SANS Live Training is Available In-Person OR Live Online! Explore Upcoming Events.

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Hear me SOAR - Using Elastic, ElastAlert and TheHive in an effective purple team pipeline

  • Wednesday, November 06, 2019 at 10:30 AM EST (2019-11-06 15:30:00 UTC)
  • Please Check Back

You can now attend the webcast using your mobile device!

  

Overview

As we've seen in previous webcasts, purple teaming can be highly automated by, for example, using Caldera. Specific attacks will test your defenses and detection mechanisms in place, this is however something which is performed at a specific point in time. Now what if a certain configuration change renders your defenses useless, allowing the attack to succeed, will you notice at any point in the future? This is where continuous purple teaming comes in, at a periodic interval your defenses will be tested after which an automatic alert, based on SIGMA rules, is triggered in your case management tool leveraging ElastAlert to link your Elastic stack to The Hive. This will not only allow you to get a reassurance that the implemented defenses are still functional, but it will also allow you to streamline (and partially automate) your response to such a potential attack.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.