Certified SOC Analyst (CSA) Course

Original price was: 10,000.00৳. Current price is: 7,000.00৳.

Course Outline:

Day 01: Security Operations and Management

This module introduces the fundamental concepts of security operations and management within a Security Operations Center (SOC). Topics include:

  • Introduction to SOC: Structure, roles, responsibilities, and benefits.
  • SOC Processes and Functions: Security monitoring, incident management, compliance, and risk management.
  • Types of SOCs: Dedicated SOC, distributed SOC, co-managed SOC, etc.
  • SOC Maturity Models: Understanding SOC effectiveness and improvement frameworks.
  • Compliance and Regulations: ISO 27001, NIST, GDPR, PCI DSS, and other relevant standards.
  • Key Security Tools: SIEM, IDS/IPS, firewalls, endpoint protection, and vulnerability scanners.

Day 02: Understanding Cyber Threats, IoCs, and Attack Methodology

This module covers different types of cyber threats, Indicators of Compromise (IoCs), and how attacks are structured. Topics include:

  • Cyber Threat Categories: Malware, phishing, DoS/DDoS, insider threats, ransomware, APTs.
  • Cyber Kill Chain & MITRE ATT&CK: Understanding attacker techniques and tactics.
  • Indicators of Compromise (IoCs): How to detect malicious activity through logs, files, and behaviors.
  • Threat Actor Motives & TTPs: Understanding threat actors, their goals, and methodologies.
  • Attack Methodologies: Social engineering, SQL injection, brute force, privilege escalation, etc.
  • Malware Analysis Basics: Identifying malware behavior and threats.

Day 03: Incident Detection with Security Information and Event Management (SIEM)

This module explores SIEM solutions, their role in incident detection, and practical hands-on usage. Topics include:

  • Introduction to SIEM: Role of SIEM in security operations.
  • SIEM Architecture: Data collection, normalization, correlation, and storage.
  • SIEM Deployment Models: On-premises, cloud, and hybrid SIEM.
  • SIEM Use Cases: Detecting malware, insider threats, unauthorized access, and brute-force attacks.
  • Creating & Managing SIEM Rules: Custom alerts, correlation rules.
  • SIEM Solutions Overview: Wazuh.
  • Hands-on with SIEM: Querying logs, analyzing alerts, and investigating threats.

Day 04: Incident Detection with Security Information and Event Management (SIEM) – Part 2

This module explores Wazuh as a SIEM solution, its role in incident detection, and practical hands-on usage. Topics include:

  • Wazuh as a SIEM platform: Features and architecture
  • What is Wazuh, and how does it work?
  • Architecture and Components of Wazuh: Manager, agents, API
  • Communication Between Wazuh Components
  • Methods: Single vs. distributed node
  • Agent Installation on Linux and Windows
  • Familiarization with Wazuh Dashboard
  • Wazuh Certificates
  • Wazuh Virtual Machine
  • Windows and Linux Agents

Lab:

  • Virtual machine setup
  • Agent creation (Windows and Linux)

Day 05: Incidents, Events, and Logging

This module focuses on differentiating security events from incidents, logging essentials, and analyzing logs for threat detection. Topics include:

  • Events vs. Incidents: Understanding the difference and prioritization of security incidents.
  • Log Management: Importance of logs, types (system logs, application logs, network logs).
  • Log Sources & Formats: Syslog, Windows Event Logs, firewall logs, DNS logs, proxy logs.
  • Log Analysis Techniques: Parsing, correlation, and event detection.
  • Security Event Correlation: How different log sources are analyzed for incident detection.
  • Use Cases for Log Monitoring: Detecting lateral movement, brute-force attacks, and privilege escalation.

Day 06: Incident, Event, and Logging Management – Part 2

This module focuses on Wazuh cluster setup, scalability, and managing indices. Topics include:

  • Wazuh Cluster Setup and Scalability
  • Log Collection
  • Index Lifecycle Policies and Retention Strategy
  • Managing Indices in Wazuh

Lab:

  • Configuring FIM for critical systems
  • Integrating Wazuh with other security tools
  • Sending Wazuh data to external platforms

Day 07: Incidents, Events, and Logging – Part 3

This module focuses on advanced logging and detection capabilities in Wazuh. Topics include:

  • Network Devices Log, Agentless Log Collection Process, and Filtering
  • Understanding Wazuh Rules and Creating Custom Detection Rules
  • Configuring and Customizing Decoders for Log Types

Lab:

  • Wazuh custom log decoder
  • Wazuh custom rule set

Day 08: Enhanced Incident Detection with Threat Intelligence

This module delves into the importance of threat intelligence in enhancing incident detection. Topics include:

  • Introduction to Threat Intelligence (TI): What is TI and why is it crucial?
  • Types of Threat Intelligence: Strategic, operational, tactical, and technical TI.
  • Threat Intelligence Sources: OSINT, commercial feeds, government feeds, and dark web sources.
  • Threat Intelligence Platforms (TIPs): MISP, ThreatConnect, Anomali, Recorded Future.
  • Integrating TI into SIEM: How TI enhances alerting and correlation.
  • Threat Hunting Fundamentals: Proactive detection of threats using TI.
  • Threat Intelligence Sharing: ISACs, TAXII, STIX.

Day 09: Enhanced Incident Detection with Threat Intelligence – Part 2

This module continues with the integration and practical application of threat intelligence. Topics include:

  • Overview of Cyber Threat Intelligence (CTI) and Its Integration with SOC
  • Leveraging Wazuh Dashboards to Visualize Threats and Trends

Lab:

  • Automating responses based on alerts
  • Managing and querying centralized event data (CDB)
  • Simulating basic attacks (e.g., brute force)
  • Detecting an SQL injection attack
  • Detecting malware using YARA integration
  • Detecting hidden processes
  • Detecting a Shellshock attack

Day 10: Incident Response

This module teaches the incident response process, frameworks, and techniques used in SOC operations. Topics include:

  • Incident Response Lifecycle: NIST, SANS, and other frameworks.
  • Incident Classification & Prioritization: Criticality assessment, impact analysis.
  • Containment, Eradication, and Recovery: Best practices for handling security incidents.
  • Incident Handling Procedures: Steps for malware outbreaks, data breaches, and insider threats.
  • Forensic Analysis Basics: Memory forensics, disk forensics, and network forensics.
  • Incident Reporting & Documentation: Writing effective incident reports.
  • Post-Incident Review: Lessons learned, improving SOC efficiency.

1 review for Certified SOC Analyst (CSA) Course

  1. Muiz Shahab Uddin: 100% Recommended Course!
