SentinelOne Incident Responder Course

16 hours

Overview

This SentinelOne Incident Responder course provides the knowledge and skills needed to use the SentinelOne platform effectively to identify and respond to incidents.

Objective

By attending the SentinelOne Incident Responder course, participants will learn:

  • Gain a strong understanding of the SentinelOne console
  • Filtering functionality
  • Search functionality
  • Threat analysis
  • Mitigation and resolution workflow
  • Managing the blacklist
  • Managing exclusions
  • Application risk management
  • Remote Shell
  • Deep Visibility
  • Working with reports
  • IR threat hunting

Target Audience

  • Security analysts
  • Security operations
  • Security architects

Prerequisites

  • Understanding of networks and network security
  • Understanding of fundamental information security concepts
  • Familiarity with the Microsoft Windows environment

Materials

English + Exercises + Hands-on Lab

Course Outline

Introduction

  1. What is SentinelOne
  2. SentinelOne Versions
  3. SentinelOne Strengths
  4. Underlying Technology
  5. SentinelOne Ranger
  6. SentinelOne Vigilance
  7. SentinelOne Resources

S1 Capabilities and Management Console Overview

  1. Getting Logged in
  2. AI Engines
  3. Automatic/Manual Response
  4. Endpoint Firewall
  5. Device Control
  6. Incident Response
  7. Threat Hunting
  8. Ranger
  9. Application Risk Management
  10. Activity
  11. Reports
  12. Dashboard
  13. Settings

SentinelOne Investigator

  1. Getting Logged in
  2. AI Engines Explained
  3. Remediating Simple Malware
    1. Review incident
    2. Explore Incident
    3. Kill and quarantine
    4. Black list
    5. Un-Quarantine
    6. Exceptions
    7. Story line
    8. Remediation
  4. Remediating Ransomware
    1. Review incident
    2. Explain Rollback
  5. Device Control
  6. Firewall Control Managing Blacklists
  7. Managing Exclusions
    1. Hash
    2. Path
    3. Signer Identity
    4. File Type
    5. Browser
  8. Analyzing Threats
    1. Threat Management
    2. Mitigation Actions
    3. On-Demand File Fetch
  9. Full Disk Scan
  10. Management Console Dashboard
    1. Working with Widgets
  11. Application Risk Management
  12. Remote Shell

Introduction to Regular Expressions

  1. What is a Regular Expression?
  2. Literals vs. Operators
  3. RegEx Syntax
    1. Escape Characters
    2. Or Operators
    3. Sets
    4. Repetition Operators
    5. Metacharacters
    6. Character Classes
    7. Pattern Anchors
    8. Capturing & Non-Capturing Groups

Ranger Administration

  1. Understanding Deep Visibility
  2. How to Use Deep Visibility
  3. Threat Hunting Query
  4. Take Action from the Visibility Page
  5. Deep Visibility Query Syntax
  6. Deep Visibility Use Cases
  7. Hunting Abnormal Behavior on an Endpoint
  8. Responding to Incidents with Deep Visibility
  9. Configuring Deep Visibility Data Collection
  10. Saving Threat Hunting Queries and Watchlists
  11. Working with Saved Deep Visibility Queries
  12. Query with Custom Time Range
  13. Managing the Browser Extension
  14. Supported File Types for Deep Visibility

Mindset of a Threat Hunter

  1. EC Council's 17 Phases
  2. What is Threat Hunting
  3. What a Blue Team does and which skills to take away from Blue Team experience
  4. What a Red Team does and which skills to take away from Red Team experience
  5. Intel
    1. Intel the process
    2. Intel the product
    3. ATT&CK MITRE
    4. Common Vocabulary
    5. Behaviors > Indicators
  6. Paranoia
  7. The cycle of thought that drives threat hunting
  8. Supported File Types for Deep Visibility

Hunting, Not Searching

  1. Difference between searching and hunting
  2. Knowing when searching is OK
  3. Building better hunts
  4. Postulating
  5. Creating and testing an attack hypothesis
  6. IOCs, TTPs and Storyline

Advanced IR

  1. Techniques
    1. S1QL
    2. Watchlists/WAR
    3. Hunter Extension
    4. Hermes
    5. SIEM/SOAR
  2. Remote Shell
    1. Scripting and Remote Execution
    2. Architecture
    3. Execution
  3. Reporting

Threat Hunting with SentinelOne

  1. Containment and Acquisition
    1. Network Quarantine
    2. File Fetch
  2. Alerts
    1. Incident Threats Page
    2. Notes
    3. MITRE Mapping
  3. Deep Visibility
    1. Storyline
    2. 30 days of Event Data
  4. Remote Shell
    1. Using other Forensic Kits (Scripts)
    2. Issuing WMI Commands
  5. "Mark as Threat" Workflow
  6. Rollback
  7. Remediation
  8. Device Control
  9. Firewall Orchestration
  10. Group Policies
  11. API

Ranger Monitoring

  1. Recognizing rogue systems
  2. Categorizing unknown systems
  3. Understanding search results