Security Onion 2 Detection Eng. & Analysis In-Depth (Virt.)1-4 Nov 2022

Actions Panel

Security Onion 2 Detection Eng. & Analysis In-Depth (Virt.)1-4 Nov 2022

This course equips Security Onion analysts, administrators, and engineers to identify detection gaps and develop technical solutions.

When and where

Date and time



Refund Policy

Contact the organizer to request a refund.
Eventbrite's fee is nonrefundable.

About this event

About Security Onion 2

Security Onion 2 is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes Playbook & Sigma, Fleet & Osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, Zeek, Wazuh, and many other security tools. Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

For more about Security Onion, please see

About the Course

This class uses a scenario-based approach to equip analysts, administrators, and security engineers with the skills to identify detection gaps and develop technical solutions which cover those gaps. The course is intended for graduates of the Security Onion Fundamentals class and existing Security Onion practitioners who want to get more out of their Security Onion deployment.

  • 4 full days of class instruction from the developers of Security Onion 2
  • 300+ pages of course material
  • Certificate of Completion delivered electronically

When is the class?

Tuesday, November 1, 2022, through Friday, November 4, 2022

8-hour class from 8:00 AM - 5:00 PM (Eastern Time) each day

When does registration close?

Registration closes Thursday, October 13, 2022.

Where is the class being held?

The class is being held virtually via WebEx.

What hardware, etc. will be required for the class?

Students will need a computer with a browser and Internet access.

Please check your machine's ability to participate in the course before registering:

Contact us with any questions about these requirements.

Which version of Security Onion will we be using?

Our virtual lab environment will the latest Security Onion version as of October 7, 2022.

The latest stable release can be found here:

What skills/knowledge should students have before attending this course?

Students should attend the free 2-hour Security Onion Essentials course before the first day of class. One topic covered by this course is building a Security Onion VM. Note that students do not need to build a Security Onion VM for this class. We will be using a pre-installed virtual lab.

Students should have an intermediate or higher understanding of networks, TCP/IP, and network application protocols such as DNS, HTTP, etc. 

Linux OS and command line knowledge/experience is recommended.

Basic knowledge of Windows operations and investigation artifacts is recommended.

Basic network and host intrusion analysis knowledge/experience is recommended.

Attendance at a previous Security Onion 2 Fundamentals for Analysts and Administrators class is recommended.

What's the cancellation policy?

Security Onion Solutions reserves the right to cancel this class up to one day after registration closes if the class does not meet a minimum number of students. If the class is canceled, the training ticket cost will be refunded.

What's the refund policy?

You may log into your Eventbrite account to request a refund up until the last day of ticket sales. Please use the "Request a Refund" button as shown here:

Are there discounts available?

For this course, we are offering a discount to active duty US military and active US Federal employees. We also offer discounts to members of ISSA and InfraGard. Contact us for more information.

What topics are covered in this class?

Note: Syllabus is subject to change

  • Abbreviated Architecture and Configuration
  • Administration, Optimization, and Troubleshooting
    • Managing Security Onion host firewalls
    • Performance Tuning
      • Adding more disk space
      • Implementing and reverting global/granular BPF
      • Suricata high performance settings
      • Pinning CPUs to Zeek and Suricata
      • Tuning Elasticsearch and Redis
    • Sending data to an external SIEM
  • Detection Engineering
    • Detection Engineering Cycle
    • Developing a Detection Playbook with Sigma rules
    • Building and implementing Osquery query packs
    • Zeek
      • Using Zeek scripts to carve out more than default file types
      • Implementing new Zeek scripts
    • Suricata
      • Creating custom NIDS rules
      • Using Suricata to generate metadata
      • Carving files
      • Filtering data
    • Implementing custom YARA rules in Strelka
    • Elastic Stack - Adding and parsing new data sources
    • Adding additional host visibility and telemetry
    • Integrations with external detections
  • Analysis
    • Analyst efficiencies and pivots - Security Onion Console (SOC)
    • Analyst workflows
    • Analysis with CyberChef
    • Using the Elasticsearch API - Querying Elasticsearch from the command line
    • Analyzing Zeek logs at the command line
  • Many hands-on labs and case studies