SANS SEC450 Blue Team Curriculum

SANS SEC450 (Blue Team Operations & Defensive Analysis)

450.1: Blue Team Tools and Operations
1. SOC Overview
2. Defensible Network Concepts
3. Events, Alerts, Anomalies, and Incidents
4. Incident Management Systems
5. Threat Intelligence Platforms
6. SIEM and Automation

450.2: Understanding Your Network
1. Network Architecture
2. Understanding DNS
3. DNS Analysis and Attacks
4. Understanding HTTP
5. HTTP(S) Analysis and Attacks
6. Understanding SMTP and Email
7. Additional Network Protocols

450.3: Understanding Endpoints, Logs, and Files
1. Endpoint Attack Tactics
2. Endpoint Defense In Depth
3. How Windows Logging Works
4. How Linux Logging Works
5. Interpreting Important Events
6. Log Collection, Parsing, and Normalization
7. File Contents and Identification
8. Identifying and Handling Suspicious Files

450.4: Triage and Analysis
1. Alert Triage and Prioritization
2. Perception, Memory, and Investigation
3. Models and Concepts for Infosec
4. Structured Analytical Techniques
5. Analysis Questions and Tactics
6. Analysis OPSEC
7. Intrusion Discovery
8. Incident Closing and Quality Review

450.5: Continuous Improvement, Analytics, and Automation
1. Improving Life in the SOC
2. Analytic Features and Enrichment
3. New Analytic Design, Testing, and Sharing
4. Tuning and False Positive Reduction
5. Automation and Orchestration
6. Improving Operational Efficiency and Workflow
7. Containing Identified Intrusions