Course Outline
Introduction and Course Orientation
- Course objectives, expected outcomes, and laboratory environment setup.
- High-level EDR architecture and an overview of OpenEDR components.
- Review of the MITRE ATT&CK framework and fundamental threat-hunting concepts.
OpenEDR Deployment and Telemetry Collection
- Installing and configuring OpenEDR agents on Windows endpoints.
- Server components, data ingestion pipelines, and storage considerations.
- Configuring telemetry sources, event normalisation, and enrichment processes.
Understanding Endpoint Telemetry and Event Modelling
- Key endpoint event types, fields, and their mapping to ATT&CK techniques.
- Event filtering, correlation strategies, and techniques for noise reduction.
- Generating reliable detection signals from low-fidelity telemetry.
Mapping Detections to the MITRE ATT&CK Framework
- Translating telemetry into ATT&CK technique coverage and identifying detection gaps.
- Utilising ATT&CK Navigator and documenting mapping decisions.
- Prioritising techniques for hunting based on risk and telemetry availability.
Threat Hunting Methodologies
- Hypothesis-driven hunting versus indicator-led investigations.
- Developing hunt playbooks and iterative discovery workflows.
- Practical hunting labs: identifying patterns of lateral movement, persistence, and privilege escalation.
Detection Engineering and Tuning
- Designing detection rules using event correlation and behavioural baselines.
- Rule testing, tuning to minimise false positives, and measuring effectiveness.
- Creating signatures and analytic content for reuse across the environment.
Incident Response and Root Cause Analysis with OpenEDR
- Using OpenEDR to triage alerts, investigate incidents, and timeline attacks.
- Forensic artifact collection, evidence preservation, and chain-of-custody considerations.
- Integrating findings into incident response playbooks and remediation workflows.
Automation, Orchestration, and Integration
- Automating routine hunts and alert enrichment using scripts and connectors.
- Integrating OpenEDR with SIEM, SOAR, and threat intelligence platforms.
- Scaling telemetry, retention policies, and operational considerations for enterprise deployments.
Advanced Use Cases and Red Team Collaboration
- Simulating adversary behaviour for validation: purple-team exercises and ATT&CK-based emulation.
- Case studies: real-world hunts and post-incident analyses.
- Designing continuous improvement cycles for detection coverage.
Capstone Laboratory and Presentations
- Guided capstone: conducting a full hunt from hypothesis through containment and root cause analysis using laboratory scenarios.
- Participant presentations of findings and recommended mitigations.
- Course wrap-up, materials distribution, and recommended next steps.
Requirements
- A foundational understanding of endpoint security principles.
- Experience in log analysis and basic Linux/Windows system administration.
- Familiarity with common attack techniques and incident response methodologies.
Target Audience
- Security Operations Centre (SOC) analysts.
- Threat hunters and incident responders.
- Security engineers responsible for detection engineering and telemetry management.
Testimonials (2)
Clarity and pace of explanations
Federica Galeazzi - Aethra Telecomunications SRL
Course - AI-Powered Cybersecurity: Advanced Threat Detection & Response
It did give me the insight what I needed :) I am starting teaching on a BTEC Level 3 qualification and wanted to widen my knowledge in this area.