SOC Tier 1 Operations Zero to Hero
SOC Tier 1 Operations Zero to Hero
پس از پرداخت اطلاعات به ایمیل شما ارسال خواهد شد
- متوسط
- مسیر آبی
- ۵۰ درس
دربارهی این دوره
تماشای ویدیوی جلسهی صفر دوره
در عصر حاضر با پیشرفت سریع فناوری و تهدیدهای روزمرهی آن، مشاغل بزرگ و کوچک باید از اطلاعات حساس خود مانند دادههای مشتریان، کارمندان، شرکا، اسناد سازمانی و سایر موارد در برابر افراد خرابکار و مهاجمان سایبری محافظت کنند. اما از طرف دیگر با افزایش تعداد مهاجمان سایبری و پیچیدهتر شدن حملهها در دنیا، این محافظت به یک موضوع روزبهروز چالشبرانگیزتر تبدیل شده است. امنیت سایبری در سالهای اخیر در کنار جلوگیری و پیشگیری از حملهها، بر روی شناسایی تهدیدها و حملههای سایبری در زیرساخت متمرکز شده است. در گذشته اگر نفوذگر موفق به دور زدن راهکارهای امنیتی بازدارندهی قربانی میشد، دیگر مانع بزرگی در مسیر خود نمیدید و میتوانست هفتهها یا ماهها در شبکهی قربانی به گردش و جستوجو پرداخته و دادههای محرمانهی قربانی را از شبکه استخراج یا حتی این دادههای سرقتی را در طول زمان بهروزرسانی کند. همین امر موجب شد تا سازمانها به راهکارهای جدید و پیچیدهتری برای مقابله با نفوذگران در مرحلهی پس از نفوذ، روی بیاورند. در همین راستا یکی از راهکارهای اساسی که مورد استقبال سازمانهای دنیا قرار گرفت، راهاندازی مراکز عملیات امنیت (SOC) بود. در واقع یکی از مهمترین وظایف مرکز عملیات امنیت، شناسایی و پاسخ به انواع تهدیدهای سایبری با بهرهگیری از متخصصان در سطوح مختلف است. اما برخلاف موارد ذکرشده، یکی از مهمترین چالشهای مراکز عملیات امنیت در دنیا، کمبود نیروی متخصص در لایههای مختلف این مراکز است. این چالش در ایران نیز به مراتب پررنگتر از بسیاری کشورها وجود دارد. این دورهی جامع با هدف آموزش دانش مورد نیاز برای تبدیل شدن به کارشناس لایهی یک در مراکز عملیات امنیت، با چهار ماژول اصلی به شرح زیر ارائه شده است:
- عملیات امنیت و مانیتورینگ
- تحلیل ترافیک
- مبانی کار با Splunk مبتنیبر دورهی Splunk Fund 1
- تحلیل SIEM و تیم آبی
این دوره شامل حداقل ۱۰۰ ساعت محتوای آموزشی است که بهصورت آفلاین (ویدیویی) در اختیار شما قرار خواهد گرفت. همچنین، بهصورت متناوب، جلسههای آنلاین توسط مدرس دوره یا TAها برای هرگونه رفع اشکال و پرسشوپاسخ برگزار خواهد شد و گروه تلگرامی برای ارتباط مستقیم با مدرسها خواهید داشت. در مجموع بیشاز ۱۲۰ ساعت محتوای آموزشی و پشتیبانی برای این دوره پیشبینی شده است.
تاکنون بیشاز ۲۰۰ نفر در این دوره شرکت کردهاند و در تمام سال، امکان خرید و پیوستن به گروه پشتیبانی آن را خواهید داشت.
این دوره به چه افرادی توصیه میشود؟
- تحلیلگران و مهندسان لایهی اول SOC
- علاقهمندان به امنیت سایبری
- دانشجویان و فارغالتحصیلان رشتههای فناوری اطلاعات
- افراد فعال در پوزیشنهای Help Desk و ادمین شبکه
برای حضور در این دوره چه دانشهایی باید داشته باشم؟
- آشنایی با مفاهیم حملههای سایبری
- آشنایی با مفاهیم سیستمعاملهای ویندوز و لینوکس
- آشنایی با مفاهیم شبکه و پروتکلها
سرفصلهای دوره
-
Incident Response and Cyber Investigations
-
Incident Response
-
Case study: Argous Corporation compromise
-
Dynamic Approach to Incident Response
-
Investigative analysis: Examining incident evidence
-
-
Digital Investigations
-
Techniques for digital investigation
-
Establishing an incident timeline
-
Investigation efficiency: Data reduction
-
-
Live Examination
-
Identifying suspicious Windows processes
-
Correlating network and persistence activity
-
Enumerating Windows auto-start extensibility points
-
Leveraging Sysinternals for live Windows examinations
-
-
Network Investigations
-
Identifying compromised host beaconing with proxy server logs
-
Filtering network activity to identify indicators of compromise
-
Assessing encrypted network traffic with multiple data sources
-
Building the incident timeline
-
-
Memory Investigations
-
Memory Investigations
-
Conducting offline analysis of attacker persistence Cyberscope and SCAP
-
Using Volatility to inspect attacker malware
-
-
Malware Investigations
-
Assessing attacker malware in a custom test environment
-
Using snapshot and continuous recording tools
-
Inspecting malware actions with RegShot and Procmon
-
Identifying malicious code on Windows
-
-
Continuous Monitoring and Security Operations
-
Current State Assessment, Security Operations Centers, and Security Architecture
-
Traditional Security Architecture
-
Perimeter-focused
-
Addressed Layer 3/4
-
Centralized Information Systems
-
Prevention-Oriented
-
Device-driven
-
Traditional Attack Techniques
-
-
Introducing Security Onion 2.X
-
Alerts Menu
-
Pivoting to the Hunt Menu
-
The PCAP Menu
-
-
Modern Security Architecture Principles
-
Detection-oriented
-
Post-Exploitation-focused
-
Decentralized Information Systems/Data
-
Risk-informed
-
Layer 7 Aware
-
Security Operations Centers
-
Network Security Monitoring
-
Continuous Security Monitoring
-
Modern Attack Techniques
-
Adversarial Dominance
-
MITRE ATT&CK®
-
-
Security Architecture – Key Techniques/Practices and Defensible Network Security Architecture Principles Applied
-
Threat Vector Analysis
-
Data Exfiltration Analysis
-
Detection Dominant Design
-
Intrusion Kill Chain
-
Visibility Analysis
-
Lateral Movement Analysis
-
Data Ingress/Egress Mapping
-
Internal Segmentation
-
Zero Trust Architecture (Kindervag)
-
Data Visualization
-
Network Security Monitoring
-
Continuous Security Monitoring
-
-
-
Network Security Architecture
-
SOCs/Security Architecture – Key Infrastructure Devices
-
Traditional and Next- Generation Firewalls, and NIPS
-
Web Application Firewall
-
Malware Detonation Devices
-
HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
-
SIEMs, NIDS, Packet Captures, and DLP
-
Honeypots/Honeynets
-
Network Infrastructure – Routers, Switches, DHCP, DNS
-
Threat Intelligence
-
-
Segmented Internal Networks
-
Routers
-
Internal SI Firewalls
-
VLANs
-
Detecting the Pivot
-
DNS architecture
-
Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
-
-
-
Network Security Monitoring
-
Evolution of NSM
-
The NSM Toolbox
-
NIDS Design
-
Analysis Methodology
-
Understanding Data Sources
-
Full Packet Capture
-
Extracted Data
-
String Data
-
Flow Data
-
Transaction Data
-
Statistical Data
-
Alert Data
-
Tagged Data
-
Correlated Data
-
-
Practical NSM Issues
-
Cornerstone NSM
-
Service-Side and Client-Side Exploits
-
Identifying High-Entropy Strings
-
Tracking EXE Transfers
-
Identifying Command and Control (C2) Traffic
-
Tracking User Agents
-
C2 via HTTPS
-
Tracking Encryption Certificates
-
Detecting Malware via JA3
-
-
Detecting Cobalt Strike
-
Criminal Usage of Cobalt Strike
-
Malleable C2
-
Cobalt Strikes x.509 Certificates
-
-
-
Endpoint Security Architecture
-
Endpoint Security Architecture
-
Endpoint Protection Platforms
-
Endpoint Detection Response
-
Authentication Protection/Detection
-
Configuration Management/Monitoring
-
-
Endpoint Protection
-
TPM: Device Health Attestation
-
Host-based Firewall, Host-based IDS/IPS
-
Application Control, Application Virtualization
-
Virtualization Based Security
-
Microsoft Defender: Application Guard
-
Windows Defender: Credential Guard
-
Defender for Endpoint: Attack Surface Reduction
-
EMET and Defender Exploit Guard
-
-
Endpoint Detection Windows – Sysmon
-
FileDelete, ProcessTampering, and other recent additions
-
IMPHASH
-
DeepBlueHash
-
-
Authentication Protection and Detection
-
Privileged Account Monitoring
-
Dynamic Lock
-
PIN-Only Authentication
-
Hash/Ticket/Token Attacks
-
-
-
Automation and Continuous Security Monitoring
-
Industry Best Practices
-
Continuous Monitoring and the 20 CIS Critical Security Controls
-
Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
-
-
Winning CSM Techniques
-
Long Tail Analysis
-
Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents
-
The ASD Essential Eight
-
-
Maintaining Situational Awareness
-
Host, Port, and Service Discovery
-
Vulnerability Scanning
-
Monitoring Patching
-
Monitoring Applications
-
Monitoring Service Logs
-
Detecting Malware via DNS logs
-
Detecting DNS Tunneling via Iodine and dnscat2
-
Domain_stats and Registration Data Access Protocol (RDAP)
-
-
Monitoring Change to Devices and Appliances
-
Leveraging Proxy and Firewall Data
-
Configuring Centralized Windows Event Log Collection
-
Monitoring Critical Windows Events
-
Hands-on: Detecting Malware via Windows Event Logs
-
-
Scripting and Automation
-
Importance of Automation
-
PowerShell
-
DeepBlueCLI
-
-
-
Network Traffic Analysis Cyber Security Threat Detection
-
Introduction to Traffic Analysis
-
Traffic Analysis Overview
-
OSI Model
-
TCP/IP Model
-
Communication Models
-
Traffic Analysis for Offense
-
Traffic Analysis for Defense
-
Terminology
-
Port SPAN (Mirroring)
-
Man In The Middle (MITM)
-
Full packet Capture
-
NetFlow
-
-
-
Wireshark Basics
-
Wireshark Overview
-
Wireshark Filters
-
Wireshark Tips
-
Decoding
-
Field Extraction
-
Exporting of results
-
Wireshark investigation of an incident
-
Practical Wireshark uses for analyzing
-
-
Hunting Information form Packets
-
DNS
-
Internal Routing Protocols
-
HTTP/HTTPS
-
NetBIOS
-
SNMP
-
DHCP
-
SMB
-
SMTP
-
ICMP
-
FTP
-
-
Intrusion Detection by Traffic Analysis
-
Analyzing & Detecting Link Layer Attacks
-
Analyzing & Detecting IP Layer Attacks
-
Analyzing & Detecting Transport Layer Attacks
-
Analyzing Common Application Protocol Traffic & Attacks
-
Introduction to Open Source IDS Solutions
-
Introduction Zeek and RITA
-
Using Zeek and RITA to find Evil
-
-
-
Tshark basics And TCPdump
-
Tshark Overview
-
Tshark Filters
-
Exporting of Results
-
Pipelining with other Tools
-
-
Blue Team Fundamentals: Security Operations and Analysis
-
Blue Team Tools and Operations
-
Introduction to the Blue Team Mission
-
What is a SOC? What is the mission?
-
Why are we being attacked?
-
Modern defense mindset
-
The challenges of SOC work
-
-
SOC Overview
-
The people, process, and technology of a SOC
-
Aligning the SOC with your organization
-
SOC functional component overview
-
Tiered vs. tierless SOCs
-
Important operational documents
-
-
Defensible Network Concepts
-
Understanding what it takes to be defensible
-
Network security monitoring (NSM) concepts
-
NSM event collection
-
NSM by network layer
-
Continuous security monitoring (CSM) concepts
-
CSM event collection
-
Monitoring sources overview
-
Data centralization
-
-
Events, Alerts, Anomalies, and Incidents
-
Event collection
-
Event log flow
-
Alert collection
-
Alert triage and log flow
-
Signatures vs. anomalies
-
Alert triage workflow and incident creation
-
-
Incident Management Systems
-
SOC data organization tools
-
Incident management systems options and features
-
Data flow in incident management systems
-
Case creation, alerts, observables, playbooks, and workflow
-
Case and alert naming convention
-
Incident categorization framework
-
-
Threat Intelligence Platforms
-
What is cyber threat intelligence?
-
Threat data vs. information vs. intelligence
-
Threat intel platform options, features, and workflow
-
Event creation, attributes, correlation, and sharing
-
-
SIEM
-
Benefits of data centralization
-
SIEM options and features
-
SIEM searching, visualizations, and dashboards
-
Use cases and use case databases
-
-
Automation and Orchestration
-
How SOAR works and benefits the SOC
-
Options and features
-
SOAR value-adds and API interaction
-
Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
-
-
Who Are Your Enemies?
-
Who’s attacking us and what do they want?
-
Opportunistic vs. targeted attackers
-
Hacktivists, insiders, organized crime, governments
-
Motivation by attacker group
-
Case studies of different attack groups
-
Attacker group naming conventions
-
-
-
Understanding Your Network
-
Corporate Network Architecture
-
Traffic Capture and Analysis
-
Understanding DNS
-
DNS analysis and attacks
-
Understanding HTTP and HTTPS
-
Analyzing HTTP for Suspicious Activity
-
How SMTP and Email Attacks Work
-
Additional Important Protocols
-
SMB – versions and typical attacks
-
DHCP for defenders
-
ICMP and how it is abused
-
FTP and attacks
-
SSH and attacks
-
PowerShell remoting
-
-
-
Understanding Endpoints, Logs, and Files
-
Endpoint Attack Tactics
-
Endpoint attack centricity
-
Initial exploitation
-
Service-side vs client-side exploits
-
Post-exploitation tactics, tools, and explanations – execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
-
-
Endpoint Defense In-Depth
-
Network scanning and software inventory
-
Vulnerability scanning and patching
-
Anti-exploitation
-
Whitelisting
-
Host intrusion prevention and detection systems
-
Host firewalls
-
File integrity monitoring
-
Privileged access workstations
-
Windows privileges and permissions
-
Endpoint detection and response tools (EDR)
-
File and drive encryption
-
Data loss prevention
-
User and entity behavior analytics (UEBA)
-
-
How Windows Logging Works
-
Channels, event IDs, and sources
-
XML format and event templates
-
Log collection path
-
Channels of interest for tactical data collection
-
-
How Linux Logging Works
-
Syslog log format
-
Syslog daemons
-
Syslog network protocol
-
Log collection path
-
Systemd journal
-
Additional command line auditing options
-
Application logging
-
Service vs. system logs
-
-
Interpreting Important Events
-
Windows and Linux login events
-
Process creation logs for Windows and Linux
-
Additional activity monitoring
-
Firewall events
-
Object and file auditing
-
Service creation and operation logging
-
New scheduled tasks
-
USB events
-
User creation and modification
-
Windows Defender events
-
PowerShell logging
-
Kerberos and Active Directory Events
-
Authentication and the ticket-granting service
-
Kerberos authentication steps
-
Kerberos log events in detail
-
-
Log Collection, Parsing, and Normalization
-
Logging pipeline and collection methods
-
Windows vs. Linux log agent collection options
-
Parsing unstructured vs. structured logs
-
SIEM-centric formats
-
Efficient searching in your SIEM
-
The role of parsing and log enrichment
-
Log normalization and categorization
-
Log storage and retention lifecycle
-
-
Files Contents and Identification
-
File contents at the byte level
-
How to identify a file by the bytes
-
Magic bytes
-
Nested files
-
Strings – uses, encoding options, and viewing
-
-
Identifying and Handling Suspicious Files
-
Safely handling suspicious files
-
Dangerous files types
-
Exploits vs. program “features”
-
Exploits vs. Payloads
-
Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
-
Hashing and signature verification
-
Signature inspection and safety of verified files
-
Inspection methods, detecting malicious scripts and other files
-
-
-
Triage and Analysis
-
Alert Triage and Prioritization
-
Priority for triage
-
Spotting late-stage attacks
-
Attack lifecycle models
-
Spotting exfiltration and destruction attempts
-
Attempts to access sensitive users, hosts, and data
-
Targeted attack identification
-
Lower-priority alerts
-
Alert validation
-
-
Perception, Memory, and Investigation
-
The role of perception and memory in observation and analysis
-
Working within the limitations of short-term memory
-
Efficiently committing info to long-term memory
-
Decomposition and externalization techniques
-
The effects of experience on speed and creativity
-
-
Perception, Memory, and Investigation
-
The role of perception and memory in observation and analysis
-
Working within the limitations of short-term memory
-
Efficiently committing info to long-term memory
-
Decomposition and externalization techniques
-
The effects of experience on speed and creativity
-
-
Mental Models for Information Security
-
Network and file encapsulation
-
Cyber kill chain
-
Defense-in-depth
-
NIST cybersecurity framework
-
Incident response cycle
-
Threat intelligence levels, models, and uses
-
F3EAD
-
Diamond model
-
The OODA loop
-
Attack modeling, graph/list thinking, attack trees
-
Pyramid of pain
-
MITRE ATT&CK
-
-
Structured Analysis Techniques
-
Compensating for memory and perception issues via structured analysis
-
System 1 vs. System 2 thinking and battling tacit knowledge
-
Data-driven vs. concept-driven analysis
-
Structured analytic techniques
-
Idea generation and creativity, hypothesis development
-
Confirmation bias avoidance
-
Analysis of competing hypotheses
-
Diagnostic reasoning
-
Link analysis, event matrices
-
-
Analysis Questions and Tactics
-
Where to start – breaking down an investigation
-
Alert validation techniques
-
Sources of network and host information
-
Data extraction
-
OSINT sources
-
Data interpretation
-
Assessing strings, files, malware artifacts, email, links
-
-
Analysis OPSEC
-
OPSEC vs. your threat model
-
Traffic light protocol and intel sharing
-
Permissible action protocol
-
Common OPSEC failures and how to avoid them
-
-
Intrusion Discovery
-
Dwell time and intrusion type
-
Determining attacker motivation
-
Assessing business risk
-
Choosing an appropriate response
-
Reacting to opportunistic/targeted attacks
-
Common missteps in incident response
-
-
Incident Closing and Quality Review
-
Steps for closing incidents
-
Quality review and peer feedback
-
Analytical completeness checks
-
Closed case classification
-
Attribution
-
Maintaining quality over time
-
Premortem and challenge analysis
-
Peer review, red team, team A/B analysis, and structured self-critique
-
-
-
Continuous Improvement, Analytics, and Automation
-
Improving Life in the SOC
-
Expectations vs. common reality
-
Burnout and stress avoidance
-
Improvement through SOC human capital theory
-
The role of automation, operational efficiency, and metrics in burnout
-
Other common SOC issues
-
-
Analytic Features and Enrichment
-
Goals of analytic creation
-
Log features and parsing
-
High-feature vs. low-feature logs
-
Improvement through SIEM enrichment
-
External tools and other enrichment sources
-
-
New Analytic Design, Testing, and Sharing
-
Tolerance to false positives/negatives
-
The false positive paradox
-
Types of analytics
-
Feature selection for analytics
-
Matching with threat intel
-
Regular expressions
-
Common matching and rule logic options
-
Analytic generalization and sharing with Sigma
-
-
Tuning and False Positive Reduction
-
Dealing with alerts and runaway alert queues
-
How many analysts should you have?
-
Types of poor alerts
-
Tuning strategy for poor alert types
-
Tuning via log field analysis
-
Using policy to raise fidelity
-
Sensitivity vs. specificity
-
Automation and fast lanes
-
-
Automation and Orchestration
-
The definition of automation vs. orchestration
-
What is SOAR?
-
SOAR product considerations
-
Common SOAR use cases
-
Enumeration and enrichment
-
Response actions
-
Alert and case management
-
The paradox of automation
-
DIY scripting
-
-
Improving Operational Efficiency and Workflow
-
Micro-automation
-
Form filling
-
Text expanders
-
Email templates
-
Smart keywords
-
Browser plugins
-
Text caching
-
JavaScript page modification
-
OS Scripting
-
-
Containing Identified Intrusions
-
Containment and analyst empowerment
-
Isolation options across network layers – physical, link, network, transport, application
-
DNS firewalls, HTTP blocking and containment, SMTP, Web Application Firewalls
-
Host-based containment tools
-
-
-
Splunk fundamental 1
-
Introduction
-
Overview of Buttercup Games Inc.
-
-
What is Splunk?
-
Splunk components
-
Installing Splunk
-
Getting data into Splunk
-
-
Introduction to Splunk’s User Interface
-
Understand the uses of Splunk
-
Define Splunk Apps
-
Customizing your user settings
-
Learn basic navigation in Splunk
-
-
Basic Searching
-
Run basic searches
-
Use autocomplete to help build a search
-
Set the time range of a search
-
Identify the contents of search results
-
Refine searches
-
Use the timeline
-
Work with events
-
Control a search job
-
Save search results
-
-
Using Fields in Searches
-
Understand fields
-
Use fields in searches
-
Use the fields sidebar
-
-
Search Language Fundamentals
-
Review basic search commands and general search practices
-
Examine the search pipeline
-
Specify indexes in searches
-
Use autocomplete and syntax highlighting
-
Use SPL search commands to perform searches
-
-
Using Basic Transforming Commands
-
The top command
-
The rare command
-
The stats command
-
-
Creating Reports and Dashboards
-
Save a search as a report
-
Edit reports
-
Create reports that include visualizations such as charts and tables
-
Create a dashboard
-
Add a report to a dashboard
-
Edit a dashboard
-
-
Datasets and the Common Information Model
-
Naming conventions
-
What are datasets?
-
What is the Common Information Model (CIM)?
-
-
Creating and Using Lookups
-
Creating and Using Lookups
-
Create a lookup file and create a lookup definition
-
Configure an automatic lookup
-
-
Creating Scheduled Reports and Alerts
-
Describe scheduled reports
-
Configure scheduled reports
-
Describe alerts
-
Create alerts
-
View fired alerts
-
-
Using Pivot
-
Describe Pivot
-
Understand the relationship between data models and pivot
-
Select a data model object
-
Create a pivot report
-
Create an instant pivot from a search
-
Add a pivot report to a dashboard
-
-
SIEM with Tactical Analytics
-
SIEM Architecture
-
State of the SOC/SIEM
-
Log Monitoring
-
Logging architecture
-
SIEM platforms
-
Planning a SIEM
-
SIEM Architecture
-
Ingestion techniques and nodes
-
Data queuing and resiliency
-
Storage and speed
-
Analytical reporting
-
Visualizations
-
Detection Dashboards
-
-
-
Service Profiling With SIEM
-
Detection methods and relevance to log analysis
-
Attacker patterns
-
Attacker behaviors
-
Abnormalities
-
-
Analyzing common application logs that generate tremendous amounts of data
-
DNS
-
Finding new domains being accessed
-
Pulling in addition information such as domain age
-
Finding randomly named domains
-
Discover domain shadowing techniques
-
Identifying recon
-
Find DNS C2 channels
-
-
HTTP
-
Use large datasets to find attacks
-
Identify bot traffic hiding in the clear
-
Discover requests that users do not make
-
Find ways to filter out legitimate noise
-
Use attacker randomness against them
-
Identify automated activity vs user activity
-
Filter approved web clients vs unauthorized
-
Find HTTP C2 channels
-
-
HTTPS
-
Alter information for large scale analysis
-
Analyze certificate fields to identify attack vectors
-
Track certificate validity
-
Apply techniques that overlap with standard HTTP
-
Find HTTPS C2 channels
-
-
SMTP
-
Identify where unauthorized email is coming from
-
Find compromised mail services
-
Fuzzy matching likely phishing domains
-
Data exfiltration detectionAbnormalities
-
-
Apply threat intelligence to generic network logs
-
Active Dashboards and Visualizations
-
Correlate network datasets
-
Build frequency analysis tables
-
Establish network baseline activity
-
-
-
Advanced Endpoint Analytics
-
Endpoint logs
-
Understanding value
-
Methods of collection
-
Agents
-
Agentless
-
Scripting
-
-
Adding additional logging
-
EMET
-
Sysmon
-
Group Policy
-
-
Windows filtering and tuning
-
Analyze critical events based on attacker patterns
-
Finding signs of exploitation
-
Find signs of internal reconnaissance
-
Finding persistence
-
Privilege escalation
-
Establishing a foothold
-
Cleaning up track
-
-
Host-based firewall logs
-
Discover internal pivoting
-
Identify unauthorized listening executables
-
See scan activity
-
-
Credential theft and reuse
-
Multiple failed logons
-
Unauthorized account use
-
-
Monitor PowerShell
-
Configure PowerShell logging
-
Identify obfuscation
-
Identify modern attacks
-
-
Containers
-
Logging methods
-
Monitoring
-
-
-
Baselining and user Behavior Monitoring
-
Identify authorized and unauthorized assets
-
Active asset discovery
-
Scanners
-
Network Access Control
-
-
Passive asset discovery
-
DHCP
-
Network listeners such as p0f, bro, and prads
-
NetFlow
-
Switch CAM tables
-
-
Combining asset inventory into a master list
-
Adding contextual information
-
Vulnerability data
-
Authenticated device vs unauthenticated device
-
-
Identify authorized and unauthorized software
-
Source collection
-
Asset inventory systems
-
Patching management
-
Whitelisting solutions
-
Process monitoring
-
Discovering unauthorized software
-
-
Baseline data
-
Network data (from netflow, firewalls, etc)
-
Use outbound flows to discover unauthorized use or assets
-
Compare expected inbound/outbound protocol
-
Find persistence and beaconing
-
Utilize geolocation and reverse dns lookups
-
Establish device-to-device relationships
-
Identify lateral movement
-
Configure outbound communication thresholds
-
-
Monitor logons based on patterns
-
Time-based
-
Concurrency of logons
-
logons by user
-
logons by source device
-
Multiple geo locations
-
-
Endpoint baseline monitoring
-
Configure enterprise wide baseline collection
-
Large scale persistence monitoring
-
Finding abnormal local user accounts
-
Discover dual-homed devices
-
-
-
Tactical SIEM Detection and Post-Mortem Analysis
-
Centralize NIDS and HIDS alerts
-
Analyze endpoint security logs
-
Provide alternative analysis methods
-
Configure tagging to facilitate better reporting
-
-
Augment intrusion detection alerts
-
Extract CVE, OSVDB, etc for further context
-
Pull in rule info and other info such as geo
-
-
Analyze vulnerability information
-
Setup vulnerability reports
-
Correlate CVE, OSVDB, and other unique IDs with IDS alerts
-
Prioritize IDS alerts based on vulnerability context
-
-
Correlate malware sandbox logs with other systems to identify victims across enterprise
-
Monitor Firewall Activity
-
Identify scanning activity on inbound denies
-
Apply auto response based on alerts
-
Find unexpected outbound traffic
-
Baseline allow/denies to identify unexpected changes
-
Apply techniques to filter out noise in denied traffic
-
-
SIEM tripwires
-
Configure systems to generate early log alerts after compromise
-
Identify file and folder scan activity
-
Identify user token stealing
-
Operationalize virtual honeypots with central logging
-
Allow phone home tracking
-
-
Post mortem analysis
-
Re-analyze network traffic
-
Identify malicious domains and IPs
-
Look for beaconing activity
-
-
-
Introduction and Configuration Splunk Enterprise Security (SIEM)
-
Getting Started with ES
-
Describe the features and capabilities of Splunk Enterprise Security (ES)
-
Explain how ES helps security practitioners prevent, detect, and respond to threats
-
Describe correlation searches, data models, and notable events
-
Describe user roles in ES
-
-
Security Monitoring and Incident Investigation
-
Use the Security Posture dashboard to monitor ES status
-
Use the Incident Review dashboard to investigate notable events
-
Take ownership of an incident and move it through the investigation workflow
-
Create notable events
-
Suppress notable events
-
-
Risk-Based Alerting
-
Give an overview of Risk-Based Alerting
-
View Risk Notables and risk information on the Incident Review dashboard
-
Explain risk scores and how to change an object’s risk score
-
Review the Risk Analysis dashboard
-
Describe annotations
-
Describe the process for retrieving LDAP data for an asset or identity lookup
-
-
Investigations
-
Use investigations to manage incident response activity
-
Use the Investigation Workbench to manage, visualize and coordinate incident investigations
-
Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
-
Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
-
-
Using Security Domain Dashboards
-
Use ES to inspect events containing information relevant to active or past incident investigation
-
Identify security domains in ES
-
Use ES security domain dashboards
-
Launch security domain dashboards from Incident Review and from action menus in search results
-