Course Description

This 13.5 hour course prepares architects and systems administrators to install, configure and manage Splunk Enterprise Security. It covers ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations.

Course Prerequisites

  • Splunk Fundamentals 1
  • Splunk Fundamentals 2
  • Splunk System Administration
  • Splunk Data Administration
  • Architecting Splunk Enterprise Deployments (recommended but not required)

Course Topics

  • Transforming commands and visualization
  • Filtering and formatting results
  • Correlating events
  • Knowledge objects
  • Fields (Field aliases, field extractions, calculated fields)
  • Tags and event types
  • Macros
  • Workflow actions
  • Data models
  • Splunk Common Information Model (CIM)

Course Objectives

Module 1 – ES Introduction

  • Overview of ES features and concepts

Module 2 – Monitoring and Investigation

  • Security Posture
  • Incident Review
  • Notable events management

Module 3 – Security Intelligence

  • Overview of security intel tools

Module 4 – Forensics, Glass Tables and Navigation Control

  • Explore forensics dashboards
  • Examine glass tables
  • Configure navigation and dashboard permissions

Module 5 – ES Deployment

  • Identify deployment topologies
  • Examine the deployment checklist
  • Understand indexing strategy for ES
  • Understand ES Data Models

Module 6 – Installation and Configuration

  • Prepare a Splunk environment for installation
  • Download and install ES on a search head
  • Test a new install
  • Understand ES Splunk user accounts and roles
  • Post-install configuration tasks

Module 7 – Validating ES Data

  • Plan ES inputs
  • Configure technology add-ons

Module 8 – Custom Add-ons

  • Design a new add-on for custom data
  • Use the Add-on Builder to build a new add-on

Module 9 – Tuning Correlation Searches

  • Configure correlation search scheduling and sensitivity
  • Tune ES correlation searches

Module 10 – Creating Correlation Searches

  • Create a custom correlation search
  • Configure adaptive responses
  • Search export/import

Module 11 – Lookups and Identity Management

  • Identify ES-specific lookups
  • Understand and configure lookup lists

Module 12 – Threat Intelligence Framework

  • Understand and configure threat intelligence
  • Configure user activity analysis