|
1 - Discover
|
0 - Section Unlocks |
50 |
|
|
1.1 - Setting the Stage
|
1 - Discover |
50 |
|
|
1.2 - Messing with Time
|
1 - Discover |
50 |
|
|
1.3 - Choose index pattern
|
1 - Discover |
50 |
|
|
1.4 - Sort by field
|
1 - Discover |
50 |
|
|
1.5 - Open document
|
1 - Discover |
50 |
|
|
1.6 - IDS Data
|
1 - Discover |
50 |
|
|
1.7 - Zeek and you shall find
|
1 - Discover |
50 |
|
|
1.8 - ALL the logs
|
1 - Discover |
50 |
|
|
2 - Visualizations
|
0 - Section Unlocks |
50 |
|
|
2.1 - Highest Client Byte Count
|
2 - Visualizations |
50 |
|
|
2.2 - Client Peak Time
|
2 - Visualizations |
50 |
|
|
2.3 - Highest Server Byte Count
|
2 - Visualizations |
50 |
|
|
2.4 - Server Peak Time
|
2 - Visualizations |
50 |
|
|
3 - Lens
|
0 - Section Unlocks |
50 |
|
|
3.1 - Server port
|
3 - Lens |
50 |
|
|
3.2 - Record Count
|
3 - Lens |
50 |
|
|
3.3 - Summary data
|
3 - Lens |
50 |
|
|
3.4 - Record spike
|
3 - Lens |
50 |
|
|
4 - Dashboards
|
0 - Section Unlocks |
50 |
|
|
4.1 - Top Talkers
|
4 - Dashboards |
50 |
|
|
4.2 - Rush hour
|
4 - Dashboards |
50 |
|
|
4.3 - Out of the norm
|
4 - Dashboards |
50 |
|
|
4.4 - Connection count
|
4 - Dashboards |
50 |
|
|
4.5 - Default Time Buckets
|
4 - Dashboards |
50 |
|
|
4.6 - Default Peak Time
|
4 - Dashboards |
50 |
|
|
4.7 - New Time Buckets
|
4 - Dashboards |
50 |
|
|
4.8 - New Peak Count
|
4 - Dashboards |
50 |
|
|
4.9 - New Peak Time
|
4 - Dashboards |
50 |
|
|
4.10 - Flowing connections
|
4 - Dashboards |
50 |
|
|
4.11 - Byte Size
|
4 - Dashboards |
50 |
|
|
4.12 - HTTP Requests
|
4 - Dashboards |
50 |
|
|
4.13 - Uncommon Status Codes
|
4 - Dashboards |
50 |
|
|
4.14 - Hosts and Ports
|
4 - Dashboards |
50 |
|
|
4.15 - Uncommon Ports
|
4 - Dashboards |
50 |
|
|
5 - Security App - Explore
|
0 - Section Unlocks |
50 |
|
|
5.1 - Interactive
|
5 - Security App - Explore |
50 |
|
|
5.2 - Mandatory
|
5 - Security App - Explore |
50 |
|
|
5.3 - Hosts
|
5 - Security App - Explore |
50 |
|
|
5.4 - Who is making the most noise?
|
5 - Security App - Explore |
50 |
|
|
5.5 - Network
|
5 - Security App - Explore |
50 |
|
|
5.6 - Which tool?
|
5 - Security App - Explore |
50 |
|
|
5.7 - Dynamic
|
5 - Security App - Explore |
50 |
|
|
5.8 - Top domain
|
5 - Security App - Explore |
50 |
|
|
5.9 - Walking the path
|
5 - Security App - Explore |
50 |
|
|
5.10 - But Is It Local?
|
5 - Security App - Explore |
50 |
|
|
6 - Security App - Detection Rules
|
0 - Section Unlocks |
50 |
|
|
6.1 - Query types
|
6 - Security App - Detection Rules |
50 |
|
|
6.2 - Rule schedule
|
6 - Security App - Detection Rules |
50 |
|
|
6.3 - Sequencing
|
6 - Security App - Detection Rules |
50 |
|
|
7 - Security App - Alerts
|
0 - Section Unlocks |
50 |
|
|
7.1 - Get the message?
|
7 - Security App - Alerts |
50 |
|
|
7.2 - Abnormal User Agent
|
7 - Security App - Alerts |
50 |
|
|
8 - Security App - Timelines
|
0 - Section Unlocks |
50 |
|
|
8.1 - Change the data, change the world
|
8 - Security App - Timelines |
50 |
|
|
8.2 - Who's there?
|
8 - Security App - Timelines |
50 |
|
|
8.3 - How many?
|
8 - Security App - Timelines |
50 |
|
|
Hunt Training Gate
|
0 - Section Unlocks |
50 |
|
|
H1.1 - CONN Protocols
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.2 - Top Talkers - Originators
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.3 - Top Talkers - Responders
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.4.A - Top Service
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.4.B - Expected Port of Top Service
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.4.C - What about those other connections?
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.5 - Spike from one IP
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.6 - But at what time?
|
H1 - CONN - Aug 1 |
50 |
|
|
H1.7 - Recap
|
H1 - CONN - Aug 1 |
51 |
|
|
H2.1 - Top Talkers - HTTP
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.2 - What port is that?
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.3 - URI
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.4 - Status Code
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.5 - User Agents
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.6 - Referrers
|
H2 - HTTP - Aug 1 |
50 |
|
|
H2.7 - Recap
|
H2 - HTTP - Aug 1 |
50 |
|
|
H3.1 - SSL Version
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.2 - Non-standard Ports
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.3 - SSL Validation
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.4 - Validation failed on non-standard port
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.5 - More filters!
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.6 - Originating Host
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.7 - Responding Host
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.8 - Server Name
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.9 - SSL Issuer
|
H3 - SSL - Aug 1 |
50 |
|
|
H3.10 - Recap
|
H3 - SSL - Aug 1 |
50 |
|
|
H4.1 - Round 2!
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.2 - Responding Ports
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.3 - Suspicious Service
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.4 - Conn State
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.5 - Conn State - oh no
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.6 - Who else?
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H4.7 - Recap
|
H4 - CONN - Round 2 - Aug 1 |
50 |
|
|
H5.1 - What file?
|
H5 - FTP - Aug 1 |
50 |
|
|
H5.2 - Who did it?
|
H5 - FTP - Aug 1 |
50 |
|
|
H5.3 - Reply Message
|
H5 - FTP - Aug 1 |
50 |
|
|
H5.4 - Recap
|
H5 - FTP - Aug 1 |
50 |
|
|
H6.1 - Common Vectors
|
H6 - CONN - Round 3 - Aug 1 |
50 |
|
|
H6.2 - Email Service
|
H6 - CONN - Round 3 - Aug 1 |
50 |
|
|
H6.3 - Responding Host
|
H6 - CONN - Round 3 - Aug 1 |
50 |
|
|
H6.4 - Recap
|
H6 - CONN - Round 3 - Aug 1 |
50 |
|
|
Congratulations!
|
Hunt Complete! |
1000 |
|