Category | Description | Status | Details
Architecture | Learn which modules exist
Logging | Learn where you can find information
Upgrade | Learn the upgrade process
Device Profile | Define WMI profile
Device | Connect Syslog device
Device | Connect Checkpoint device
Device | Connect Windows server
Enrichment | Create LDAP enrichment that adds the display name of the user
Watchlist | Create LDAP watchlist that contains the domain admins
Watchlist | Create LDAP watchlist that contains all disabled users
Watchlist | Create HTTP watchlist that contains IPs from https://zeustracker.abuse.ch/blocklist.php?download=badips
Watchlist | Create static watchlist with a value TTL of 2 weeks for source username
Watchlist | Create static watchlist with a value TTL of 2 weeks for source IPs
Watchlist | Create static watchlist with built-in Active Directory groups
Dashboard | Create monitor dashboard (a monitor dashboard usually shows trends over time)
Dashboard | Create analyst dashboard (an analyst usually drills down from chart to chart)
Report | Create manager report covering all devices that are connected to the ESM
Report | Create Windows summary with the information you think is relevant
Correlations | Create the rule "Admin group additions" for Windows source
Correlations | Create the rule "Admin group removal" for Windows source
Correlations | Create the rule "Audit log cleared" for Windows source
Correlations | Create the rule "Disabled user tried to login" for Windows source
Correlations | Create the rule "Multiple lockouts" for Windows source
Correlations | Create the rule "Password change for admin" for Windows source
Correlations | Create the rule "User disabled" for Windows source
Correlations | Create the rule "User enabled" for Windows source
Correlations | Create the rule "Attempt to reset generic admin account" for Windows source
Correlations | Create the rule "Bruteforce" for Windows source
Correlations | Create the rule "Generic admin account action" for Windows source
Correlations | Create the rule "Multiple failed logon station" for Windows source
Correlations | Create the rule "Multiple failed logon user" for Windows source
Correlations | Create the rule "Multiple failed logon administrative credentials" for Windows source
Correlations | Create the rule "Multiple logon user" for Windows source
Correlations | Create the rule "Multiple logon station" for Windows source
Correlations | Create the rule "Multiple user deletions" for Windows source
Correlations | Create the rule "Admin user locked" for Windows source
Correlations | Create the rule "User created" for Windows source
Correlations | Create the rule "User deleted" for Windows source
Correlations | Create the rule "User Created and Deleted in 30 min" for Windows source
Correlations | Create the rule "Denial of service" for FW source
Correlations | Create the rule "Internet not via proxy" for FW source (the proxy will be 172.16.10.1)
Correlations | Create the rule "IP scan" for FW source
Correlations | Create the rule "Login by unallowed user" for FW source
Correlations | Create the rule "Multiple geolocation violation" for FW source
Correlations | Create the rule "Policy change after work hours" for FW source
Correlations | Create the rule "Port scan horizontal" for FW source
Correlations | Create the rule "Port scan vertical" for FW source
Correlations | Create the rule "SMTP not via Exchange" for FW source (try to identify the Exchange server, if there is one)
Correlations | Create the rule "Virus spreading" for AV source (use normalization)
Correlations | Create the rule "Virus found" for AV source (use normalization)
Correlations | Create the rule "Another virus (7 days)" for AV source (use normalization)
Correlations | Create the rule "Virus found on server" for AV source (use normalization)
Correlations | Create the rule "Virus found with administrative credentials" for AV source (use normalization)
Correlations | Create the rule "Virus event & Sensitive Port" for AV & FW source (use normalization)
Correlations | Create the rule "Virus event & Malicious Connect" for AV & GTI source (use normalization)
Correlations | Create the rule "Virus event & Multiple lockout" for AV & Windows source (use normalization)
Correlations | Create the rule "Highly Infected Station" for AV source (use normalization)
Alerts | Create an alert for each correlation you created
Alerts | Define auto-acknowledge for "Virus found"
Alerts | Define addition to the relevant watchlists for "Virus found"
Alerts | Configure a report to be sent automatically when "Virus spreading" fires (with all virus information from the last 24 h)
Alerts | Create email template for "Admin group additions" that contains all the relevant information
Alerts | Create alert for system failure
Alerts | Create alert for inactive systems
Assets | Configure the AD on 172.16.50.165 as asset source for the receiver
MEF | Install MEF agent on 172.16.50.165
MEF | Configure MEF source on the ESM side that will get logs from 172.16.50.165
Parser | Create a parser for DEVICETYPE1
Parser | Create a parser for DEVICETYPE2
Parser | Create a parser for DEVICETYPE3
Certification | Finish Security Architect Certification (McAfee site)
Certification | Finish Enterprise Security Manager (SIEM) 9.4 Essentials (Technical) Certification (McAfee site)
Certification | Finish Security Information and Event Management 9.5 Delta Session I (Technical) Certification (McAfee site)
Certification | Finish Security Information and Event Management 9.5.1 Dev-led Delta KT (Technical) Certification (McAfee site)
Description
Learn the system structure and services
Learn which modules exist
Learn where you can find information
Learn the upgrade process
Review Administration module
Review Health and Wellness
Review Services
Review Log Collector service
Connect Syslog device
Connect Checkpoint device
Connect Windows server 172.16.50.164/165
Review Investigation module
Add new profile in Investigation
Add new meta group
Download sample of raw log evidence
Create new file collection type (copy an existing file and edit the content)
Create new ODBC collection type (copy an existing file and edit the content)
Review Reporting module (understand rules, reports, charts)
Create monitor dashboard (a monitor dashboard usually shows trends over time)
Create analyst dashboard (an analyst usually drills down from chart to chart)
Create report based on event count
Create Windows summary with the information you think is relevant
Review Alert module / ESA Rules module
Create the alert "Admin group additions" for Windows source
Create the alert "Admin group removal" for Windows source
Create the alert "Audit log cleared" for Windows source
Create the alert "Multiple lockouts" for Windows source
Create the alert "Password change for admin" for Windows source
Configure rules to send mail
Configure new incident based on ESA rule triggered
Review Decoder service
Create a new parser using the ESI tool
Review Live module
Add a new feed
Download content from Live
Add new subscription
Create the rule "User disabled" for Windows source
Create the rule "User enabled" for Windows source
Create the rule "Attempt to reset generic admin account" for Windows source
Create the rule "Bruteforce" for Windows source
Create the rule "Generic admin account action" for Windows source
Create the rule "Multiple failed logon station" for Windows source
Create the rule "Multiple failed logon user" for Windows source
Create the rule "Multiple failed logon administrative credentials" for Windows source
Create the rule "Multiple logon user" for Windows source
Create the rule "Multiple logon station" for Windows source
Create the rule "Multiple user deletions" for Windows source
Create the rule "Admin user locked" for Windows source
Create the rule "User created" for Windows source
Create the rule "User deleted" for Windows source
Create the rule "User Created and Deleted in 30 min" for Windows source
Create the rule "Denial of service" for FW source
Create the rule "IP scan" for FW source
Create the rule "Login by unallowed user" for FW source
Create the rule "Multiple geolocation violation" for FW source
Create the rule "Policy change after work hours" for FW source
Create the rule "Port scan horizontal" for FW source
Create the rule "Port scan vertical" for FW source
Create the rule "SMTP not via Exchange" for FW source (try to identify the Exchange server, if there is one)
Create the rule "Virus spreading" for AV source (use normalization)
Create the rule "Virus found" for AV source (use normalization)
Create the rule "Virus found on server" for AV source (use normalization)
Create the rule "Virus found with administrative credentials" for AV source (use normalization)
Create the rule "Virus event & Sensitive Port" for AV & FW source (use normalization)
Create the rule "Virus event & Malicious Connect" for AV & GTI source (use normalization)
Create the rule "Virus event & Multiple lockout" for AV & Windows source (use normalization)
Create the rule "Highly Infected Station" for AV source (use normalization)
More Info
Decoder, Concentrator, Log Collector, ESA, Archiver, VLC, Legacy Collector
Investigation, Reporting, Dashboards, Incidents, Administration, ESA Rules
RSAPortal, Case Management, DownloadCentral
Install 10.6 / 11 image in lab (downloaded from DownloadCentral)
Concentrator, Decoder, Collector
Write advanced queries, drill down into events, know the meta keys reference and their uses
Located in /etc/netwitness/ng/logcollection/content/file/; explanation: https://community.rsa.com/docs/DOC-54570
Located in /etc/netwitness/ng/logcollection/content/ODBC/; edit the query and max value, understand the concept
Create Denied Traffic dashboard based on FW over 24 h
Create dashboard for virus distribution by hostname
Example: failed logons by user -> User/Count, displayed as tabular/pie
Rule library, Basic Rule Builder, Advanced Rule Builder
Config: Enabled Parsers
Download the ESI tool from RSAPortal
Category | Description | Status | Details
Architecture | Learn which modules exist
Logging | Learn where you can find information
Upgrade | Learn the upgrade process
Device | Connect Syslog device
Device | Connect Checkpoint device
Device | Connect Windows server
Dashboard | Create monitor dashboard (a monitor dashboard usually shows trends over time)
Dashboard | Create analyst dashboard (an analyst usually drills down from chart to chart)
Report | Create manager report covering all devices that are connected to the ESM
Report | Create Windows summary with the information you think is relevant
Correlations | Create the rule "Admin group additions" for Windows source
Correlations | Create the rule "Admin group removal" for Windows source
Correlations | Create the rule "Audit log cleared" for Windows source
Correlations | Create the rule "Multiple lockouts" for Windows source
Correlations | Create the rule "Password change for admin" for Windows source
Correlations | Create the rule "User disabled" for Windows source
Correlations | Create the rule "User enabled" for Windows source
Correlations | Create the rule "Attempt to reset generic admin account" for Windows source
Correlations | Create the rule "Bruteforce" for Windows source
Correlations | Create the rule "Generic admin account action" for Windows source
Correlations | Create the rule "Multiple failed logon station" for Windows source
Correlations | Create the rule "Multiple failed logon user" for Windows source
Correlations | Create the rule "Multiple failed logon administrative credentials" for Windows source
Correlations | Create the rule "Multiple logon user" for Windows source
Correlations | Create the rule "Multiple logon station" for Windows source
Correlations | Create the rule "Multiple user deletions" for Windows source
Correlations | Create the rule "Admin user locked" for Windows source
Correlations | Create the rule "User created" for Windows source
Correlations | Create the rule "User deleted" for Windows source
Correlations | Create the rule "User Created and Deleted in 30 min" for Windows source
Correlations | Create the rule "Denial of service" for FW source
Correlations | Create the rule "IP scan" for FW source
Correlations | Create the rule "Login by unallowed user" for FW source
Correlations | Create the rule "Multiple geolocation violation" for FW source
Correlations | Create the rule "Policy change after work hours" for FW source
Correlations | Create the rule "Port scan horizontal" for FW source
Correlations | Create the rule "Port scan vertical" for FW source
Correlations | Create the rule "SMTP not via Exchange" for FW source (try to identify the Exchange server, if there is one)
Correlations | Create the rule "Virus spreading" for AV source (use normalization)
Correlations | Create the rule "Virus found" for AV source (use normalization)
Correlations | Create the rule "Virus found on server" for AV source (use normalization)
Correlations | Create the rule "Virus found with administrative credentials" for AV source (use normalization)
Correlations | Create the rule "Virus event & Sensitive Port" for AV & FW source (use normalization)
Correlations | Create the rule "Virus event & Malicious Connect" for AV & GTI source (use normalization)
Correlations | Create the rule "Virus event & Multiple lockout" for AV & Windows source (use normalization)
Correlations | Create the rule "Highly Infected Station" for AV source (use normalization)
Alerts | Configure offense to update watchlist
Alerts | Configure offense to send mail
Alerts | Configure new offense template
Parser | Configure new device type
Parser | Extract property
Details (reference links)
https://www.securitylearningacademy.com/local/navigator/index.php?level=sisi01
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/IBM_security_QRadar_DSM.html
https://www.ibm.com/docs/en/qsip/7.4?topic=devices-establishing-secure-communication-between-check-point-qradar
https://www.ibm.com/support/pages/qradar-agentless-windows-events-collection-using-msrpc-protocol-msrpc-faq
https://www.juniper.net/documentation/en_US/jsa7.4.0/jsa-pulse-app-guide/topics/concept/concept-pulse-app-c-qapps-pulsedashboard-dashboard-items.html
https://www.ibm.com/docs/en/qsip/7.3.2?topic=manager-managing-qradar-risk-reports
https://www.securitylearningacademy.com/local/navigator/index.php?level=embf01
Category | Description | Status | Details
Platform | Web learning
Platform | Install Triton
Platform | Triton Do/Don't
Platform | Triton basic configuration
Web Module | Install Proxy
Web Module | Create "Proxy test policy"
Web Module | Assign category to "Proxy test policy"
Web Module | Assign "Proxy test policy" to an LDAP user
Web Module | Set filters on "Proxy test policy"
Web Module | Manage permissions
Web Module | Sync Active Directory to the web cloud
Web Module | How to set up a cluster (all options)
Web Module | View and create report
Web Module | SIEM integration
Data Module | Install DLP on Triton
Data Module | Create "DLP test policy"
Data Module | Create a file fingerprint job
Data Module | Manage resources
Data Module | Create patterns & phrases
Data Module | Create file properties
Data Module | Create a discovery policy
Data Module | Configure resources
Data Module | Configure backup
Data Module | Manage incidents
Data Module | Configure mail alerts
Data Module | Assign LDAP permissions
Data Module | Deploy DLP policy
Data Module | SIEM integration
Mail Module | Install ESG
Mail Module | Configure backup
Mail Module | Set proxy server
Mail Module | Create cluster
Mail Module | Policy management
Mail Module | Adding ESG to management server
Mail Module | Adding cluster to DLP
Mail Module | Create inbound/outbound policy
Mail Module | SIEM integration
Mail Module | Personal email settings
Advanced | How to debug
Advanced | How to open a support case
Category | Description | Status | Details
Management server | Install Management Server | V | +sql
Management server | Get license | V
Management server | Create system tree / AD sync
Management server | Create new policies
Management server | Choose communication port for pre-XP/2003 clients
Management server | Uncheck "prevent full content update"
Management server | Verify LiveUpdate
Management server | Choose desired modules
Management server | Configure desired modules
Management server | Create custom install package
Management server | Deploy custom install package to a small test group
Product modules | Virus and spyware module: review policy and rules
Product modules | Firewall module: review policy and rules
Product modules | Intrusion prevention module: review policy and rules
Product modules | App and device control module: review policy and rules
Product modules | Host integrity module: review policy and rules
Product modules | LiveUpdate module: review policy and rules
Product modules | Exceptions module: review policy and rules
Product modules | MEM module: review policy and rules
Client Packages | Create custom package for Windows
Client Packages | Create custom package for Mac
Client Packages | Deploy custom package
SEP 14.1 + 14.2 | What's new, what's different
Theory | Introduction to fileless malware
Theory | Why PowerShell is so dangerous and what we can do about it
Theory | Coin miners
Theory | | | https://www.youtube.com/watch?v=sLu8N76KDNE
Category | Description | Status | Details
DAM server | Product admin guide: architecture
DAM server | Install DAM server on Windows
DAM server | Update VA definitions
DAM server | Update VA security definitions
DAM server | AD sync
DAM server | Email and syslog configuration
DAM server | Ports and flow
DAM server | Alert tab
DAM server | Vpatch rules + exceptions
DAM server | Custom rules + exceptions
DAM server | Shared memory monitor
DAM server | Network monitor
DAM server | Build reports using custom rules
DAM server | Build reports using vpatch rules
DAM server | SQL language: how to
DAM sensor | Install and remove sensor on Windows system
DAM sensor | Install and remove sensor on Linux system
DAM sensor | Install and remove sensor on Unix system
DAM sensor | Ports and flow
Debug | Logs location
Debug | Open service ticket with support
Theory | Introduction to SQLmap
Category | Description | Status | Details
appliance | Install ATP OVA + requirements
appliance | Install ATP license
appliance | ATP endpoint: what it is
appliance | ATP network: what it is
appliance | ATP mail: what it is
appliance | ATP endpoint: connect to Symantec manager DB
appliance | ATP network: connect to backbone TAP/inline
appliance | ATP mail: connect to Symantec Email Security.cloud
management | Sync AD
management | Configure mail, syslog
management | Introduction to Dashboard
management | Introduction to Events
management | Introduction to Incident manager
management | Introduction to Policies
management | Introduction to Reports
management | Events and incidents
management | Create whitelist for specific process
management | Create blacklist for specific process
management | Send file to Cynic
management | Get PC full dump
management | Investigate an incident
Details
Only inline can prevent
Category | Description | Status | Details
management server install | Download files with customer GRANT
management server install | Install ePO server + SQL
management server install | Install ePO license
management server config | Configure AD sync
management server config | Introduction to system tree (all tabs)
management server config | Install and configure McAfee Agent
management server config | Install extensions for desired products
management server config | Install packages for desired products
policy and deployments | Configure policy
policy and deployments | Assign policy to relevant group
policy and deployments | Deploy to small test group
policy and deployments | Client tasks
policy and deployments | Client task assignment rules
policy and deployments | Policy assignment + policy assignment rules
policy and deployments | Policy inheritance
policy and deployments | Server tasks
Queues and reports | What is a queue
Queues and reports | What is a report
Queues and reports | Using in server tasks
Queues and reports | Using in automatic responses
server tasks | What should we enable?
automatic responses | What should we enable?
McAfee ENS platform | Deploy and policy modification
McAfee ENS threat prevention | Deploy and policy modification
McAfee ENS adaptive | Deploy and policy modification
McAfee ENS firewall | Deploy and policy modification
McAfee device control | Plug and play policy
McAfee device control | Removable storage policy
McAfee device control | Definition
McAfee device control | Policy, rule sets and rules
McAfee for Exchange | Initial configuration and deployment
McAfee for Storage | Initial configuration and deployment
McAfee Agent Handler | How to set up, repository configuration + ports
| Introduction to ECO system
McAfee TIE | Solution basics and initial configuration
McAfee DXL | Solution basics and initial configuration
McAfee DXL fabric | What is the fabric, how to merge a few brokers
McAfee ATD + vATD | Solution basics and initial configuration
McAfee MAR | Solution basics and initial configuration
McAfee MAR | Workspace + cloud bridge
McAfee MAR | Active Response search
Details
SQL user preparation
default+
default+
On access & exploit prevention
DAC + Real Protect
Block bridge
Category | Description | Status | Details
ESM core | Role of ESM core
ESM core | Do's / Don'ts
ESM core | How to install
ESM core | How to configure
ESM core | How to enable SSL
ESM console | Role of ESM console
ESM console | Do's / Don'ts
ESM console | How to install
ESM console | How to configure
ESM console | How to enable SSL
ESM console | License and API key for WildFire
Exploit Module | What is EPM?
Exploit Module | Configure EPM
Exploit Module | Exclusions and whitelisting
Exploit Module | EPM v2 release notes
Malware Module | Restrictions: what are they? How to edit?
Malware Module | Hash verdicts
Malware Module | Upload sample to sandbox
Malware Module | Read / understand sandbox report
Local Analysis | What is it? Why?
Local Analysis | Whitelisting: how to?
Local Analysis | Content version
Local Analysis | Hash control module
WildFire | What does WildFire provide?
WildFire | How to configure
WildFire | Max size limit
WildFire | Pros / cons
WildFire | Quarantine folder
WildFire | With AutoFocus
Multi ESM | How to
Multi ESM | Limitations
Multi ESM | Load balance / redundancy
Client Agent | Install and configure
Client Agent | Service protection
Client Agent | User alerts
Client Agent | Uninstall password
Client Agent | Ninja mode
Traps Database | Configure and install
Theory | Attack chain
Theory | Kill chain
Theory | What is malware
Theory | What is an exploit
Theory | What is a false positive
Theory | What is a false negative
Traps 4.2 | What's new in 4.2
Traps 5 | Solution overview
Traps 5 | AD sync app: what it is and how to configure
Traps 5 | Syslog app: what it is and how to configure
Traps 5 | Migration to 5
Traps 5 | License?
Theory | Introduction to AutoFocus
Theory | Introduction to Magnifier