Security Use‑Cases with Enrichment

$52.00


SKU: 6f1d6a524ccb

Description

Upgrade your flow analytics with context that makes detections trustworthy and fast to triage. You will enrich flows with DNS, asset inventory, user identity, and GeoIP while keeping storage and joins affordable. A field‑mapping guide shows where to attach tags, how to keep cardinality sane, and when to prefer lookup tables over in‑line expansion. We demonstrate service discovery for common ports that move, such as internal proxies and app gateways. You will implement allow‑lists for backup networks and watchlists for high‑risk destinations without drowning in exceptions. Hands‑on queries convert enrichment into triage speed: one click from alert to owner, role, and criticality. Dashboards include MITRE‑style groupings for lateral movement, persistence, and data staging behaviors visible in flows. By completion, your flow pipeline becomes a dependable first lens for security operations—not a noisy side channel. The package ships with red‑team replay examples to test your setup safely.
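An added example of the enrichment pattern described above (not code from the course package): flow records are joined against a small asset inventory and a CIDR-keyed destination lookup table, the backup allow-list is scoped by role and port rather than by host, and a watchlist hit carries owner, role, and criticality for the analyst. The inventory, networks, ports, and flow records are constructed sample data.

```python
import ipaddress

# Constructed sample tables (assumed data, not from the course package).
# Asset inventory keyed by IP -> the three low-cardinality tags triage needs.
ASSET_INVENTORY = {
    "10.1.5.20": ("dba-team", "db-server", "high"),
    "10.1.9.7": ("backup-ops", "backup-agent", "medium"),
}
# Destination lookup keyed by CIDR -> one tag (no in-line list expansion per flow).
DEST_TAGS = {
    ipaddress.ip_network("10.200.0.0/16"): "backup-net",
    ipaddress.ip_network("203.0.113.0/24"): "high-risk-dest",
}
BACKUP_PORTS = {873, 10000}  # assumed rsync / backup-agent ports

def cidr_lookup(table, ip):
    """Longest-prefix match of an address against a CIDR-keyed table."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, tag) for net, tag in table.items() if addr in net]
    return max(hits)[1] if hits else None

def enrich(flow):
    """Attach owner/role/criticality of the source and a single tag for the destination."""
    owner, role, crit = ASSET_INVENTORY.get(flow["src"], ("unknown",) * 3)
    return {**flow, "src_owner": owner, "src_role": role, "src_crit": crit,
            "dst_tag": cidr_lookup(DEST_TAGS, flow["dst"])}

def triage(flow):
    """Apply the scoped allow-list and the watchlist; return the flow with a verdict."""
    e = enrich(flow)
    # Allow-list is scoped by role AND port: one rule covers every backup agent
    # without a blanket exception for each host that ever talks to the backup VLAN.
    if e["dst_tag"] == "backup-net" and e["src_role"] == "backup-agent" \
            and flow["dport"] in BACKUP_PORTS:
        e["verdict"] = "suppress"
    elif e["dst_tag"] == "high-risk-dest":
        e["verdict"] = "alert"    # owner/role/crit are already attached for the analyst
    elif e["dst_tag"] == "backup-net":
        e["verdict"] = "review"   # non-backup host writing to backup storage
    else:
        e["verdict"] = "normal"
    return e

# Constructed flow records (src, dst, dport, bytes).
FLOWS = [
    {"src": "10.1.9.7", "dst": "10.200.3.4", "dport": 873, "bytes": 5_000_000},
    {"src": "10.1.5.20", "dst": "10.200.3.4", "dport": 873, "bytes": 90_000_000},
    {"src": "10.1.5.20", "dst": "203.0.113.9", "dport": 443, "bytes": 2_000_000},
    {"src": "10.1.5.20", "dst": "198.51.100.5", "dport": 443, "bytes": 10_000},
]
```

Running `triage` over `FLOWS` yields suppress, review, alert, normal in that order; only the alert and review rows reach an analyst, each already tagged with the source owner and criticality.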
Format
Enrichment mapping sheets, lookup table samples, detection dashboards, red‑team replay pcaps, triage playbooks
Duration
4 hours self‑paced
What You’ll Learn
– DNS/asset/identity joins
– Cardinality control
– Allow‑lists & watchlists
– Service discovery patterns
– MITRE‑aligned flow views
– Triage acceleration
Target Audience
Security engineers, threat hunters, and network teams building context‑rich detections
