This instructor-led course is focused around the deployment of the Elastic Stack in a security context; specifically how to build the different parts of the Elastic Stack and how to ensure that they are performant.
You will start with an overview of the Elastic Stack and its components. From there, students will build network security monitoring (NSM) sensors in a variety of configurations; each course builds on the previous content.
After completing each module, you will apply what you have learned in a series of hands-on labs. By the end of the training, you will be able to build the Elastic Stack from the ground up to analyze the data sources from your network and various systems in order to paint a more complete security picture.
Security Engineers who are responsible for installing, operating, and maintaining the Elastic Stack and network security monitoring platforms.
10 Days | 8 hours per day
There are no prerequisites for this course.
Mac, Linux, or Windows
A modern web browser
Building and configuring the sensors to use for NSM operations is done by completing a checklist of many tasks. The vast majority of these tasks are repeatable and can be completed with "Configuration Management". There are many CM tool sets available, but we believe that Ansible does things right. This course teaches the basics of Ansible and students will complete labs that incrementally grow in complexity.
How things used to be done
Ad-Hoc Commands (w/ lab)
Playbooks (w/ lab)
Modules (w/ lab)
Variables & Templates (w/ lab)
Bro Install, Operate, and Maintain
This course is designed to familiarize sensor engineers with the various ways to install and configure Bro. It will also briefly cover ongoing maintenance that should be performed against an installation.
Source (w/ lab)
RPM (w/ lab)
Standalone (w/ lab)
Cluster (w/ lab)
AF_PACKET (w/ lab)
Bro Performance Tuning
This course will walk sensor engineers through how to tune Bro for optimal performance.
Monitoring Incoming Bandwidth (w/ lab)
Identifying Performance Bottlenecks (w/ lab)
Selecting the Right Capture Cards
Tuning the Network Layer (w/ lab)
Tuning the Storage Layer (w/ lab)
CPU Pinning and NUMA Alignment (w/ lab)
Filtering What Bro Captures (w/ lab)
Kafka Install, Operate, and Maintain
It is important that a sensor engineer deploying RockNSM understands how to relay messages efficiently from the NIC through the data pipeline, in order to provide near real-time analysis and prevent data loss.
Setup Prerequisites (w/ lab)
Install Zookeeper Cluster (w/ lab)
Install Kafka Cluster (w/ lab)
Creating Topics (w/ lab)
Passive Operations and Tapping
It is important that a sensor engineer deploying RockNSM understands that it is a passive system and what that actually means. This course clearly defines the difference between passive and active operations and explains how to use different tapping technologies, so that students can weigh their options and make the best choice for their environment.
What are Passive Operations?
What are Active Operations?
Spanning Port Tap (w/ lab)
Inline Tapping (w/ lab)
Tap Placement Whiteboard Exercises
CAPES Install, Operate, and Maintain
CAPES is a self-hosted incident response service hub, providing IR management, communication, documentation, VoIP, collaborative workspaces, indicator enrichment, data analysis, and data visualization. This course is designed to take an operator or analyst who has never used the CAPES technology stack and bring them up to speed with its capabilities.
What is CAPES?
System Setup (w/ lab)
Installation (w/ lab)
Configuration (w/ lab)
Administration (w/ lab)
Maintenance (w/ lab)
Day 5, 6, 7
Elastic Stack Install, Operate, and Maintain
This course is designed to familiarize sensor engineers with the different ways to install, configure, and tune the Elastic products.
Environment Preparation (w/ lab)
Install and Configure Elastic Stack (w/ lab)
Configure SAML (w/ lab)
Configure Logstash and Beats to Read Files Into Elasticsearch (w/ lab)
Viewing Log Files (w/ lab)
Elasticsearch API (w/ lab)
Kibana Console (w/ lab)
Identifying Performance Bottlenecks (w/ lab)
Monitoring Performance (w/ lab)
System Sizing Considerations
General Performance Tuning (w/ lab)
Tuning the Java Virtual Machine (w/ lab)
Tuning for Indexing Speed (w/ lab)
Tuning for Search Speed (w/ lab)
Suricata Rule Management and Tuning
This course is designed to provide an engineer with the foundational knowledge required to maintain up-to-date rulesets, create custom rules, and manage the performance of a Suricata sensor.
Suricata Rules Overview
Anatomy of a rule
Writing Custom Rules
This course is designed to provide an engineer with the foundational knowledge required to troubleshoot and correct sensor or configuration errors.
Troubleshooting Concepts and Flow
Engineer Capstone Event
In this capstone, an engineer builds a sensor from the ground up and must then troubleshoot and fix errors introduced into their working sensor.
Build a Complete Sensor
Troubleshoot & Identify Issues
Repair and Return to Service a Sensor