Novell Sentinel Training Day 2

What a day! I have a headache, though not because of the material or anything. Before I talk about what we did today, I was thinking of sharing some use cases with you on where Sentinel would be highly beneficial to have. Imagine someone who is not an administrator attempts to log in as administrator; wouldn’t you want to know? Or what if there were repeated login failures on a very important server, or someone was trying to access a port which was designated for something important? Or imagine an administrator assigns a non-administrator certain rights which are out of the ordinary; you might want to know. An example that came up in class: someone logs in at a bank, withdraws or transfers a large amount of cash, and then changes their password. If a combination of such events happened, imagine having a rule in place where an alert was triggered. All of these use cases were mentioned in the training so far.

Today we spent a lot of time writing correlation rules and learning the syntax (expressions and other things) which is unique to the Sentinel product. We also spent a large amount of time learning the administrative tools.
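The bank use case above (login, large withdrawal or transfer, then password change) can be sketched as a per-user sequence correlation. This is an added example in Python, not Sentinel's own rule syntax and not material from the class; the event field names, the threshold, the time window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2008-10-09T09:00:00", "user": "alice", "type": "login"},
    {"ts": "2008-10-09T09:02:00", "user": "alice", "type": "transfer", "amount": 50000},
    {"ts": "2008-10-09T09:03:00", "user": "bob", "type": "login"},
    {"ts": "2008-10-09T09:04:00", "user": "bob", "type": "withdrawal", "amount": 200},
    {"ts": "2008-10-09T09:05:00", "user": "alice", "type": "password_change"},
    {"ts": "2008-10-09T09:06:00", "user": "bob", "type": "password_change"},
    {"ts": "2008-10-09T10:00:00", "user": "carol", "type": "login"},
    {"ts": "2008-10-09T10:01:00", "user": "carol", "type": "withdrawal", "amount": 90000},
    {"ts": "2008-10-09T13:00:00", "user": "carol", "type": "password_change"},
]

def correlate(events, threshold=10000, window=timedelta(minutes=30)):
    """Return one alert per user who logs in, moves >= threshold, then
    changes their password, all within `window` of the login."""
    state = {}   # user -> {"login": datetime, "tx": large-transaction event or None}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        user, kind = ev["user"], ev["type"]
        if kind == "login":
            state[user] = {"login": ts, "tx": None}   # a new login restarts the sequence
            continue
        s = state.get(user)
        if s is None:
            continue                                  # no login seen for this user
        if ts - s["login"] > window:
            del state[user]                           # sequence took too long; drop it
            continue
        if kind in ("withdrawal", "transfer") and ev.get("amount", 0) >= threshold:
            s["tx"] = ev                              # step 2 of the sequence matched
        elif kind == "password_change" and s["tx"] is not None:
            alerts.append({"user": user, "login": s["login"].isoformat(),
                           "amount": s["tx"]["amount"], "password_change": ev["ts"]})
            del state[user]                           # alert once per matched sequence
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

With the defaults only alice's sequence fires: bob's withdrawal is under the threshold and carol's password change falls outside the 30-minute window, which shows how the threshold and window choices decide what the rule catches.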

Due to my headache, I'll be more detailed in the next post.

9 Oct 2008
