WEBVTT

0:00:00.480000 --> 0:00:05.980000
 Hello everyone and welcome to the Incident
 Response Detection course summary.

0:00:05.980000 --> 0:00:10.240000
 So this is going to be the final video
 in this course before we jump to

0:00:10.240000 --> 0:00:15.680000
 the next course which is tied in very
 closely to this one which is the

0:00:15.680000 --> 0:00:17.140000
 Analysis course.

0:00:17.140000 --> 0:00:22.140000
 So in this video like in all summary
 videos I'm going to give you you

0:00:22.140000 --> 0:00:25.640000
 know summary we're going to go through
 what we covered in this course.

0:00:25.640000 --> 0:00:33.860000
 We're also going to whether you know
 I covered everything and that you

0:00:33.860000 --> 0:00:38.260000
 know what you're supposed to know and
 you're able to do what you know

0:00:38.260000 --> 0:00:41.760000
 I laid out you are going to be able
 to do in the course overview video.

0:00:41.760000 --> 0:00:47.140000
 So let's revisit the key concepts as
 outlined in the course overview.

0:00:47.140000 --> 0:00:50.700000
 So firstly you know we have the role
 of detection in the Incident Response

0:00:50.700000 --> 0:00:55.920000
 life cycle. We also have you know understanding
 events alerts and incidents

0:00:55.920000 --> 0:01:04.760000
 and then log sources and detection rules
 and alert triage and SIEM operation.

0:01:04.760000 --> 0:01:09.320000
 So from this point of view or from
 the perspective of the key concepts

0:01:09.320000 --> 0:01:16.000000
 we pretty much covered each of these
 in its own section or to a certain

0:01:16.000000 --> 0:01:22.380000
 extent in its own way in relation to
 detection in the you know an incident

0:01:22.380000 --> 0:01:23.600000
 response specifically.

0:01:23.600000 --> 0:01:27.300000
 So that's a recap of the key concepts.

0:01:27.300000 --> 0:01:32.660000
 Now you know let's revisit the learning
 outcomes to again verify that

0:01:32.660000 --> 0:01:38.580000
 you know we covered or I covered what
 I was supposed to in assistance

0:01:38.580000 --> 0:01:43.560000
 or in aid of giving you the knowledge,
 skills and abilities you know that

0:01:43.560000 --> 0:01:46.480000
 I outlined in the course overview video.

0:01:46.480000 --> 0:01:52.160000
 So these learning outcomes are unchanged
 from the course overview video.

0:01:52.160000 --> 0:01:57.620000
 So firstly by the end of this you'll
 be able to identify and work with key log

0:01:57.620000 --> 0:02:02.020000
 sources across environments and indeed
 we covered that to you know in

0:02:02.020000 --> 0:02:02.980000
 quite a bit of detail.

0:02:02.980000 --> 0:02:07.360000
 We went you know through the whole process
 of understanding the various

0:02:07.360000 --> 0:02:12.680000
 log sources, how logging works on operating
 systems like Windows and Linux,

0:02:12.680000 --> 0:02:16.380000
 the various other types of log sources
 like application logs, network

0:02:16.380000 --> 0:02:22.260000
 logs etc. So I'm fairly or quite happy
 with the coverage of that or how

0:02:22.260000 --> 0:02:25.080000
 we dealt with that learning outcome.

0:02:25.080000 --> 0:02:28.260000
 Secondly you'll have the ability to
 use Splunk and ELK for centralized

0:02:28.260000 --> 0:02:32.460000
 detection or you know as a SIEM as
 it were and indeed we covered this

0:02:32.460000 --> 0:02:38.260000
 quite extensively both in the case
 of Splunk and ELK although you know

0:02:38.260000 --> 0:02:42.900000
 with different objectives but you know
 the lab environments you know were

0:02:42.900000 --> 0:02:49.660000
 useful in providing you with, in
 some cases, or for some of

0:02:49.660000 --> 0:02:52.600000
 you, your first experience
 with these SIEMs.

0:02:52.600000 --> 0:02:57.060000
 So you know I think we covered that
 quite well and we went through you

0:02:57.060000 --> 0:03:03.200000
 know various examples or scenarios that
 led to you understanding but also

0:03:03.200000 --> 0:03:08.500000
 getting you know practical experience
 with you know creating rules whether

0:03:08.500000 --> 0:03:12.880000
 they be you know stand and not creating
 rules specifically but creating

0:03:12.880000 --> 0:03:17.920000
 searches and then based on those searches
 creating you know different

0:03:17.920000 --> 0:03:20.380000
 rules and understanding that process.

0:03:20.380000 --> 0:03:25.560000
 We also have the third learning outcome
 which is to do with the process

0:03:25.560000 --> 0:03:31.000000
 of analyzing or having the ability to analyze
 alerts, IOCs and false positives

0:03:31.000000 --> 0:03:35.060000
 and again we covered that
 in quite a bit of detail.

0:03:35.060000 --> 0:03:42.600000
 IOCs we covered you know I would say
 quite well and you know when we got

0:03:42.600000 --> 0:03:46.120000
 to that particular point in the course
 I actually showed you how IOCs

0:03:46.120000 --> 0:03:52.920000
 relate to information contained
 in an event and why IOCs are

0:03:52.920000 --> 0:03:59.640000
 important and the role they play in
 incident response and then finally

0:03:59.640000 --> 0:04:03.780000
 you'll have the ability to build effective
 detection rules for real-world

0:04:03.780000 --> 0:04:08.920000
 incidents which ties in to the second
 learning outcome and the process of

0:04:08.920000 --> 0:04:13.200000
 writing searches so again we covered
 that both theoretically in quite

0:04:13.200000 --> 0:04:17.460000
 a bit of detail but also practically
 through the use of the practical

0:04:17.460000 --> 0:04:19.640000
 labs that we went through.

0:04:19.640000 --> 0:04:25.020000
 So that's a recap of the learning outcomes
 and now let's take a look at

0:04:25.020000 --> 0:04:29.660000
 some real-world applications or some
 next steps that you can take with

0:04:29.660000 --> 0:04:34.040000
 regard to what you've learned
 in this particular course.

0:04:34.040000 --> 0:04:37.480000
 So I would highly recommend that you
 study real-world incident reports

0:04:37.480000 --> 0:04:45.960000
 and post-mortems to you specifically
 I would recommend that you analyze

0:04:45.960000 --> 0:04:50.420000
 public breach reports for example you
 know from Mandiant, CISA or Microsoft

0:04:50.420000 --> 0:04:55.340000
 in order to see how you know professionals
 or professional incident responders

0:04:55.340000 --> 0:05:01.220000
 apply detection specifically detection
 but also detection and analysis

0:05:01.220000 --> 0:05:04.300000
 techniques when dealing with
 real-world incidents.

0:05:04.300000 --> 0:05:11.160000
 Now more specific to this particular
 course what are the next steps?

0:05:11.160000 --> 0:05:15.000000
 Well I would highly recommend that you
 advance to the next or the following

0:05:15.000000 --> 0:05:19.480000
 sequential course which is Incident
 Response Analysis because it picks

0:05:19.480000 --> 0:05:23.900000
 up from where we left off at the end
 of this course by now you know diving

0:05:23.900000 --> 0:05:30.820000
 deeper into the analysis phase of the
 detection and analysis phase of

0:05:30.820000 --> 0:05:33.080000
 incident response.

0:05:33.080000 --> 0:05:40.400000
 I'd also highly recommend that you
 practice what you've learned

0:05:40.400000 --> 0:05:44.560000
 with the course labs or the labs included
 in this course or other Skill Dive

0:05:44.560000 --> 0:05:47.420000
 labs on the INE platform.

0:05:47.420000 --> 0:05:51.120000
 With that being said that brings us to
 the end of this video and consequently

0:05:51.120000 --> 0:05:56.900000
 the end of this course it was a you
 know great experience for me going

0:05:56.900000 --> 0:06:01.380000
 through you know detection as a whole
 but also giving you an understanding

0:06:01.380000 --> 0:06:05.880000
 of the role it plays in incident
 response and more specifically

0:06:05.880000 --> 0:06:11.760000
 in the detection and analysis phase
 of the incident response life cycle.

0:06:11.760000 --> 0:06:15.580000
 So that's going to be it for this
 course and that's going to be it

0:06:15.580000 --> 0:06:21.320000
 for me I'll be seeing you in the next
 course which deals with analysis

0:06:21.320000 --> 0:06:25.200000
 or specific to analysis and with that
 being said that's going to be it

0:06:25.200000 --> 0:06:27.620000
 and I'll be seeing you
 in the next course.

