Perched | Security Education, Consulting, and Support
Security Solutions

Perched Engineering

Perched Engineering


This instructor-led course is focused around the deployment of the Elastic Stack in a security context; specifically how to build the different parts of the Elastic Stack and how to ensure that they are performant.

You will start with an overview of the Elastic Stack and the different components of it. From there the students will build network security monitor (NSM) sensors in a variety of configurations; each course will build on the previous content.

After completing each module, you will apply what you have learned in a series of hands-on labs. By the end of the training, you will be able to build the Elastic Stack from the ground up to analyze the data sources from your network and various systems in order to paint a more complete security picture.


Security Engineers who are responsible for installing, operating, and maintaining the Elastic Stack and network security monitoring platforms.


10 Days | 8 hours per day


There are no prerequisites for this course.


  • Mac, Linux, or Windows

  • A modern web browser


Day 1


Building and configuring the sensors to use for NSM operations is done by completing a checklist of many tasks. The vast majority of these tasks are repeatable and can be completed with "Configuration Management". There are many CM tool sets available, but we believe that Ansible does things right. This course teaches the basics of Ansible and students will complete labs that incrementally grow in complexity.


  • How things used to be done

  • Ansible Overview

  • Environment Setup

  • Ad-Hoc Commands (w/ lab)

  • Playbooks (w/ lab)

  • Modules (w/ lab)

  • Variables & Templates (w/ lab)

  • Real-World Walkthrough


Day 2

Bro Install, Operate, and Maintain

This course is designed to familiarize sensor engineers with the various ways to install and configure Bro. It will also briefly cover ongoing maintenance that should be performed against an installation.


  • Installation options

  • Source (w/ lab)

  • RPM (w/ lab)

  • Deployment Options

  • Standalone (w/ lab)

  • Cluster (w/ lab)

  • Capture Methods

  • AF_PACKET (w/ lab)


  • Maintenance

  • broctl

  • Bro-cron


Day 3

Bro Performance Tuning

This course will walk sensor engineers through how to tune Bro for optimal performance.


  • Monitoring Incoming Bandwidth (w/ lab)

  • Identifying Performance Bottlenecks (w/ lab)

  • Selecting the Right Capture Cards

  • Tuning the Network Layer (w/ lab)

  • Tuning the Storage Layer (w/ lab)

  • CPU Pinning and NUMA Alignment (w/ lab)

  • Filtering What Bro Captures (w/ lab)

Kafka Install, Operate, and Maintain

It is important that a sensor engineer deploying RockNSM understand how to optimize relaying messages from the NIC through a data pipeline effectively in order to provide near real-time analysis and prevent data loss.


  • Installation Overview

  • Setup Prerequisites (w/ lab)

  • Install Zookeeper Cluster (w/ lab)

  • Install Kafka Cluster (w/ lab)

  • Using kafkacat

  • Creating Topics (w/ lab)


Day 4

Passive Operations and Tapping

It is important that a sensor engineer deploying RockNSM understand that it is a passive system and what that actually means. This course should clearly define the difference and explain how to utilize different tapping technologies so that students can weigh their options and make the best choice for their environment.


  • What are Passive Operations?

  • What are Active Operations?

  • Spanning Port Tap (w/ lab)

  • Inline Tapping (w/ lab)

  • Tap placement Whiteboard Exercises

CAPES Install, Operate, and Maintain

CAPES is a self-hosted incident response service hub, providing IR management, communication, documentation, VoIP, collaborative workspaces,
indicator enrichment, data analysis, and data visualization. This course is designed to take an operator or analyst who has never used the CAPES technology stack and bring them up to speed with its capabilities.


  • What is CAPES?

  • System Setup (w/ lab)

  • Installation (w/ lab)

  • Configuration (w/ lab)

  • Administration (w/ lab)

  • Maintenance (w/ lab)


Day 5, 6, 7

Elastic Stack Install, Operate, and Maintain

This course is designed to familiarize sensor engineers with the various ways to install, configure, and tune the various Elastic products.


  • Environment Preparation (w/ lab)

  • Node Types

  • Components

  • Elasticsearch

  • Logstash

  • Beats

  • Kibana

  • Install and Configure Elastic Stack (w/ lab)

  • Configure Logstash and Beats to Read Files Into Elasticsearch (w/ lab)

  • Securing the Elastic Stack (w/ lab)

  • Maintenance

  • Viewing Log Files (w/ lab)

  • Elasticsearch API (w/ lab)

  • Kibana Console (w/ lab)

  • Identifying Performance Bottlenecks (w/ lab)

  • Monitoring Performance (w/ lab)

  • System Sizing Considerations

  • General Performance Tuning (w/ lab)

  • Tuning the Java Virtual Machine (w/ lab)

  • Tuning for Indexing Speed (w/ lab)

  • Tuning or Search Speed (w/ lab)


Day 8

Suricata Rule Management and Tuning

This course is designed to provide an engineer with the foundational knowledge required to: maintain up-to-date rulesets, create custom rules, and manage the performance of a Suricata sensor.


  • Suricata Rules Overview

  • Managing Rulesets

  • Anatomy of a rule

  • Writing Custom Rules


Day 9

Sensor Troubleshooting

This course is designed to provide an engineer with the foundational knowledge required to: troubleshoot and correct sensor or configuration errors.


  • Troubleshooting Concepts and Flow

  • Sensor Services

  • Troubleshooting Logs

  • Journalctl

  • SELinux Troubleshooting


Day 10

Engineer Capstone Event

This capstone will have an engineer build a sensor from the ground up and will then have to troubleshoot and fix errors introduced to their working sensors.


  • Build a Complete Sensor

  • Troubleshoot & Identify Issues

  • Repair and Return to Service a Sensor