RSA Intelligence-Driven Event Analysis


Participants learn about intelligence-driven SOC processes, standard operating procedures (SOPs), and monitoring tools. They learn to recognize the formats associated with the various sources of information available in a network environment. The program follows the end-to-end workflow of a Security Analyst, including all appropriate steps that are needed to handle each type of identified security incident.


Duration: 2 days (16 hours)

Course Objectives

Upon completing the program, participants should be able to:

  • Identify the roles and responsibilities in a SOC.
  • Interpret sources of information in a SOC.
  • Describe how Security Analysts interact with information and data in the SOC environment.
  • Monitor incoming event queues for potential security events and/or incidents using various security tools per operational procedures.
  • Perform initial investigation and triage of potential incidents.
  • Investigate/analyze an incident.
  • Escalate an incident for further analysis aligned to SOPs.
  • Document and communicate investigative results aligned to escalation and/or handoff SOPs.
  • Walk through an incident from alert to escalation to closure.
  • Apply concepts that are learned in the classroom setting to their specific working environment.

Who should attend

IT professionals with 2 to 3 years of experience in a troubleshooting role, such as a systems/network engineer, a system administrator, a network operations analyst, or a newly hired security analyst. Knowledge of security fundamentals is required.

Course outline

    1.     Roles and Responsibilities in a Security Operations Center

    • Describe the purpose of a Security Operations Center (SOC) and its basic structure.
    • Define an event and an incident and describe the difference between the two terms.
    • Identify the roles and responsibilities in a SOC.
    • Name some of the tools that are commonly used to monitor events in the SOC.
    • Outline some of the key components in the incident processing workflow.

    2.     Interpreting Sources of Information

    • Diagram the components and tools of the technical environment you are working in
    • Categorize sources of information available to a security analyst
    • Recognize information formats
    • Establish the context of the observed information/data
    • Assimilate external threat data and threat intelligence
    • Apply internal and external sources of intelligence to an incident

    3.     Interacting with Information (Identifying Events)

    • Become the ‘eyes on glass’
    • Analyze logs from distributed system and network security devices
    • Monitor all alerting systems
    • Inspect network packet data
    • View information using a console

    4.     Correlating Events

    • Define event correlation
    • Use several correlation engines
    • Assist in the identification of potential computer and communications security issues
    • Correlate events and incidents with a knowledge base of historical events and incidents

    5.     Triaging Events

    • Follow the triage process
    • Prioritize incidents
    • Apply standard operating procedures

    6.     Analyzing incidents using sources of information

    • Explain the incident – is your system infected?
    • Demonstrate fundamental understanding of all standard information sources
    • Determine whether an incident occurred and handle appropriately

    7.     Escalation and Handoff

    • Escalate an event for further analysis to the incident handler
    • Follow the SLA to resolution or escalation
    • Standard operating procedures and analysis

    8.     Documenting and Communicating Issues

    • Update the internal knowledge base and wiki
    • Perform maintenance activities on security related databases
    • Assimilate external threat data and threat intelligence