

Administering Splunk Enterprise Security

Course Description

This 13.5-hour course prepares architects and systems administrators to install, configure and manage Splunk Enterprise Security. It covers ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations.

Prerequisite Knowledge

To be successful, students should have a solid understanding of the material covered in the following courses:


  • What is Splunk?
  • Intro to Splunk
  • Using Fields
  • Scheduling Reports and Alerts
  • Visualizations
  • Leveraging Lookups and Subsearches
  • Search Under the Hood
  • Introduction to Knowledge Objects
  • Creating Knowledge Objects
  • Creating Field Extractions
  • Enriching Data with Lookups
  • Data Models
  • Introduction to Dashboards
  • Dynamic Dashboards

Or the following legacy courses:


  • Splunk Fundamentals 1
  • Splunk Fundamentals 2

Students should also be familiar with the material in the following advanced courses:


  • Splunk System Administration
  • Splunk Data Administration
  • Architecting Splunk Enterprise Deployments (recommended but not required)

Course Topics

  • Monitoring and Investigation
  • Security Intelligence  
  • Forensics, Glass Tables and Navigation Control  
  • ES Deployment  
  • Installation and Configuration  
  • Validating ES Data 
  • Custom Add-ons 
  • Tuning Correlation Searches  
  • Creating Correlation Searches  
  • Lookups and Identity Management 
  • Threat Intelligence Framework 

Course Objectives

Module 1 – ES Introduction 
  • Overview of ES features and concepts
Module 2 – Monitoring and Investigation 
  • Security Posture
  • Incident Review
  • Notable events management
Module 3 – Security Intelligence 
  • Overview of security intel tools
Module 4 – Forensics, Glass Tables and Navigation Control 
  • Explore forensics dashboards
  • Examine glass tables
  • Configure navigation and dashboard permissions
Module 5 – ES Deployment 
  • Identify deployment topologies
  • Examine the deployment checklist
  • Understand indexing strategy for ES
  • Understand ES Data Models
Module 6 – Installation and Configuration 
  • Prepare a Splunk environment for installation
  • Download and install ES on a search head
  • Test a new install
  • Understand ES Splunk user accounts and roles
  • Post-install configuration tasks
Module 7 – Validating ES Data
  • Plan ES inputs
  • Configure technology add-ons
Module 8 – Custom Add-ons
  • Design a new add-on for custom data
  • Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches 
  • Configure correlation search scheduling and sensitivity
  • Tune ES correlation searches
Module 10 – Creating Correlation Searches 
  • Create a custom correlation search
  • Configure adaptive responses
  • Export and import correlation searches
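As an added illustration of what Modules 9 and 10 cover (this is not course material and not Splunk's own content), here is a constructed savedsearches.conf stanza for a custom ES correlation search, showing the scheduling, throttling, threshold and adaptive-response settings that tuning typically touches. The stanza name, the search logic, the thresholds and the notable and risk parameter values are assumptions chosen for illustration; setting names and accepted values differ between ES releases, so check the savedsearches.conf.spec shipped with your ES version before copying any of this into production. In practice ES Content Management writes these settings for you, but reading the resulting stanza is the quickest way to see what each UI control actually changes.

```ini
# Constructed example: a custom ES correlation search as stored in
# savedsearches.conf (normally written by ES Content Management).
# Stanza name, thresholds and parameter values are illustrative assumptions.
[Custom - Password Spraying by Source - Rule]
# Mark the saved search as an ES correlation search
action.correlationsearch.enabled = 1
action.correlationsearch.label   = Custom - Password Spraying by Source
description = Flags a single source producing failed logins against many accounts

# Scheduling: run every 10 minutes over a window that lags real time so
# late-arriving events are still counted; continuous scheduling
# (realtime_schedule = 0) makes Splunk backfill skipped runs instead of
# dropping them.
enableSched            = 1
cron_schedule          = */10 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time   = -10m@m
realtime_schedule      = 0
schedule_window        = auto

# Search: query the accelerated Authentication data model with tstats.
# ES technology add-ons normalize raw authentication events into this model,
# which is why the correlation search never touches raw sourcetypes.
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication \
    where Authentication.action="failure" by Authentication.src, Authentication.user \
  | rename Authentication.* as * \
  | stats sum(count) as failures, dc(user) as targeted_users by src \
  | where failures >= 100 AND targeted_users >= 10

# Sensitivity: fire whenever the search returns at least one row; the real
# thresholds are the numbers in the `where` clause above.
alert_type       = number of events
alert_comparator = greater than
alert_threshold  = 0

# Throttling: suppress repeat notables for the same src for 12 hours.
alert.suppress        = 1
alert.suppress.fields = src
alert.suppress.period = 12h

# Adaptive response 1: create a notable event in Incident Review.
action.notable = 1
action.notable.param.rule_title       = Password spraying from $src$
action.notable.param.rule_description = $failures$ failed logins against $targeted_users$ accounts from $src$
action.notable.param.security_domain  = access
action.notable.param.severity         = high

# Adaptive response 2: add risk to the source system. The risk modifier
# key names changed across ES releases; this is the classic single-object
# form, so verify against your version's spec file.
action.risk = 1
action.risk.param._risk_object      = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score       = 40
```

Place the stanza in a custom app's local/ directory on the ES search head and reload the configuration. To confirm the search is actually being scheduled and run, check Content Management in ES or search the scheduler logs, for example `index=_internal sourcetype=scheduler savedsearch_name="Custom - Password Spraying by Source - Rule"`; notables it produces appear in `index=notable`. When tuning, adjust the `where` thresholds and the `alert.suppress.period` first, and widen `dispatch.earliest_time` only if the scheduler log shows the search regularly missing late data.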
Module 11 – Lookups and Identity Management 
  • Identify ES-specific lookups
  • Understand and configure lookup lists
Module 12 – Threat Intelligence Framework 
  • Understand and configure threat intelligence
  • Configure user activity analysis