Threat Hunting with Kibana
Overview:
This course is designed for security analysts interested in using Kibana to hunt threats to their data and systems. You will start with an introduction to threat hunting, including how it differs from other security analysis processes, and then move on to an introduction to the Elastic Stack and the powerful set of tools it offers. You will then learn essential Kibana features for analyzing security data, followed by an in-depth look at our network and host data sources, including ways to enrich them. You will then learn about threat hunting philosophy, workflow, models, and techniques, and how threat hunting can improve the effectiveness of a security operations center. All of this is followed by a guided hunt exercise to put your new skills to the test.
Duration: 32 hours
- Classroom - 2 days | 8 hours per day
- Virtual - 4 days | 4 hours per day
Intended Audience:
Security Analysts
Prerequisites:
- No prior knowledge of the Elastic Stack required.
- Familiarity with basic networking and network security, as well as logging and incident response concepts.
Requirements:
- Mac, Linux, or Windows
- Stable internet connection (virtual classroom)
- Latest version of Chrome or Firefox (other browsers not supported)
- Disable any ad-blockers and restart your browser before class
Course outline: All lessons include hands-on labs.
1. Introduction
Start by looking at today’s threat landscape to better understand advanced persistent threats and the need for threat hunting. Explore the fundamentals of threat hunting and how it differs from other security analysis processes. Get an overview of the different components of the Elastic Stack. Learn about our security data sets and how to use essential Kibana features for analyzing them.
2. Network data
Start with an overview of network data and how it can be useful in security analysis. Take an in-depth look at data generated by Zeek NSM, Suricata IDS, and Packetbeat. Explore the concept of a flow and the benefits of collecting and analyzing flow data.
3. Host data
Start with an overview of host data and how it can be useful in security analysis. Look at the different data generated by Windows and Linux hosts and how Winlogbeat, Filebeat, and Auditbeat can help collect that data. Then learn about the structure of the data generated by these Beats.
4. Data enrichment
Understand the value of enrichment during the data analysis process, as well as the different objects that can be enriched from different sources at different stages of your ETL process. Explore various enrichment tools and the value they offer in security analysis.
5. Threat hunting
Dive deeper into threat hunting, its philosophies, and the benefits of undertaking such an initiative. Learn the workflow, models, and techniques for hunting threats.
6. Guided hunt
Challenge yourself in this hands-on threat hunting exercise, with instructor guidance as needed.
Study online
Study in Hồ Chí Minh City
Study in Hà Nội