Hunting with OSSEC

Course Description

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk /etc…

Course contents

Day 1

  • Hunting & OSINT
  • OSSEC 101
  • Decoder & Rules
  • Fine tuning alerts
  • Enrichment
  • Hunting with OSSEC

Day 2

  • Hunting on Windows
  • Active-Response
  • Logging & Vizualization
  • Extra examples

Target audience

Blueteam, Security Analysts & defenders


Students are expected to have a basic knowledge of:

  • Linux & Windows system administration
  • TCP/IP networking
  • General security

To attend the training, no specific hardware is required. Labs will be provided “in the cloud” (no local VM’s). Your laptop just needs:

  • A wireless NIC
  • A SSH client
  • A RDP client (Windows Remote Desktop)
  • A browser

Trainer Biography

Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customer’s assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, threat hunting, OSINT). Besides his daily job, Xavier is also a security blogger (, a SANS Internet Storm Center Senior Handler ( and co-organizer of the BruCON ( security conference.

Twitter : @xme