Overview
This one-day course teaches you how to use the VMware Carbon Black® EDR™ product during incident response. Using the SANS PICERL framework, you will configure the server and perform an investigation on a possible incident. This course provides guidance on using Carbon Black EDR capabilities throughout an incident with an in-depth, hands-on, scenario-based lab.
Prerequisites
This course requires completion of the following course:
Who Should Attend?
Security operations personnel, including analysts and incident responders
Course Outline
- Introductions and course logistics
- Course objectives
- Framework identification and process
- Implement the Carbon Black EDR instance according to organizational requirements
- Use initial detection mechanisms
- Process alerts
- Proactive threat hunting
- Incident determination
- Incident scoping
- Artifact collection
- Investigation
- Hash banning
- Removing artifacts
- Continuous monitoring
- Rebuilding endpoints
- Getting to a more secure state
- Tuning Carbon Black EDR
- Incident close out
