
This material has been designed to be taught in a classroom environment... hands-on 80% + talk 40% + slides 0% = 120% hard work

The online material is missing some of the contextual concepts and ideas that will be covered in class.

This course holds ~5 days of material for any intermediate-level dev-ops who has some experience with other security|monitoring tools and wants to learn Arkime. We believe these classes are perfect for anyone who wants a jump start in learning Arkime or who wants a more thorough understanding of its internals.

Analyzing the most recent Locked Shields dataset is an added bonus all participants get. Furthermore, in the class we've also had dedicated sessions by LS red teamers shining a light on what sneaky things they did in the recent exercise.

Arkime is a large-scale, open source, full packet capturing, indexing, and database system.

Arkime was formerly named Moloch, so the materials on this site may still refer to it as Moloch in various ways or forms. Same holds true for the Arkime codebase. Arkime is not meant to replace Intrusion Detection Systems (IDS). Arkime augments your current security infrastructure by storing and indexing network traffic in standard PCAP format, while also providing fast indexed access.

The provided timeline is preliminary and will develop according to the actual progress of the class. On-site participation only.

Attention: Initial start time of 13:00 has changed to 09:00 as communicated via e-mail.

Day 1 :: Intro, singlehost, basic Viewer usage :: June 15 2026 :: 09:00 Local time

Day 2 :: Install, basic configuration :: June 16 2026

Day 3 :: Advanced configuration, enrichment :: June 17 2026

Day 4 :: Suricata, SSL/TLS proxy :: June 18 2026

Day 5 :: Last but not least :: June 19 2026, ends at 12:00

Orphan topics: topics from previous iterations that we might or might not cover

For trying out locally -- not needed for classroom!


Before You Come To Class