Get in Touch

Course Outline

Introduction and Course Orientation

  • Course objectives, expected outcomes, and laboratory environment setup.
  • High-level EDR architecture and an overview of OpenEDR components.
  • Review of the MITRE ATT&CK framework and fundamental threat-hunting concepts.

OpenEDR Deployment and Telemetry Collection

  • Installing and configuring OpenEDR agents on Windows endpoints.
  • Server components, data ingestion pipelines, and storage considerations.
  • Configuring telemetry sources, event normalisation, and enrichment processes.

Understanding Endpoint Telemetry and Event Modelling

  • Key endpoint event types, fields, and their mapping to ATT&CK techniques.
  • Event filtering, correlation strategies, and techniques for noise reduction.
  • Generating reliable detection signals from low-fidelity telemetry.

Mapping Detections to the MITRE ATT&CK Framework

  • Translating telemetry into ATT&CK technique coverage and identifying detection gaps.
  • Utilising ATT&CK Navigator and documenting mapping decisions.
  • Prioritising techniques for hunting based on risk and telemetry availability.

Threat Hunting Methodologies

  • Hypothesis-driven hunting versus indicator-led investigations.
  • Developing hunt playbooks and iterative discovery workflows.
  • Practical hunting labs: identifying patterns of lateral movement, persistence, and privilege escalation.

Detection Engineering and Tuning

  • Designing detection rules using event correlation and behavioural baselines.
  • Rule testing, tuning to minimise false positives, and measuring effectiveness.
  • Creating signatures and analytic content for reuse across the environment.

Incident Response and Root Cause Analysis with OpenEDR

  • Using OpenEDR to triage alerts, investigate incidents, and timeline attacks.
  • Forensic artifact collection, evidence preservation, and chain-of-custody considerations.
  • Integrating findings into incident response playbooks and remediation workflows.

Automation, Orchestration, and Integration

  • Automating routine hunts and alert enrichment using scripts and connectors.
  • Integrating OpenEDR with SIEM, SOAR, and threat intelligence platforms.
  • Scaling telemetry, retention policies, and operational considerations for enterprise deployments.

Advanced Use Cases and Red Team Collaboration

  • Simulating adversary behaviour for validation: purple-team exercises and ATT&CK-based emulation.
  • Case studies: real-world hunts and post-incident analyses.
  • Designing continuous improvement cycles for detection coverage.

Capstone Laboratory and Presentations

  • Guided capstone: conducting a full hunt from hypothesis through containment and root cause analysis using laboratory scenarios.
  • Participant presentations of findings and recommended mitigations.
  • Course wrap-up, materials distribution, and recommended next steps.

Requirements

  • A foundational understanding of endpoint security principles.
  • Experience in log analysis and basic Linux/Windows system administration.
  • Familiarity with common attack techniques and incident response methodologies.

Target Audience

  • Security Operations Centre (SOC) analysts.
  • Threat hunters and incident responders.
  • Security engineers responsible for detection engineering and telemetry management.
 21 Hours

Testimonials (2)

Upcoming Courses

Related Categories