - Attack modeling, graph/list thinking, attack trees
      - Pyramid of pain
      - MITRE ATT&CK
    - Structured Analysis Techniques
      - Compensating for memory and perception issues via structured analysis
      - System 1 vs. System 2 thinking and battling tacit knowledge
      - Data-driven vs. concept-driven analysis
      - Structured analytic techniques
      - Idea generation and creativity, hypothesis development
      - Confirmation bias avoidance
      - Analysis of competing hypotheses
      - Diagnostic reasoning
      - Link analysis, event matrices
    - Analysis Questions and Tactics
      - Where to start – breaking down an investigation
      - Alert validation techniques
      - Sources of network and host information
      - Data extraction
      - OSINT sources
      - Data interpretation
      - Assessing strings, files, malware artifacts, email, links
    - Analysis OPSEC
      - OPSEC vs. your threat model
      - Traffic light protocol and intel sharing
      - Permissible action protocol
      - Common OPSEC failures and how to avoid them
    - Intrusion Discovery
      - Dwell time and intrusion type
      - Determining attacker motivation
      - Assessing business risk
      - Choosing an appropriate response
      - Reacting to opportunistic/targeted attacks
      - Common missteps in incident response
    - Incident Closing and Quality Review
      - Steps for closing incidents
      - Quality review and peer feedback
      - Analytical completeness checks
      - Closed case classification
      - Attribution
      - Maintaining quality over time
      - Premortem and challenge analysis
      - Peer review, red team, team A/B analysis, and structured self-critique
  - Continuous Improvement, Analytics, and Automation
    - Improving Life in the SOC
      - Expectations vs. common reality
      - Burnout and stress avoidance
      - Improvement through SOC human capital theory
      - The role of automation, operational efficiency, and metrics in burnout
      - Other common SOC issues
    - Analytic Features and Enrichment
      - Goals of analytic creation
      - Log features and parsing
      - High-feature vs. low-feature logs
      - Improvement through SIEM enrichment
      - External tools and other enrichment sources
    - New Analytic Design, Testing, and Sharing
      - Tolerance to false positives/negatives
      - The false positive paradox
      - Types of analytics
      - Feature selection for analytics
      - Matching with threat intel
      - Regular expressions
      - Common matching and rule logic options
      - Analytic generalization and sharing with Sigma
    - Tuning and False Positive Reduction
      - Dealing with alerts and runaway alert queues
      - How many analysts should you have?
      - Types of poor alerts
      - Tuning strategy for poor alert types
      - Tuning via log field analysis
      - Using policy to raise fidelity
      - Sensitivity vs. specificity
      - Automation and fast lanes
    - Automation and Orchestration
      - The definition of automation vs. orchestration
      - What is SOAR?
      - SOAR product considerations
      - Common SOAR use cases
      - Enumeration and enrichment
      - Response actions
      - Alert and case management
      - The paradox of automation
      - DIY scripting
    - Improving Operational Efficiency and Workflow
      - Micro-automation
      - Form filling
      - Text expanders
      - Email templates
      - Smart keywords
      - Browser plugins
      - Text caching
      - JavaScript page modification
      - OS Scripting
    - Containing Identified Intrusions
      - Containment and analyst empowerment
      - Isolation options across network layers – physical, link, network, transport, application
      - DNS firewalls, HTTP blocking and containment, SMTP, Web Application Firewalls
      - Host-based containment tools
- Splunk fundamental 1
  - Introduction
    - Overview of Buttercup Games Inc.
  - What is Splunk?
    - Splunk components
    - Installing Splunk
    - Getting data into Splunk
  - Introduction to Splunk's User Interface
    - Understand the uses of Splunk
    - Define Splunk Apps
    - Customizing your user settings
    - Learn basic navigation in Splunk
  - Basic Searching
    - Run basic searches
    - Use autocomplete to help build a search
    - Set the time range of a search
    - Identify the contents of search results
    - Refine searches
    - Use the timeline
    - Work with events
    - Control a search job
    - Save search results
  - Using Fields in Searches
    - Understand fields
    - Use fields in searches
    - Use the fields sidebar
  - Search Language Fundamentals
    - Review basic search commands and general search practices
    - Examine the search pipeline
    - Specify indexes in searches
    - Use autocomplete and syntax highlighting
    - Use SPL search commands to perform searches
  - Using Basic Transforming Commands
    - The top command
    - The rare command
    - The stats command
  - Creating Reports and Dashboards
    - Save a search as a report
    - Edit reports
    - Create reports that include visualizations such as charts and tables
    - Create a dashboard
    - Add a report to a dashboard
    - Edit a dashboard
  - Datasets and the Common Information Model
    - Naming conventions
    - What are datasets?
    - What is the Common Information Model (CIM)?
  - Creating and Using Lookups
    - Describe lookups
    - Create a lookup file and create a lookup definition
    - Configure an automatic lookup
  - Creating Scheduled Reports and Alerts
    - Describe scheduled reports
    - Configure scheduled reports
    - Describe alerts
    - Create alerts
    - View fired alerts
  - Using Pivot
    - Describe Pivot
    - Understand the relationship between data models and pivot
    - Select a data model object
    - Create a pivot report
    - Create an instant pivot from a search
    - Add a pivot report to a dashboard
- SIEM with Tactical Analytics
  - SIEM Architecture
    - State of the SOC/SIEM
    - Log Monitoring
      - Logging architecture
      - SIEM platforms
      - Planning a SIEM
    - SIEM Architecture
      - Ingestion techniques and nodes
      - Data queuing and resiliency
      - Storage and speed
      - Analytical reporting
        - Visualizations
        - Detection Dashboards
  - Service Profiling With SIEM
    - Detection methods and relevance to log analysis
      - Attacker patterns
      - Attacker behaviors
      - Abnormalities
    - Analyzing common application logs that generate tremendous amounts of data
      - DNS
        - Finding new domains being accessed
        - Pulling in additional information such as domain age
        - Finding randomly named domains
        - Discover domain shadowing techniques
        - Identifying recon
        - Find DNS C2 channels
      - HTTP
        - Use large datasets to find attacks
        - Identify bot traffic hiding in the clear
        - Discover requests that users do not make
        - Find ways to filter out legitimate noise
        - Use attacker randomness against them
        - Identify automated activity vs user activity
        - Filter approved web clients vs unauthorized
        - Find HTTP C2 channels
      - HTTPS
        - Alter information for large scale analysis
        - Analyze certificate fields to identify attack vectors
        - Track certificate validity
        - Apply techniques that overlap with standard HTTP
        - Find HTTPS C2 channels
      - SMTP
        - Identify where unauthorized email is coming from
        - Find compromised mail services
        - Fuzzy matching likely phishing domains
        - Data exfiltration detection
        - Abnormalities
    - Apply threat intelligence to generic network logs
    - Active Dashboards and Visualizations
      - Correlate network datasets
      - Build frequency analysis tables
      - Establish network baseline activity
  - Advanced Endpoint Analytics
    - Endpoint logs
      - Understanding value
      - Methods of collection
        - Agents
        - Agentless
        - Scripting
      - Adding additional logging
        - EMET
        - Sysmon
        - Group Policy
      - Windows filtering and tuning
      - Analyze critical events based on attacker patterns
        - Finding signs of exploitation
        - Find signs of internal reconnaissance
        - Finding persistence
        - Privilege escalation
        - Establishing a foothold
        - Cleaning up tracks
    - Host-based firewall logs
      - Discover internal pivoting
      - Identify unauthorized listening executables
      - See scan activity
    - Credential theft and reuse
      - Multiple failed logons
      - Unauthorized account use
    - Monitor PowerShell
      - Configure PowerShell logging
      - Identify obfuscation
      - Identify modern attacks
    - Containers
      - Logging methods
      - Monitoring
  - Baselining and User Behavior Monitoring
    - Identify authorized and unauthorized assets
      - Active asset discovery
        - Scanners
        - Network Access Control
      - Passive asset discovery
        - DHCP
        - Network listeners such as p0f, bro, and prads
        - NetFlow
        - Switch CAM tables
      - Combining asset inventory into a master list
      - Adding contextual information
        - Vulnerability data
        - Authenticated device vs unauthenticated device
    - Identify authorized and unauthorized software
      - Source collection
        - Asset inventory systems
        - Patching management
        - Whitelisting solutions
        - Process monitoring
      - Discovering unauthorized software
    - Baseline data
      - Network data (from NetFlow, firewalls, etc.)
        - Use outbound flows to discover unauthorized use or assets
        - Compare expected inbound/outbound protocol
        - Find persistence and beaconing
        - Utilize geolocation and reverse DNS lookups
        - Establish device-to-device relationships
        - Identify lateral movement
        - Configure outbound communication thresholds
      - Monitor logons based on patterns
        - Time-based
        - Concurrency of logons
        - Logons by user
        - Logons by source device
        - Multiple geo locations
      - Endpoint baseline monitoring
        - Configure enterprise wide baseline collection
        - Large scale persistence monitoring
        - Finding abnormal local user accounts
        - Discover dual-homed devices
  - Tactical SIEM Detection and Post-Mortem Analysis
    - Centralize NIDS and HIDS alerts
      - Analyze endpoint security logs
      - Provide alternative analysis methods
      - Configure tagging to facilitate better reporting
    - Augment intrusion detection alerts
      - Extract CVE, OSVDB, etc. for further context
      - Pull in rule info and other info such as geo
    - Analyze vulnerability information
      - Set up vulnerability reports
      - Correlate CVE, OSVDB, and other unique IDs with IDS alerts
      - Prioritize IDS alerts based on vulnerability context
    - Correlate malware sandbox logs with other systems to identify victims across the enterprise
    - Monitor Firewall Activity
      - Identify scanning activity on inbound denies
      - Apply auto response based on alerts
      - Find unexpected outbound traffic
      - Baseline allow/denies to identify unexpected changes
      - Apply techniques to filter out noise in denied traffic
    - SIEM tripwires
      - Configure systems to generate early log alerts after compromise
      - Identify file and folder scan activity
      - Identify user token stealing
      - Operationalize virtual honeypots with central logging
      - Allow phone home tracking
    - Post mortem analysis
      - Re-analyze network traffic
      - Identify malicious domains and IPs
      - Look for beaconing activity
- Introduction and Configuration Splunk Enterprise Security (SIEM)
  - Getting Started with ES
    - Describe the features and capabilities of Splunk Enterprise Security (ES)
    - Explain how ES helps security practitioners prevent, detect, and respond to threats
    - Describe correlation searches, data models, and notable events
    - Describe user roles in ES
  - Security Monitoring and Incident Investigation
    - Use the Security Posture dashboard to monitor ES status
    - Use the Incident Review dashboard to investigate notable events
    - Take ownership of an incident and move it through the investigation workflow
    - Create notable events
    - Suppress notable events
  - Risk-Based Alerting
    - Give an overview of Risk-Based Alerting
    - View Risk Notables and risk information on the Incident Review dashboard
    - Explain risk scores and how to change an object's risk score
    - Review the Risk Analysis dashboard
    - Describe annotations
    - Describe the process for retrieving LDAP data for an asset or identity lookup
  - Investigations
    - Use investigations to manage incident response activity
    - Use the Investigation Workbench to manage, visualize and coordinate incident investigations
    - Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
    - Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
  - Using Security Domain Dashboards
    - Use ES to inspect events containing information relevant to active or past incident investigation
    - Identify security domains in ES
    - Use ES security domain dashboards
    - Launch security domain dashboards from Incident Review and from action menus in search results
Course certificate
