This instructor-led course is designed for Analysts and Operators who currently use, or are interested in using, the Elastic Stack with SOC Prime for security event collection, analytics, and case management.
You will start with an overview of SOC Prime and the Elastic Stack, exploring the various components and some of the use cases they can serve. The remainder of this course will take an in-depth look at Kibana, including basic discovery, visualizations and dashboards, and advanced components like Canvas, Vega, and Machine Learning.
After completing each module, you will apply what you have learned in a series of hands-on labs. By the end of the training, you will be able to use SOC Prime and the Elastic Stack to analyze the data sources from your network and various systems in order to paint a more complete security picture.
Security analysts who are researching, building, or leveraging SOC Prime as a part of their security monitoring program
3 Days | 8 hours per day
While no prior knowledge is required, completion of the Perched Foundations course and the Perched Operator or Analyst course is recommended.
Mac, Linux, or Windows
A modern web browser
Introduction to Elastic
Learn about the products that make up the Elastic Stack and how they integrate.
Hands-On Lab: Starting an Elastic Cluster
Kibana is the visualization component of the Elastic Stack. This chapter will provide a high-level overview of the UI and prepare students for a deep-dive on each component that is relevant to a successful hunt.
Hands-On Lab: Getting started with Kibana
Introduction to SOC Prime
Learn about the components of SOC Prime and discuss how it can be used as a Security Information and Event Management (SIEM) and case management system.
Hands-On Lab: Navigating through SOC Prime
Visualizations are a powerful way to summarize a large set of data and spot anomalies. Learn how to leverage visualizations to tell a story about your data.
Hands-On Lab: Summarizing data with visualizations
Dashboards and Use Cases
Learn how to build basic dashboards and then more advanced content focused on protocols or specific use cases.
Hands-On Lab: Build basic and advanced dashboards and use cases
Canvas and Vega
Learn all about the advanced tools available in Kibana for building visualizations.
Hands-On Lab: Building visualizations with Canvas and Vega
Machine Learning and Alerting
Humans are great at spotting visual anomalies, but computers are king when it comes to keeping track of trends and deviations. Learn how to build ML jobs and alerts to find things the human eye might miss.
Hands-On Lab: Building ML jobs and creating alerts
Anomalies without proper case management can lead to poor communication and overlap. Learn how to leverage SOC Prime for case management.
Hands-On Lab: Case management with SOC Prime
Spend a full day applying the concepts that you have learned in class. This is designed to be very hands-on and flexible to the needs and desires of the students.
The typical flow is to spend 30 minutes looking for anomalies in the data, working within the SIEM and case management modules. Throughout the day, the class will regroup and review what everyone has found and logged in their case manager.
Instructors will work at the pace of the students and guide them through an entire campaign; this ensures the proper amount of challenge while making sure no one is left behind.