Duration: 2 hours
Level: Intermediate (familiarity with concepts in basic machine learning, SIEM/IDPS and CTI recommended)

Workshop outline

1. Introduction to IDPS-ESCAPE

• Overview of the IDPS-ESCAPE architecture: ADBox, Wazuh integration, and anomaly detection pipelines
• Use cases: user and entity behavior analytics (UEBA), and false-positive reduction
• Demonstration: Deploying ADBox for Multivariate Anomaly Detection
• Configure ADBox to ingest Wazuh alerts and resource metrics
• Train a custom MTAD-GAT model and monitor to detect suspicious behavior (UEBA)
• Visualize anomalies in Wazuh Dashboards and automate Wazuh alert enrichment

1. Introduction to SATRAP

• Overview of SATRAP and its application in cyber threat intelligence, plus an explanation of logic-based automated reasoning and its benefits
• Hands-On Lab: CTI analysis with SATRAP
• Setting up SATRAP in a controlled environment
• Creating and populating a CTI knowledge base
• Developing a playbook in the form of a Jupyter Notebook to demonstrate how we can benefit from the automated reasoning functions of the SATRAP Python CTI Analysis Toolbox in a step-by-step CTI investigation

1. Integration and best practices

• Strategies for integrating IDPS-ESCAPE and SATRAP with existing security systems
• Best practices for maintaining and updating these tools
• Q&A session to address participant queries and challenges

Target Audience

• SOC analysts and CTI teams seeking to enhance detection, investigation and mitigation capabilities
• Security engineers interested in SOAR automation and open-source tooling
• Researchers exploring practical applications of anomaly detection and automated reasoning
• Curious learners

Requirements

• A basic understanding of cybersecurity concepts and familiarity with security tools
• Laptop with Docker installed
• Basic Python and GNU/Linux experience (no advanced ML expertise required)