Course Content
It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.
Who should attend
This 13.5-hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES).
Certifications
This course is part of the following Certifications:
Prerequisites
To be successful, students should have a solid understanding of the following courses:
- Splunk Fundamentals 1 and 2
Or the following single-subject courses:
- What is Splunk? (WIS)
- Intro to Splunk (ITS)
- Using Fields (SUF)
- Scheduling Reports & Alerts (SRA)
- Visualizations (SVZ)
- Leveraging Lookups and Subsearches (LLS)
- Search Under the Hood (SUH)
- Intro to Knowledge Objects (IKO)
- Creating Knowledge Objects (CKO)
- Creating Field Extractions (CFE)
- Enriching Data with Lookups (EDL)
- Data Models (SDM)
- Introduction to Dashboards (ITD)
- Dynamic Dashboards (SDD)
Students should also have completed the following courses:
Course Objectives
- Examine how ES functions including data models, correlation searches, notable events, and dashboards
- Review risk-based alerting
- Customize the Investigation Workbench
- Learn how to install or upgrade ES
- Fine tune ES Global Settings
- Learn the steps to setting up inputs using technology add-ons
- Create custom correlation searches
- Customize assets and identities
- Configure threat intelligence
Outline: Administering Splunk Enterprise Security (ASES)
Module 1 – Introduction to ES
- Review how ES functions
- Understand how ES uses data models
- Configure ES roles and permissions
Module 2 – Security Monitoring
- Customize the Security Posture and Incident Review dashboards
- Create ad hoc notable events
- Create notable event suppressions
Module 3 – Risk-Based Alerting
- Give an overview of risk-based alerting
- View Risk Notables and risk information on the Incident Review dashboard
- Explain risk scores and how an ES admin can change an object's risk score
- Review the Risk Analysis dashboard
- Describe annotations
Module 4 – Incident Investigation
- Review the Investigations dashboard
- Customize the Investigation Workbench
- Manage investigations
Module 5 – Installation
- Prepare a Splunk environment for installation
- Download and install ES on a search head
- Test a new install
- Post-install configuration tasks
Module 6 – Initial Configuration
- Set general configuration options
- Add external integrations
- Configure local domain information
- Customize navigation
- Configure Key Indicator searches
Module 7 – Validating ES Data
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
Module 8 – Custom Add-ons
- Design a new add-on for custom data
- Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches
- Configure correlation search scheduling and sensitivity
- Tune ES correlation searches
Module 10 – Creating Correlation Searches
- Create a custom correlation search
- Manage adaptive responses
- Export/import content
Module 11 – Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 – Threat Intelligence Framework
- Understand and configure threat intelligence
- Use the Threat Intelligence Management interface to configure a new threat list