Perched | Security Education, Consulting, and Support
Security Solutions

Perched Threat Hunting With Corelight

Perched Threat Hunting With Corelight


This instructor-led course is designed for Analysts and Operators that currently use, or are interested in using, Corelight with the Elastic Stack for Network Security Monitoring.

After completing each module, you will apply what you have learned in a series of hands-on labs. The coursework is culminated by a 2-day capstone event in which the students will perform a series of increasingly difficult hunting operations using the Corelight data. This capstone is instructor assisted to ensure that no students are left behind.

By the end of the training, you will be able to use Corelight Bro data and the Elastic Stack to analyze your network traffic and catch bad guys.


Security analysts who are researching, building or leveraging Corelight as a part of their security monitoring program


5 Days | 8 hours per day


While no prior knowledge is required, completion of the Perched Foundations and the Perched Operator or Analyst courses are recommended.


  • Mac, Linux, or Windows

  • A modern web browser


Day 1

Passive Operations and Tapping

This course will clearly define the difference between active and passive operations and explain how to utilize different tapping technologies so that students can weigh their options and make the best choice for their environment.


  • What are Passive Operations?

  • What are Active Operations?

  • Spanning Port Tap (w/ lab)

  • Network Tapping Methodologies (w/ lab)

  • Tap placement Whiteboard Exercises

Introduction to Bro

This course is designed to take an operator or analyst who has never used Bro and bring them up to speed with its capabilities.


  • System Setup

  • What is Bro?

  • Bro Project History

  • Bro vs. Wireshark (w/ lab)

  • Analyzing a packet capture (w/ lab)

  • ASCII Logs Overview (w/ lab)

  • Filtering and Sorting Data (w/ lab)

  • Hands-On Lab: Capture the Flag


Day 2

Bro Performance Tuning

This course will walk sensor engineers through how to tune Bro for optimal performance.


  • Monitoring Incoming Bandwidth (w/ lab)

  • Identifying Performance Bottlenecks (w/ lab)

  • Filtering What Bro Captures (w/ lab)

Advanced Bro

This course builds on the Introduction to Bro course from the Foundations track and teaches operators how to leverage Bro for Hunting.


  • Bro Scripting Overview (w/ lab)

  • Bro Event Engine (w/ lab)

  • Frameworks Overview

  • Intel Framework (w/ lab)

  • File Extraction (w/ lab)


Day 3

Introduction to Elastic

  • Learn about the products that make up the Elastic Stack and how they interoperate.

  • Hands-On Lab: Starting an Elastic Cluster

Data Ingestion

● Learn how to move data from Bro to Elastic in an efficient and scalable manner.

  • Logstash (w/ lab)

  • Beats

  • Data Enrichment (w/ lab)

Kibana Basics

  • Kibana is the visualization component of the Elastic Stack. This chapter will provide a high-level overview of the UI and prepare students for a deep-dive on each component that is relevant to a successful hunt.

  • Hands-On Lab: Getting started with Kibana

Building Visualizations

  • Visualizations are a powerful way to summarize a large set of data and spot anomalies. Learn all about how to leverage visualizations to tell a story about your data

  • Hands-On Lab: Summarizing data with visualizations

Dashboards and Use Cases

  • Learn how to build basic dashboards and then more advanced content focused on protocols or specific use-cases.

  • Hands-On Lab: Build basic and advanced dashboards and use-cases


Day 4 & 5

Assisted Hunt

This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.

Hunt Preparation

  • Selecting the Right Tool

  • When to Dig Deeper

  • Incident Response operations

Individual Hunt

  • Challenge: Find the Beacons (beginner)

  • Challenge: Find the Beacons (advanced)

  • Group Review

Team Hunt

  • Challenge: Enemy Objectives

  • Challenge: Applying the Kill Chain

  • Challenge: Full-Spectrum Adversary Detection

  • Group Review