My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.
OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. Then we will learn how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk /etc…
A quick overview of the training content:
- Day 1
- Introduction to OSSEC
- Day to day management
- Deployment (automation!)
- Maintenance
- Debugging
- Collecting events using homemade decoders and rules
- Reporting and alerting
- Day 2
- “Pimping†OSSEC with external feeds & data
- Automation using Active-Response
- Integration with external tools for better visibility
The schedule is online and the registration page is here. Please spread the word!