This instructor-led course is designed for Analysts and Operators who currently use, or are interested in using, Corelight with the Elastic Stack for Network Security Monitoring.
After completing each module, you will apply what you have learned in a series of hands-on labs. The coursework culminates in a 2-day capstone event in which students perform a series of increasingly difficult hunting operations using the Corelight data. This capstone is instructor assisted to ensure that no students are left behind.
By the end of the training, you will be able to use Corelight Bro data and the Elastic Stack to analyze your network traffic and catch bad guys.
Security analysts who are researching, building or leveraging Corelight as a part of their security monitoring program
5 Days | 8 hours per day
While no prior knowledge is required, completion of the Perched Foundations course and the Perched Operator or Analyst course is recommended.
Mac, Linux, or Windows
A modern web browser
Passive Operations and Tapping
This course will clearly define the difference between active and passive operations and explain how to utilize different tapping technologies so that students can weigh their options and make the best choice for their environment.
What are Passive Operations?
What are Active Operations?
Spanning Port Tap (w/ lab)
Network Tapping Methodologies (w/ lab)
Tap Placement Whiteboard Exercises
Introduction to Bro
This course is designed to take an operator or analyst who has never used Bro and bring them up to speed with its capabilities.
What is Bro?
Bro Project History
Bro vs. Wireshark (w/ lab)
Analyzing a packet capture (w/ lab)
ASCII Logs Overview (w/ lab)
Filtering and Sorting Data (w/ lab)
Hands-On Lab: Capture the Flag
Bro Performance Tuning
This course will walk sensor engineers through how to tune Bro for optimal performance.
Monitoring Incoming Bandwidth (w/ lab)
Identifying Performance Bottlenecks (w/ lab)
Filtering What Bro Captures (w/ lab)
This course builds on the Introduction to Bro course from the Foundations track and teaches operators how to leverage Bro for Hunting.
Bro Scripting Overview (w/ lab)
Bro Event Engine (w/ lab)
Intel Framework (w/ lab)
File Extraction (w/ lab)
Introduction to Elastic
Learn about the products that make up the Elastic Stack and how they interoperate.
Hands-On Lab: Starting an Elastic Cluster
Learn how to move data from Bro to Elastic in an efficient and scalable manner.
Logstash (w/ lab)
Data Enrichment (w/ lab)
Kibana is the visualization component of the Elastic Stack. This chapter will provide a high-level overview of the UI and prepare students for a deep-dive on each component that is relevant to a successful hunt.
Hands-On Lab: Getting started with Kibana
Visualizations are a powerful way to summarize a large set of data and spot anomalies. Learn how to leverage visualizations to tell a story about your data.
Hands-On Lab: Summarizing data with visualizations
Dashboards and Use Cases
Learn how to build basic dashboards and then more advanced content focused on protocols or specific use-cases.
Hands-On Lab: Build basic and advanced dashboards and use-cases
Days 4 & 5
This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.
Selecting the Right Tool
When to Dig Deeper
Incident Response Operations
Challenge: Find the Beacons (beginner)
Challenge: Find the Beacons (advanced)
Challenge: Enemy Objectives
Challenge: Applying the Kill Chain
Challenge: Full-Spectrum Adversary Detection