

SEC450: Blue Team Fundamentals: Security Operations and Analysis

Is your organization looking for a quick and effective way to onboard new Security Analysts, Engineers, and Architects? Do your Security Operations Center (SOC) managers need additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC?

SEC450 is an accelerated on-ramp for new cyber defense team members and SOC managers. This course introduces students to the tools common to a defender's work environment, and packs in all the essential explanations of tools, processes, and data flow that every blue team member needs to know.

Students will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. Students will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on their network.

The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:

  • Security Information and Event Management (SIEM)
  • An incident tracking and management system
  • A threat intelligence platform
  • Packet capture and analysis
  • Automation tools

While cyber defense can be a challenging and engaging career, many SOCs are negatively affected by turnover. To preemptively tackle this problem, this course also presents research-backed information on preventing burnout and how to keep engagement high through continuous growth, automation, and false positive reduction. Students will finish the course with a full-scope view of how collection and detection work, how SOC tools are used and fit together, and how to keep their SOC up and running over the long term.

Course Syllabus


This day starts with an introduction to the blue team, the mission of a SOC, and how to understand an organization's threat model and risk appetite. It is focused on top-down learning to explain the mindset of an analyst, the workflow, and monitoring tools used in the battle against attackers. Throughout this course day students will learn how SOC information management tools fit together, including incident management systems, threat intelligence platforms, SIEMs, and SOAR tools. We end the day describing the various groups of attackers, how their methods differ, and their motivations.

CPE/CMU Credits: 6

  • Introduction to the Blue Team Mission
    • What is a SOC? What is the mission?
    • Why are we being attacked?
    • Modern defense mindset
    • The challenges of SOC work
  • SOC Overview
    • The people, process, and technology of a SOC
    • Aligning the SOC with the business
    • SOC functional components and organizational chart
    • Tiered vs. tierless SOCs
    • Important operational documents
  • Defensible Network Concepts
    • Understanding what it takes to be defensible
    • Network security monitoring (NSM) concepts
    • NSM event collection
    • Network zones
    • NSM at all network layers
    • Continuous security monitoring (CSM) concepts
    • CSM event collection
    • Monitoring sources overview
    • Data formats and centralization
    • Collecting data vs. metadata
  • Events, Alerts, Anomalies, and Incidents
    • Event collection
    • Event log flow
    • Alert collection
    • Alert triage and log flow
    • Alerts vs. anomalies
    • Alert triage workflow and incident creation
  • Incident Management Systems
    • SOC data organization tools
    • Incident management systems options and features
    • Data flow in incident management systems
    • Case creation, alerts, observables, playbooks, and workflow
    • Incident categorization framework
  • Threat Intelligence Platforms
    • What is cyber threat intelligence?
    • Threat data vs. information vs. intelligence
    • Threat intel platform options and features
    • Event creation, attributes, correlation, and sharing
  • SIEM
    • Benefits of data centralization
    • SIEM options and features
    • SIEM searching, visualizations, and dashboards
    • Use cases and use case databases
  • Automation and Orchestration
    • How SOAR works and benefits the SOC
    • Options and features
    • SOAR value-adds and API interaction
    • Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
  • Who Are Your Enemies?
    • Who's attacking us and what do they want?
    • Opportunistic vs. targeted attackers
    • Hacktivists, insiders, organized crime, governments
    • Motivation by attacker group
    • Case studies of different attack groups
    • Attacker group naming conventions

Day 2 begins the technical journey of understanding the environment. To defend a network, you must thoroughly understand its architecture and the impact that it will have on analysis. This day introduces the concepts of a modern organization's network traffic flow by dissecting a basic home Internet connection and describing the features necessary for segmentation and monitoring. These modules ensure that students have a firm grasp on how network design affects their "view of the world" as an analyst.

We then go in-depth on common network services. Day 2 provides thorough working explanations of the current and upcoming features of DNS, HTTP(S), SMTP, and more, with a focus on the most important points for analysts to understand. These sections explain what normal data look like, as well as the common fields and areas that are used to spot anomalous behavior. The focus will be on quickly recognizing the common tricks used by attackers to turn these everyday services against us.

CPE/CMU Credits: 6

  • Corporate Network Architecture
    • Comparing home networks to your organization
    • Zones and traffic flow
    • Switches and VLANs
    • The logical vs. physical network
    • Points of visibility
    • Traffic capture
    • Home firewall vs. corporate next-gen firewall capabilities
    • Network architecture design ideals
    • Zero-trust architecture and least-privilege
    • Academia and other special cases
  • Traffic Capture and Visibility
    • Network traffic capture formats
    • NetFlow, Nfdump, and TShark
    • PCAP and layer 7 metadata collection
    • Wireshark and Moloch
  • Understanding DNS
    • Name to IP mapping structure
    • Request types
    • Setting records via registrars and on your own server
    • A and AAAA records
    • PTR records and when they might fail
    • TXT records and their uses
    • CNAME records and their uses
    • MX records for mail
    • SRV records
    • SOA records
    • NS records and glue records
    • DNS server and client types (stub resolvers, forwarding, caching, and authoritative servers)
    • Walkthrough of a recursive DNS resolution
  • DNS analysis and attacks
    • Detecting requests for malicious sites
    • Checking domain reputation, age, randomness, length, subdomains
    • Reverse DNS lookups and passive DNS
    • Shared hosting
    • Detecting DNS recon
    • Unauthorized server use
    • Domain shadowing
    • DNS tunneling
    • DNS traffic flow and analysis
    • IDNs, punycode, and lookalike domains
    • New DNS standards (DNS over TLS, DNS over HTTPS, DNSSEC)
  • Understanding HTTP and HTTPS
    • Decoding URLs
    • HTTP communication between client and server
    • Browser interpretation of HTTP
    • GET, POST, and other methods
    • Request headers
    • Response headers
    • Response codes
    • The path to the Internet
    • REST APIs
    • WebSockets
    • HTTP/2 & HTTP/3
  • Analyzing HTTP for Suspicious Activity
    • HTTP attack and analysis approaches
    • Credential phishing
    • Reputation checking
    • Sandboxing
    • URL and domain OSINT
    • Header and content analysis
    • User-agent deconstruction
    • Cookies
    • How Base64 encoding works and conversion
    • File extraction and analysis
    • High-frequency GET/POST activity
    • Host headers and naked IP addresses
    • Exploit kits and malicious redirection
    • HTTPS and certificate inspection
    • SSL decryption -- what you can do with/without it
    • TLS 1.3
  • How SMTP and Email Attacks Work
    • Email delivery infrastructure
    • MUAs and MTAs
    • Ports and protocols for email sending and receiving
    • Reading email headers
    • Identifying spoofed email
    • Decoding attachments
    • How email spoofing works
    • How SPF works
    • How DKIM works
    • How DMARC works
  • Additional Important Protocols
    • SMB -- versions and typical attacks
    • DHCP for defenders
    • ICMP and how it is abused
    • FTP and attacks
    • SSH and attacks
    • PowerShell remoting

It is extremely difficult to succeed at cyber defense without knowing where and how your data is produced, so day 3 takes us down to the host, logging, and file level. Starting with a survey of common endpoint-based attack tactics, we orient students to the array of techniques that are used against their hosts. These first sections, followed by a section on defense in-depth, will give students an idea of how each step of the attack lifecycle aligns with its defensive tools, and what students can use to prevent and detect adversary attack advancement on their endpoints.

To further prepare students for attack detection, these sections are followed by a thorough review of how Linux and Windows logging works. Reviewing logging capabilities gives students perspective on which logs will be present on any given system, where to find them, and how to interpret them. We cover several high-importance log events and provide an in-depth explanation of how to interpret Windows Kerberos logs. The course day then turns to the parsing and enrichment of logs, as well as how the SIEM normalization and categorization processes work. These topics give a complete view of what happens from the moment a log is generated to when it shows up in our security tools.

Many new analysts struggle to understand how files are structured at a low level and therefore are hesitant when it comes to answering questions such as "could a file of type x be used for evil?" The final part of day 3 provides students with the concepts needed to reason through the answer, diving into files at the byte level. We explain the difference between binary and text-based files, and what makes a file a valid document, pdf, .exe, or something else. We also explain file-based exploitation methods and the features and formats most commonly seen in attacks. Concepts such as using strings, hashes, and file signatures are explained to show students how to quickly and accurately identify potentially malicious file samples. Students will finish this day understanding how different common file formats work, how they are typically weaponized, and how to quickly decide whether or not a given sample is likely to be malicious.

CPE/CMU Credits: 6

  • Endpoint Attack Tactics
    • Endpoint attack centricity
    • Initial exploitation
    • Service-side vs. client-side exploits
    • Post-exploitation tactics, tools, and explanations -- execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
  • Endpoint Defense In-Depth
    • Network scanning and software inventory
    • Vulnerability scanning and patching
    • Anti-exploitation
    • Whitelisting
    • Host intrusion prevention and detection systems
    • File integrity monitoring
    • Privileged access workstations
    • Windows privileges and permissions
    • Endpoint detection and response tools
    • File and drive encryption
    • Data loss prevention
    • User and entity behavior analytics
  • How Windows Logging Works
    • Logging approaches
    • Channels, event IDs, and sources
    • XML format and event templates
    • Log collection path
    • Channels of interest
  • How Linux Logging Works
    • Syslog log format
    • Syslog daemons
    • Syslog network protocol
    • Log collection path
    • Additional command line auditing options
    • Application logging
    • Service vs. system logs
  • Interpreting Important Events
    • Windows and Linux login events
    • Process creation logs for Windows and Linux
    • Additional activity monitoring
    • Firewall events
    • Object and file auditing
    • Service creation and operation logging
    • New scheduled tasks
    • USB events
    • User creation and modification
    • PowerShell logging
  • Kerberos and Active Directory Events
    • Authentication and ticket granting service
    • How the Kerberos security model works
    • Kerberos authentication steps
    • Kerberos log events in detail
  • Log Collection, Parsing, and Normalization
    • Logging pipeline and collection methods
    • Windows vs. Linux log agent collection options
    • Parsing unstructured vs. structured logs
    • The role of parsing and log enrichment
    • Log normalization and categorization process
    • Log storage and retention lifecycle
  • File Contents and Identification
    • File contents at the hex level
    • How to identify a file by the bytes
    • Magic bytes
    • Nested files
    • Strings -- uses, encoding options, and viewing
  • Identifying and Handling Suspicious Files
    • Safely handling suspicious files
    • Dangerous file types
    • Exploits vs. program "features"
    • Exploits vs. Payloads
    • Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
    • Hashing and signature verification
    • Signature inspection and safety of verified files
    • Inspection methods, detecting malicious scripts and other files

Now that the course has covered the ground required to understand the tools and data most frequently encountered by analysts, it's time to focus on analysis itself. This day will focus on how the analysis process works and explain how to avoid the common mistakes new analysts can slip into. We can combat the tendency to overlook the obvious by examining how memory and perception affect analysis and how cognitive biases cause us to fail to see what is right in front of us. The goal is to teach students not only how to think clearly, but also how to explain and leave a trail of how they reached their conclusions that can support future analysis and act as an audit trail.

In addition, we will cover many of the mental models and concepts used in information security from both the offensive and defensive perspectives. Students will then use these models to look at an alert queue and get a quick and intuitive understanding of which alerts may pose the biggest threat, and thus must be attended to first. Safe analysis techniques and operational security concerns are covered to ensure that we do not give up our tactical advantage during the investigation process. We'll discuss specifics on alert triage methods and prioritization, as well as investigation techniques, so that students will leave this day better prepared to understand their alert queues and perform error-free investigation.

CPE/CMU Credits: 6

  • Alert Triage and Prioritization
    • Priority for triage
    • Spotting late-stage attacks
    • Attack lifecycle models
    • Spotting exfiltration and destruction attempts
    • Attempts to access sensitive users, hosts, and data
    • Targeted attack identification
    • Lower-priority alerts
    • Alert validation
  • Perception and Investigation
    • Psychology of intelligence analysis
    • The role of perception in observation and analysis
    • Effects of expectation and new information
    • Challenges of accurate perception in the SOC environment
  • Memory and Investigation
    • How memory affects analysis
    • Long-term memory and mental schemas
    • The memory of experienced practitioners vs. novices
    • Efficiently committing info to long-term memory
    • How the limitations of short-term memory affect analysis
    • The fix for short-term memory limitations
    • Memory and experience vs. creativity
  • Mental Models for Information Security
    • Network and file encapsulation
    • Cyber kill chain, campaign analysis, indicator types, courses of action
    • Defense in-depth
    • NIST cybersecurity framework
    • Incident response cycle
    • Threat intelligence levels, models, and uses
    • The OODA loop for defenders
    • Diamond model
    • Attack modeling, graph/list thinking, attack trees
    • Pyramid of pain
  • Structured Analysis Techniques
    • Compensating for memory and perception issues
    • System 1 vs. system 2 thinking and battling tacit knowledge
    • Data-driven vs. concept-driven analysis
    • Structured analytic techniques
    • Idea generation and creativity, hypothesis development
    • Confirmation bias avoidance
    • Analysis of competing hypotheses
    • Diagnostic reasoning
    • Link analysis, event charting, event matrices
  • Analysis Tactics and OPSEC
    • Where to start
    • Evidence types
    • Alternative sources of network and host information
    • OPSEC vs. your threat model
    • Traffic light protocol and intel sharing
    • Permissible action protocol
    • Common OPSEC failures and how to avoid them
  • Network, File, and Event Alerts
    • Common delivery and exploit stage alerts
    • Common post-exploitation stage alerts
    • Common alert types by data source
    • File investigation
    • Hacking tools
    • Incident artifacts
    • Analyzing network events
    • Layer 3, 4, and 7 metadata and content inspection
    • Evil vs. hacked sites
    • Analysis of threat intelligence matches
    • Email-based attacks
    • Malicious attachment types
    • Assessing malicious links
    • Targeted vs. opportunistic attack alerts
    • Identifying and stopping business email compromise
  • Intrusion Discovery
    • Dwell time and intrusion type
    • Discerning attacker motivation
    • Assessing business risk
    • Choosing an appropriate response
    • Reacting to opportunistic/targeted attacks
    • Common missteps in incident response
  • Incident Closing and Quality Review
    • Steps for closing incidents
    • Quality review and peer feedback
    • Analytical completeness checks
    • Closed case classification
    • Attribution
    • Maintaining quality over time
    • Premortem and challenge analysis
    • Peer review, red team, team A/B analysis, and structured self-critique

Repetitive tasks, lack of empowerment or challenges, poorly designed manual processes -- analysts know these pains all too well. While these are just some of the common experiences in day-to-day work, they are major contributing factors to unhappiness and burnout that can cause turnover in a SOC. Do things have to be this way? Of course not, but it will take some understanding and work on your part to do things differently. This day focuses squarely on improving the efficiency and enthusiasm of working in SOCs by tackling the most common problems head on. Through process optimization, careful analytic design and tuning, and workflow efficiency improvements, we can eliminate many of these common pain points. This frees us from the repetitive work we loathe and allows us to focus on what we do best -- analysis! Having the time for challenging and novel work leads to a virtuous cycle of growth and engagement throughout the SOC -- and improving everyone's life in the process.

This day will focus on tuning your tools using clever analysis techniques and process automation to remove the monotonous and non-value-added activities from your day. We also cover containment activities, including the tools you can use and how to decide how to halt a developing incident or infection from the host or network angle. We'll wrap up the day with recommendations on skill growth, long-term career development, and how to get more involved in the cyber defense community.

CPE/CMU Credits: 6

  • Improving Life in the SOC
    • Expectations vs. common reality
    • Burnout and stress avoidance
    • Improvement through SOC human capital theory
    • The role of automation, operational efficiency, and metrics in burnout
    • Other common SOC issues
  • Analytic Features and Enrichment
    • Goals of analytic creation
    • Log features and parsing
    • High-feature vs. low-feature logs
    • Improvement through SIEM enrichment
    • External tools and other enrichment sources
  • New Analytic Design, Testing, and Sharing
    • Tolerance to false positives/negatives
    • The false positive paradox
    • Types of analytics
    • Feature selection for analytics
    • Matching with threat intel
    • Regular expressions
    • Common matching and rule logic options
  • Tuning and False Positive Reduction
    • Dealing with alert and runaway queues
    • How many analysts should you have?
    • Unneeded rules
    • Tuning from default rulesets
    • Low-priority alerts
    • Low-fidelity alerts
    • Log field statistical analysis
    • Using policy to raise fidelity
    • Sensitivity vs. specificity
    • Automation and fast lanes
  • Automation and Orchestration
    • The definition of automation vs. orchestration
    • What is SOAR?
    • SOAR product considerations
    • Common SOAR use cases
    • Enumeration and enrichment
    • Response actions
    • Alert and case management
    • The paradox of automation
    • DIY scripting
  • Improving Operational Efficiency and Workflow
    • Micro-automation
    • Form filling
    • Text expanders
    • Email templates
    • Smart keywords
    • Browser plugins
    • Text caching
    • JavaScript page modification
    • OS Scripting
  • Containing Identified Intrusions
    • Containment and analyst empowerment
    • Isolation options across network layers -- physical, link, network, transport, application
    • DNS firewalls, HTTP blocking and containment, SMTP
    • Host-based containment tools
  • Skill and Career Development
    • Learning through conferences, capture-the-flag challenges, and podcasts
    • Home labs
    • Writing and public speaking
    • Techniques for mastery and continual progress

The course culminates in a team-based design, detect, and defend the flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will be challenged to progress through multiple levels and missions designed to ensure mastery of the concepts and data covered during the course.

CPE/CMU Credits: 6

Additional Information

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS is not responsible for your system or data.

Baseline Hardware Requirements


  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."


  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.


  • At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.


  • 8 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."

Hard Drive Free Space

  • 60 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Your system must be running either Windows 10 or macOS 10.12 or higher.

Additional Hardware Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.


  • You will need a pair of headphones to listen, in the classroom, to the audio and video provided with this course.

Network, Wireless Connection

  • A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

VMware Player

  • Install VMware Player 12, VMware Fusion 8, or VMware Workstation 12 (higher versions are also OK). Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V or VirtualBox, are not supported and will not work with the course material.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

This course is intended for those who are early in their career or new to working in a SOC environment, including:

  • Security Analysts
  • Incident Investigators
  • Security Engineers and Architects
  • Technical Security Managers
  • SOC Managers looking to gain additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC
  • Anyone looking to start their career on the blue team

A basic understanding of TCP/IP and general operating system fundamentals is needed for this course. Being accustomed to the Linux command-line, network security monitoring, and SIEM solutions is a bonus. Some basic entry-level security concepts are assumed.

  • Custom distribution of the Linux Virtual Machine containing a pre-built simulated SOC environment
  • MP3 audio files of the complete course lecture
  • Introduction and walk-through videos of labs
  • USB 3.0 stick that includes the above and more

It is our belief that hands-on training is a crucial component of classroom learning, so each day of this course will include multiple hands-on exercises. To achieve the most realistic scenario possible, the class virtual machine is loaded with all the tools typically used in a SOC. Students will be introduced to the concepts, interconnections, and workflow associated with each of those tools. Throughout the class we will utilize a SIEM, threat intelligence platform, incident management and ticketing system, automation and orchestration tools, full packet capture and analysis software, as well as multiple command line, open-source intelligence, and analysis tools. All of these tools have been set up and integrated to work with each other in order to re-create the workplace environment as closely as possible, allowing students to gain experience that they can directly translate to their own setup when they get back to the office.

Some of the highlights of what students will learn include:

  • How SIEM, threat intelligence platforms, incident management systems, and automation should connect and work together to provide a painless workflow for analysts
  • Analysis of common alert types including HTTP(S), DNS, and email-based attacks
  • Identification of post-exploitation attacker activity
  • Mental models for understanding alerts and attack patterns that can help to effectively prioritize alerts
  • How to perform high-quality, bias-free alert analysis and investigation
  • How to identify the most high-risk alerts, and quick ways to verify them
  • How logs are collected throughout the environment and the importance of the SIEM's parsing, enrichment, and correlation capabilities
  • How to create and tune threat detection analytics to eliminate false positives

Author Statement

"As someone who has held every position from entry-level analyst to SOC manager at a 100,000-employee company, I thoroughly understand the struggle of starting your first position in cyber defense. While there is a seemingly infinite amount of information to learn, there are certain central concepts that, when explained systematically, can greatly shorten the time required to become a productive member of the team. This course was written to pass this knowledge on to you, giving you both the high- and low-level concepts required to propel your career in cyber defense. It's packed with the concepts that I expected new employees to understand, as well as the thought process we tried to cultivate throughout analysts' careers to ensure the success of the individual and the organization. I have also worked hard to distill the lessons I've learned through the years on staying excited and engaged in cyber defense work. While some believe SOC positions can feel like a grind, they do not need to be that way! This course goes beyond technical knowledge to also teach the concepts that, if implemented in your SOC, will keep you and your colleagues challenged, happy, and constantly growing in your day-to-day work, leading to a successful, life-long career on the blue team!"

John Hubbard


Price Options
7,020 USD