Description
Turn raw flow records into actionable detections and clean reconstructions of who talked to whom, when, and how much. You will build time‑windowed features that reveal spikes, drops, and fan‑out patterns that signatures miss. We demonstrate heavy‑hitter logic, ratio alerts, moving medians, and burst detectors that withstand noisy daytime traffic. Case studies show how to detect lateral movement, exfiltration hints, and command‑and‑control beacons using only flows. You will practice incident triage: isolate a suspicious conversation, pivot by ASN, and build a concise timeline for responders. A focus on false positives teaches you to anchor alerts to context such as business hours, maintenance windows, and known backup jobs. Included dashboards turn forensic steps into repeatable queries your team will actually reuse. By completion, you can explain findings in plain language backed by queries anyone on the team can rerun. The goal is not more alerts; it is better, defensible signals that speed resolution.
Format
Detection recipes, query library, case study videos, forensic timeline templates, ratio/median calculators
Duration
3.5 hours self‑paced
What You’ll Learn
– Heavy‑hitter & burst logic
– Beacon & exfil signals
– ASN and service pivots
– False‑positive reduction
– Forensic timelines
– Reusable query patterns
Target Audience
SecOps analysts, blue teams, and network engineers supporting investigations