Number of times this course has been held: 4
Course level
Certificate name: SIEM with Tactical Analytics
Course duration: 40 hours
Computer Crime Forensic Investigator
Course description

In this course, participants learn the structure and architecture of a SIEM, analyze the data that is sent to a SIEM as input, and examine several SIEM platforms, including Splunk, ELK and Tripwire.

Course prerequisites
  • Computer Crime Forensic Investigator
  • Network traffic monitoring and filtering
Course audience
  • Log analysts
  • SOC analysts

Course syllabus

Section 1: SIEM Architecture

  • State of the SOC/SIEM
  • Industry statistics
  • Industry problems
  • Log Monitoring
  • Assets
  • Windows/Linux
  • Network devices
  • Security devices
  • Data gathering strategies
  • Pre-planning
  • Logging architecture
  • Log inconsistencies
  • Log collection and normalization
  • Log retention strategies
  • Correlation and gaining context
  • Reporting and analytics
  • Alerting
  • SIEM platforms
  • Commercial solutions
  • Home-grown solutions
  • Planning a SIEM
  • Ingestion control
  • What to collect
  • Mission
  • SIEM Architecture
  • Ingestion techniques and nodes
  • Acceptance and manipulation for value
  • Augmentation of logs for detection
  • Data queuing and resiliency
  • Storage and speed
  • Analytical reporting
  • Visualizations
  • Detection Dashboards
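The collection-and-normalization topics above (log inconsistencies, normalization, correlation for context) are easiest to see on real-shaped data. The following is an added example, not material from the course or from any SIEM vendor: it parses three constructed log lines (an OpenSSH syslog line, a Windows Security event exported as JSON, and a Cisco ASA connection message) into one schema and then groups the result by source address. The schema field names are this example's own choice, and the collector-supplied year and time zone for the formats that omit them are assumptions.

```python
"""Normalizing three log formats into one schema (added example, not from the
course). Inputs are constructed. Output fields (ts, host, user, src_ip, dst_ip,
dport, action, source) are this example's own schema, not any vendor's."""
import json
import re
from datetime import datetime, timezone

# Constructed inputs showing the inconsistencies a collector has to resolve:
# the syslog line has no year and no time zone, the Windows event carries a
# local-time offset, and the ASA line uses a third timestamp layout.
SAMPLE_LOGS = [
    ("syslog", "Mar 11 09:14:02 web01 sshd[2112]: Failed password for invalid "
               "user admin from 203.0.113.9 port 51022 ssh2"),
    ("winevent", '{"TimeCreated":"2024-03-11T10:14:05-05:00","Computer":"DC01.corp.example",'
                 '"EventID":4625,"TargetUserName":"svc_backup","IpAddress":"10.0.0.77"}'),
    ("asa", "Mar 11 2024 15:14:07: %ASA-6-302014: Teardown TCP connection 8812 for "
            "outside:203.0.113.9/51022 to inside:10.0.0.5/22 duration 0:00:01 bytes 0 TCP FINs"),
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<action>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ASA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-\d-\d+: (?P<action>Built|Teardown) TCP "
    r"connection \d+ for \S+?:(?P<src>[\d.]+)/\d+ to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def normalize(source, line, collector_year=2024, collector_tz=timezone.utc):
    """Map one raw line to the common schema, or return None if it does not parse.

    collector_year / collector_tz are what the collector supplies for formats
    that omit them (assumption here: the syslog and ASA senders run in UTC)."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{m['mon']} {m['day']} {collector_year} {m['time']}",
                               "%b %d %Y %H:%M:%S").replace(tzinfo=collector_tz)
        return {"ts": ts.isoformat(), "host": m["host"].lower(), "user": m["user"],
                "src_ip": m["ip"], "dst_ip": None, "dport": 22,
                "action": "logon_failure" if m["action"] == "Failed" else "logon_success",
                "source": "sshd"}
    if source == "winevent":
        ev = json.loads(line)
        # Convert the local-time offset to UTC so events from different zones sort together.
        ts = datetime.fromisoformat(ev["TimeCreated"]).astimezone(timezone.utc)
        action = {4624: "logon_success", 4625: "logon_failure"}.get(
            ev.get("EventID"), f"event_{ev.get('EventID')}")
        return {"ts": ts.isoformat(), "host": ev["Computer"].split(".")[0].lower(),
                "user": ev.get("TargetUserName"), "src_ip": ev.get("IpAddress"),
                "dst_ip": None, "dport": None, "action": action, "source": "windows_security"}
    if source == "asa":
        m = ASA_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=collector_tz)
        return {"ts": ts.isoformat(), "host": None, "user": None, "src_ip": m["src"],
                "dst_ip": m["dst"], "dport": int(m["dport"]),
                "action": "conn_" + m["action"].lower(), "source": "asa"}
    return None


def normalize_all(logs):
    """Normalize every line and order the result by UTC timestamp."""
    events = []
    for src, line in logs:
        e = normalize(src, line)
        if e is not None:
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate_by_src(events):
    """Group events by source IP: the first context a SIEM gains once fields
    from different log types share one name."""
    by_src = {}
    for e in events:
        if e["src_ip"]:
            by_src.setdefault(e["src_ip"], []).append((e["source"], e["action"]))
    return by_src


if __name__ == "__main__":
    for e in normalize_all(SAMPLE_LOGS):
        print(e)
    print(correlate_by_src(normalize_all(SAMPLE_LOGS)))
```

Once the three records share `src_ip` and `action`, the failed SSH logon and the ASA teardown from 203.0.113.9 fall into one bucket; without the UTC conversion the Windows event (10:14 local, 15:14 UTC) would sort before the ASA line it actually follows.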

Section 2: Service Profiling with SIEM

  • Detection methods and relevance to log analysis
  • Attacker patterns
  • Attacker behaviors
  • Abnormalities
  • Analyzing common application logs that generate tremendous amounts of data
  • DNS
  • Finding new domains being accessed
  • Pulling in additional information such as domain age
  • Finding randomly named domains
  • Discover domain shadowing techniques
  • Identifying recon
  • Find DNS C2 channels
  • HTTP
  • Use large datasets to find attacks
  • Identify bot traffic hiding in the clear
  • Discover requests that users do not make
  • Find ways to filter out legitimate noise
  • Use attacker randomness against them
  • Identify automated activity vs user activity
  • Filter approved web clients vs unauthorized
  • Find HTTP C2 channels
  • Alter information for large scale analysis
  • Analyze certificate fields to identify attack vectors
  • Track certificate validity
  • Apply techniques that overlap with standard HTTP
  • Find HTTPS C2 channels
  • SMTP
  • Identify where unauthorized email is coming from
  • Find compromised mail services
  • Fuzzy matching likely phishing domains
  • Data exfiltration detection
  • Apply threat intelligence to generic network logs
  • Active Dashboards and Visualizations
  • Correlate network datasets
  • Build frequency analysis tables
  • Establish network baseline activity
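The DNS items above (new domains, randomly named domains, DNS C2 channels, frequency analysis tables) can all be computed from a plain query log. What follows is an added example, not course material or any product's detection logic: it runs those checks over a constructed query log and a constructed 30-day baseline. The entropy and unique-name thresholds are assumptions to be tuned against local traffic, and the registered-domain extraction is a deliberate simplification (production code should use the Public Suffix List). Domain-age enrichment needs an external WHOIS or passive-DNS source and is only referenced, not implemented.

```python
"""DNS log analytics (added example, not course material): first-seen registered
domains, random-looking labels, frequency tables, and a unique-subdomain count
per client that exposes DNS tunnelling. Query log and baseline are constructed;
thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed baseline: registered domains seen in the previous 30 days.
BASELINE_DOMAINS = {"example.com", "windowsupdate.com", "office.net", "google.com"}

# Constructed query log as (client_ip, queried name). 10.0.0.44 queries many
# unique hex-looking subdomains of one domain, the shape of a DNS C2/tunnel.
QUERY_LOG = [
    ("10.0.0.11", "www.example.com"),
    ("10.0.0.11", "mail.example.com"),
    ("10.0.0.12", "update.windowsupdate.com"),
    ("10.0.0.12", "outlook.office.net"),
    ("10.0.0.13", "www.google.com"),
    ("10.0.0.13", "xk2p9qz7mw3rt8vb.top"),
    ("10.0.0.44", "a3f9c1b7e2d4.t.c2.example"),
    ("10.0.0.44", "b7e2d4a3f9c1.t.c2.example"),
    ("10.0.0.44", "c1b7e2d4a3f9.t.c2.example"),
    ("10.0.0.44", "d4a3f9c1b7e2.t.c2.example"),
    ("10.0.0.44", "e2d4a3f9c1b7.t.c2.example"),
    ("10.0.0.44", "f9c1b7e2d4a3.t.c2.example"),
]


def registered_domain(fqdn):
    """Last two labels. Simplification: production code needs the Public Suffix
    List so that host.example.co.uk maps to example.co.uk, not co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; 16 distinct characters in a 16-char label give 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_looking(label, min_len=12, min_entropy=3.5):
    """Heuristic for DGA/tunnel labels. Long CDN or hash-named hosts also trip
    it, so treat hits as candidates for enrichment (domain age, WHOIS), not as
    alerts on their own."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def first_seen_domains(query_log, baseline):
    """Registered domains in this window that the baseline has never seen."""
    return {registered_domain(fqdn) for _, fqdn in query_log} - baseline


def frequency_table(query_log):
    """Query count per registered domain: the table a rarity or top-N view reads."""
    return Counter(registered_domain(fqdn) for _, fqdn in query_log)


def random_looking_queries(query_log):
    """Queries in which any label other than the TLD looks random."""
    hits = []
    for client, fqdn in query_log:
        if any(is_random_looking(lbl) for lbl in fqdn.lower().split(".")[:-1]):
            hits.append((client, fqdn))
    return hits


def suspected_dns_tunnels(query_log, min_unique=5):
    """(client, registered_domain, unique_names) where one client resolved many
    distinct names under a single domain. Legitimate CDNs do this too, so the
    domain's age and its rarity in the frequency table are the next checks."""
    names = defaultdict(set)
    for client, fqdn in query_log:
        names[(client, registered_domain(fqdn))].add(fqdn.lower())
    return sorted((c, d, len(s)) for (c, d), s in names.items() if len(s) >= min_unique)


if __name__ == "__main__":
    print("first seen:", first_seen_domains(QUERY_LOG, BASELINE_DOMAINS))
    print("top domains:", frequency_table(QUERY_LOG).most_common(3))
    print("random-looking:", random_looking_queries(QUERY_LOG))
    print("tunnel candidates:", suspected_dns_tunnels(QUERY_LOG))
```

Note that the three signals are independent and are meant to be combined: `windowsupdate` is a 13-character label but its entropy (about 3.39 bits) stays under the threshold, while the tunnel subdomains are flagged by entropy, by first-seen status of `c2.example`, and by the unique-name count at once.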

Section 3: Advanced Endpoint Analytics

  • Endpoint logs
  • Understanding value
  • Methods of collection
  • Agents
  • Agentless
  • Scripting
  • Adding additional logging
  • EMET
  • Sysmon
  • Group Policy
  • Windows filtering and tuning
  • Analyze critical events based on attacker patterns
  • Finding signs of exploitation
  • Find signs of internal reconnaissance
  • Finding persistence
  • Privilege escalation
  • Establishing a foothold
  • Cleaning up tracks
  • Host-based firewall logs
  • Discover internal pivoting
  • Identify unauthorized listening executables
  • See scan activity
  • Credential theft and reuse
  • Multiple failed logons
  • Unauthorized account use
  • Monitor PowerShell
  • Configure PowerShell logging
  • Identify obfuscation
  • Identify modern attacks
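The credential-theft items above (multiple failed logons, unauthorized account use) come down to grouping Windows logon events the right way. The following is an added example, not course material, written over constructed Security log events (IDs 4624 and 4625 with the TargetUserName, IpAddress and LogonType fields shortened to user, src and logon_type). It shows why a password spray is invisible per account but obvious per source, how a brute force that ends in a success differs from a user mistyping, and how a naming convention for service accounts (assumed here to be a `svc_` prefix) turns interactive logons by those accounts into a detection. All thresholds are assumptions.

```python
"""Windows Security log analytics (added example, not course material) over
constructed 4624/4625 events: password spraying, brute force ending in success,
and service accounts used interactively. Thresholds and the svc_ naming
convention are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed events: id 4625 = failed logon, 4624 = successful logon.
# LogonType 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
EVENTS = [
    {"t": "2024-03-11T02:00:01Z", "id": 4625, "user": "alice", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:02Z", "id": 4625, "user": "bob", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:03Z", "id": 4625, "user": "carol", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:04Z", "id": 4625, "user": "dan", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:05Z", "id": 4625, "user": "erin", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:06Z", "id": 4625, "user": "frank", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T02:00:09Z", "id": 4624, "user": "carol", "src": "10.0.0.77", "logon_type": 3},
    {"t": "2024-03-11T08:30:00Z", "id": 4625, "user": "dave", "src": "10.0.0.23", "logon_type": 2},
    {"t": "2024-03-11T08:30:20Z", "id": 4625, "user": "dave", "src": "10.0.0.23", "logon_type": 2},
    {"t": "2024-03-11T08:30:45Z", "id": 4625, "user": "dave", "src": "10.0.0.23", "logon_type": 2},
    {"t": "2024-03-11T08:31:10Z", "id": 4624, "user": "dave", "src": "10.0.0.23", "logon_type": 2},
    {"t": "2024-03-11T23:10:00Z", "id": 4624, "user": "svc_backup", "src": "10.0.0.50", "logon_type": 10},
]


def parse_ts(s):
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def password_spray_sources(events, min_users=5, window_s=600):
    """Sources whose failures hit at least min_users distinct accounts within
    window_s seconds. A spray tries one password across many accounts, so each
    account's failure count stays below lockout thresholds; grouping by source
    rather than by account is what exposes it."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            fails[e["src"]].append((parse_ts(e["t"]), e["user"]))
    hits = []
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits.append((src, len(users)))
                break
    return hits


def failed_then_success(events, min_failures=3):
    """(src, user, failures) where a success follows at least min_failures
    failures for the same source and account: brute force, or a user who
    mistyped a password several times. The count lets the analyst tell them apart."""
    counts = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: parse_ts(e["t"])):
        key = (e["src"], e["user"])
        if e["id"] == 4625:
            counts[key] += 1
        elif e["id"] == 4624:
            if counts[key] >= min_failures:
                hits.append((e["src"], e["user"], counts[key]))
            counts[key] = 0
    return hits


def service_account_interactive(events, prefix="svc_", interactive_types=(2, 10, 11)):
    """Service accounts (naming convention assumed: svc_*) should authenticate
    as services or over the network, never at a console or over RDP."""
    return [(e["user"], e["src"], e["logon_type"]) for e in events
            if e["id"] == 4624 and e["user"].startswith(prefix)
            and e["logon_type"] in interactive_types]


if __name__ == "__main__":
    print("spray sources:", password_spray_sources(EVENTS))
    print("failed then success:", failed_then_success(EVENTS))
    print("service account interactive:", service_account_interactive(EVENTS))
```

The spray from 10.0.0.77 produces a single failure per account, so an account-centric rule never fires; the source-centric rule does, and the 4624 for `carol` from the same source nine seconds later is the account the spray landed on.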

Section 4: Baselining and User Behavior Monitoring

  • Identify authorized and unauthorized assets
  • Active asset discovery
  • Scanners
  • Network Access Control
  • Passive asset discovery
  • DHCP
  • Network listeners such as p0f, Bro (now Zeek), and PRADS
  • NetFlow
  • Switch CAM tables
  • Combining asset inventory into a master list
  • Adding contextual information
  • Vulnerability data
  • Authenticated device vs unauthenticated device
  • Identify authorized and unauthorized software
  • Source collection
  • Asset inventory systems
  • Patching management
  • Whitelisting solutions
  • Process monitoring
  • Discovering unauthorized software
  • Baseline data
  • Network data (from netflow, firewalls, etc)
  • Use outbound flows to discover unauthorized use or assets
  • Compare expected inbound/outbound protocol
  • Find persistence and beaconing
  • Utilize geolocation and reverse dns lookups
  • Establish device-to-device relationships
  • Identify lateral movement
  • Configure outbound communication thresholds
  • Monitor logons based on patterns
  • Time-based
  • Concurrency of logons
  • # logons by user
  • # logons by source device
  • Multiple geo locations
  • Endpoint baseline monitoring
  • Configure enterprise wide baseline collection
  • Large scale persistence monitoring
  • Finding abnormal local user accounts
  • Discover dual-homed devices
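Two of the network-baseline items above, finding persistence and beaconing in outbound flows and configuring outbound communication thresholds, are shown below as an added example that is not course material. It runs over constructed flow records in the shape NetFlow, IPFIX or a firewall log exports (start time, source, destination, port, bytes). The internal address ranges, the jitter threshold and the byte threshold are assumptions; in practice the thresholds come from each host's own baseline.

```python
"""Network baseline analytics over constructed flow records (added example, not
course material): beacon detection from inter-arrival regularity, and an
outbound-volume threshold per internal host. Internal ranges and thresholds
are assumptions."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these are the site's internal ranges. The ipaddress module's
# is_global cannot be used here because the RFC 5737 test ranges in the sample
# data (198.51.100.0/24, 203.0.113.0/24) are not treated as global.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

T0 = 1_700_000_000  # constructed epoch base

# Constructed flows (start, src, dst, dport, bytes). 10.0.0.44 contacts
# 198.51.100.7:443 roughly every 60 s with small payloads (a beacon), then
# pushes 900 MB to 203.0.113.9 (exfiltration). 10.0.0.11 reaches
# 203.0.113.50 at irregular, human-looking intervals.
FLOWS = [
    *[(T0 + off, "10.0.0.44", "198.51.100.7", 443, 1200)
      for off in (0, 58, 119, 179, 238, 300, 360, 421)],
    (T0 + 500, "10.0.0.44", "203.0.113.9", 443, 900_000_000),
    *[(T0 + off, "10.0.0.11", "203.0.113.50", 443, 20_000)
      for off in (0, 5, 400, 402, 1500, 1501, 3000)],
    (T0 + 10, "10.0.0.11", "10.0.0.5", 445, 4096),  # internal SMB, not outbound
]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """(src, dst, dport, mean_gap_s, cv) for external conversations whose
    inter-arrival times are nearly constant. cv is stdev/mean: human-driven
    traffic is bursty (cv well above 1), implants with little jitter sit near
    0. Implants that randomise their sleep heavily need a different test
    (flows per hour against baseline, or a lag histogram)."""
    starts = defaultdict(list)
    for start, src, dst, dport, _ in flows:
        if is_external(dst):
            starts[(src, dst, dport)].append(start)
    hits = []
    for key, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((*key, round(mean, 1), round(cv, 3)))
    return hits


def outbound_volume_alerts(flows, threshold_bytes=500_000_000):
    """Internal hosts whose total bytes to external addresses exceed the
    threshold. The threshold should be derived per host from its baseline;
    the constant here is an assumption for the sample."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if not is_external(src) and is_external(dst):
            totals[src] += nbytes
    return sorted((src, b) for src, b in totals.items() if b > threshold_bytes)


if __name__ == "__main__":
    print("beacons:", beacon_candidates(FLOWS))
    print("volume:", outbound_volume_alerts(FLOWS))
```

The beacon's gaps (58, 61, 60, 59, 62, 60, 61 s) give a mean near 60 s and a coefficient of variation around 0.02, while the browsing session's gaps (5, 395, 2, 1098, 1, 1499 s) are far above the cut-off; the same host then trips the volume threshold with a single large transfer, which is the pairing the post-mortem section below looks for.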

Section 5: Tactical SIEM Detection and Post-Mortem Analysis

  • Centralize NIDS and HIDS alerts
  • Analyze endpoint security logs
  • Provide alternative analysis methods
  • Configure tagging to facilitate better reporting
  • Augment intrusion detection alerts
  • Extract CVE, OSVDB, etc for further context
  • Pull in rule info and other info such as geo
  • Analyze vulnerability information
  • Setup vulnerability reports
  • Correlate CVE, OSVDB, and other unique IDs with IDS alerts
  • Prioritize IDS alerts based on vulnerability context
  • Correlate malware sandbox logs with other systems to identify victims across enterprise
  • Monitor Firewall Activity
  • Identify scanning activity on inbound denies
  • Apply auto response based on alerts
  • Find unexpected outbound traffic
  • Baseline allow/denies to identify unexpected changes
  • Apply techniques to filter out noise in denied traffic
  • SIEM tripwires
  • Configure systems to generate early log alerts after compromise
  • Identify file and folder scan activity
  • Identify user token stealing
  • Operationalize virtual honeypots with central logging
  • Allow phone home tracking
  • Post mortem analysis
  • Re-analyze network traffic
  • Identify malicious domains and IPs
  • Look for beaconing activity
  • Identify unusual time-based activity
  • Use threat intel to reassess previous data fields such as user-agents
  • Utilize hashes in log to constantly re-evaluate for known bad files
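Two of the items above, correlating CVE identifiers in IDS alerts with vulnerability data to prioritize them, and re-evaluating hashes already in the log against known-bad lists, are shown in the following added example, which is not course material or any product's logic. The scan results, alerts, rule names, process log and bad-hash list are all constructed; the CVE identifiers are real IDs used only as sample keys, and the placeholder digests are not real file hashes.

```python
"""Enriching and prioritising IDS alerts with vulnerability context, and
re-evaluating stored hashes against new intel (added example, not course
material). Alerts, scan results, rule names, hashes and the intel list are
constructed; CVE IDs are real identifiers used only as sample keys."""
from collections import defaultdict

# Constructed vulnerability-scan output: host -> CVEs the scanner found open.
VULN_SCAN = {
    "10.0.0.5": {"CVE-2021-44228"},
    "10.0.0.9": set(),
}

# Constructed NIDS alerts. cve is what the rule metadata carries; None when the
# signature is behavioural rather than exploit-specific.
IDS_ALERTS = [
    {"rule": "constructed-log4j-jndi", "cve": "CVE-2021-44228", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"rule": "constructed-log4j-jndi", "cve": "CVE-2021-44228", "src": "203.0.113.9", "dst": "10.0.0.9"},
    {"rule": "constructed-log4j-jndi", "cve": "CVE-2021-44228", "src": "203.0.113.9", "dst": "10.0.0.200"},
    {"rule": "constructed-smb-eternalblue", "cve": "CVE-2017-0144", "src": "10.0.0.44", "dst": "10.0.0.5"},
    {"rule": "constructed-generic-scan", "cve": None, "src": "203.0.113.9", "dst": "10.0.0.5"},
]

# Constructed process-creation log (Sysmon event 1 style): host, image, sha256.
# Digests are placeholders, not real file hashes.
PROCESS_LOG = [
    ("ws-017", "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe", "11" * 32),
    ("ws-042", "C:\\Windows\\System32\\svchost.exe", "22" * 32),
    ("ws-088", "C:\\Users\\b\\Downloads\\invoice.exe", "11" * 32),
]


def prioritize(alert, vuln_scan):
    """critical: the target host is scanned vulnerable to the alert's CVE.
    low: the host was scanned and is not vulnerable (still worth a tally:
    someone tried). medium: the host was never scanned, or the rule carries
    no CVE to correlate on, so the context is missing rather than negative."""
    cve, dst = alert["cve"], alert["dst"]
    if cve is None or dst not in vuln_scan:
        return "medium"
    return "critical" if cve in vuln_scan[dst] else "low"


def prioritized_alerts(alerts, vuln_scan):
    return [dict(a, priority=prioritize(a, vuln_scan)) for a in alerts]


def unscanned_targets(alerts, vuln_scan):
    """Hosts that receive exploit alerts but have no scan record: asset
    inventory gaps, which Section 4's asset discovery should close."""
    return sorted({a["dst"] for a in alerts if a["cve"] and a["dst"] not in vuln_scan})


def rehunt_hashes(process_log, bad_hashes):
    """Re-evaluate historical process hashes against an updated bad list. Run
    each time the list changes, so a file that was unknown when it executed
    becomes a victim list the moment intel catches up."""
    victims = defaultdict(list)
    for host, image, sha256 in process_log:
        if sha256 in bad_hashes:
            victims[sha256].append((host, image))
    return dict(victims)


if __name__ == "__main__":
    for a in prioritized_alerts(IDS_ALERTS, VULN_SCAN):
        print(a["priority"], a["rule"], a["dst"])
    print("unscanned:", unscanned_targets(IDS_ALERTS, VULN_SCAN))
    print("victims:", rehunt_hashes(PROCESS_LOG, {"11" * 32}))
```

The same signature fires three times; vulnerability context turns that into one critical alert, one low-priority attempt and one host that is missing from the inventory, which is a finding in itself. The hash re-hunt is deliberately a pure function of stored data plus the current list, so it can be scheduled rather than waiting for a new execution of the file.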
For more information about this course, send us a consultation request or get in touch.
Contact us
