Skip to main content


Administering Splunk Enterprise Security

Course Description

This 13.5 hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.

Instructor-led Training Schedule

Prerequisite Knowledge

To be successful, students should have a solid understanding of the following:

if on-prem:

  • Splunk Enterprise System Administration
  • Splunk Enterprise Data Administration

if on cloud:

  • Splunk Cloud Administration

and the following single-subject courses:

  • What is Splunk?
  • Intro to Splunk
  • Using Fields
  • Visualizations
  • Search Under the Hood
  • Intro to Knowledge Objects
  • Introduction to Dashboards
  • Creating Knowledge Objects
  • Enriching Data with Lookups
  • Data Models

The above single-subject courses may be replaced with prior completion of the following legacy courses:

  • Splunk Fundamentals 1
  • Splunk Fundamentals 2

Course Topics

  • Examine how ES functions including data models, correlation searches, notable events, and dashboards
  • Create custom correlation searches
  • Customize the Investigation Workbench
  • Learn how to install or upgrade ES
  • Learn the steps to setting up inputs using technology add-ons
  • Fine tune ES Global Settings
  • Customize risk and configure threat intelligence

Course Objectives

Module 1 – ES Introduction 
  • Review how ES functions
  • Understand how ES uses data models
  • Configure ES roles and permissions
Module 2 – Security Monitoring
  • Customize the Security Posture and Incident Review dashboards
  • Create ad hoc notable events
  • Create notable event suppressions
Module 3 – Risk-Based Alerting
  • Explain Risk-Based Alerting
  • Explain risk scores
  • Review the Risk Analysis dashboard
  • Use annotations
Module 4 – Incident Investigation
  • Review the Investigations dashboard
  • Customize the Investigation Workbench
  • Manage investigations
Module 5 – Installation
  • Prepare a Splunk environment for installation
  • Download and install ES on a search head
  • Test a new install
  • Post-install configuration tasks
Module 6 – Initial Configuration
  • Set general configuration options
  • Add external integrations
  • Configure local domain information
  • Customize navigation
  • Configure Key Indicator searches
Module 7 – Validating ES Data
  • Verify data is correctly configured for use in ES
  • Validate normalization configurations
  • Install additional add-ons
Module 8 – Custom Add-ons
  • Design a new add-on for custom data
  • Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches 
  • Configure correlation search scheduling and sensitivity
  • Tune ES correlation searches
Module 10 – Creating Correlation Searches
  • Create a custom correlation search
  • Manage adaptive responses
  • Export/import content
Module 11 – Asset & Identity Management
  • Review the Asset and Identity Management interface
  • Describe Asset and Identity KV Store collections
  • Configure and add asset and identity lookups to the interface
  • Configure settings and fields for asset and identity lookups
  • Explain the asset and identity merge process
  • Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 – Managing Threat Intelligence
  • Understand and configure threat intelligence
  • Use the Threat Intelligence Management interface to configure a new threat list