Perched | Security Education, Consulting, and Support

Security Monitoring with SOC Prime

Overview

This instructor-led course is designed for analysts and operators who currently use, or are interested in using, the Elastic Stack with SOC Prime for security event collection, analytics, and case management.

You will start with an overview of SOC Prime and the Elastic Stack, exploring the various components and some of the use cases they can serve. The remainder of this course will take an in-depth look at Kibana, including basic discovery, visualizations and dashboards, and advanced components like Canvas, Vega, and Machine Learning.

After completing each module, you will apply what you have learned in a series of hands-on labs. By the end of the training, you will be able to use SOC Prime and the Elastic Stack to analyze the data sources from your network and various systems in order to paint a more complete security picture.

Audience

Security analysts who are researching, building, or leveraging SOC Prime as a part of their security monitoring program

Duration

3 Days | 8 hours per day

Prerequisites

While no prior knowledge is required, completion of the Perched Foundations course and either the Perched Operator or Analyst course is recommended.

Requirements

  • Mac, Linux, or Windows

  • A modern web browser

Day 1

Introduction to Elastic

  • Learn about the products that make up the Elastic Stack and how they integrate.

  • Hands-On Lab: Starting an Elastic Cluster

Kibana Basics

  • Kibana is the visualization component of the Elastic Stack. This chapter provides a high-level overview of the UI and prepares students for a deep dive into each component that is relevant to a successful hunt.

  • Hands-On Lab: Getting started with Kibana

Introduction to SOC Prime

  • Learn about the components of SOC Prime and discuss how it can be used as a Security Information and Event Management (SIEM) and case management system.

  • Hands-On Lab: Navigating through SOC Prime

Day 2

Building Visualizations

  • Visualizations are a powerful way to summarize a large set of data and spot anomalies. Learn how to leverage visualizations to tell a story about your data.

  • Hands-On Lab: Summarizing data with visualizations

Dashboards and Use Cases

  • Learn how to build basic dashboards, then move on to more advanced content focused on specific protocols or use cases.

  • Hands-On Lab: Building basic and advanced dashboards and use cases

Canvas and Vega

  • Learn all about the advanced tools available in Kibana for building visualizations.

  • Hands-On Lab: Building visualizations with Canvas and Vega

Machine Learning and Alerting

  • Humans are great at spotting visual anomalies, but computers are king when it comes to keeping track of trends and deviations. Learn how to build ML jobs and alerts to find things the human eye might miss.

  • Hands-On Lab: Building ML jobs and creating alerts

Case Management

  • Anomalies that are not tracked in a case management system can lead to poor communication and duplicated effort. Learn how to leverage SOC Prime for case management.

  • Hands-On Lab: Case management with SOC Prime

Day 3

Guided Hunt

  • Spend a full day applying the concepts you have learned in class. This day is designed to be very hands-on and flexible to the needs and interests of the students.

  • The typical flow is to spend 30 minutes looking for anomalies in the data while working within the SIEM and case management modules. Throughout the day, the class regroups to review what everyone has found and logged in their case manager.

  • Instructors work at the pace of the students and guide them through an entire campaign; this ensures the right amount of challenge while making sure no one is left behind.