CODE: SPL_ASESGE
LÄNGE: 16 Hours (2 Tage)
PREIS: €1.500,00
This 13.5 hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization,
deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence
At the end of this course you should be able to:
▪ Provide an overview of Splunk Enterprise Security (ES)
▪ Customize ES dashboards
▪ Examine the ES Risk framework and Risk-based Alerting (RBA)
▪ Customize the Investigation Workbench
▪ Understand initial ES installation and configuration ▪ Manage data intake and normalization for ES
▪ Create and tune correlation searches
▪ Configure ES lookups
▪ Configure Assets & Identities and Threat Intelligence
SOC Analyst
To be successful, students should have a solid understanding of the following courses:
▪ Using Splunk Enterprise Security
▪ What is Splunk?
▪ Intro to Splunk
▪ Using Fields
▪ Introduction to Knowledge Objects
▪ Creating Knowledge Objects
▪ Creating Field Extractions
▪ Enriching Data with Lookups
▪ Data Models
▪ Splunk Enterprise System Administration
▪ Splunk Enterprise Data Administration
Module 1 – Introduction to ES
▪ Review how ES functions
▪ Understand how ES uses data models
▪ Describe correlation searches, adaptive response actions, and notable events
▪ Configure ES roles and permissions
Module 2 – Security Monitoring
▪ Customize the Security Posture and Incident Review dashboards
▪ Create ad hoc notable events
▪ Create notable event suppressions
Module 3 – Risk-Based Alerting
▪ Give an overview of Risk-Based Alerting (RBA)
▪ Explain risk scores and how they can be changed
▪ Review the Risk Analysis dashboard
▪ Describe annotations
▪ View Risk Notables and risk information
Module 4 – Incident Investigation
▪ Review the Investigations dashboard
▪ Customize the Investigation Workbench
▪ Manage investigations
Module 5 – Installation
▪ Give an overview of general ES install requirements
▪ Explain the different add-ons and where they are installed
▪ Provide ES pre-installation requirements
▪ Identify steps for downloading and installing ES
Module 6 – General Configuration
▪ Set general configuration options
▪ Configure local and cloud domain information
▪ Work with the Incident Review KV Store
▪ Customize navigation
▪ Configure Key Indicator searches
Module 7 – Validating ES Data
▪ Verify data is correctly configured for use in ES
▪ Validate normalization configurations
▪ Install additional add-ons
Module 8 – Custom Add-ons
▪ Ingest custom data in ES
▪ Create an add-on for a custom sourcetype
▪ Describe add-on troubleshooting
Module 9 – Tuning Correlation Searches
▪ Describe correlation search operation
▪ Customize correlation searches
▪ Describe numeric vs. conceptual thresholds
Module 10 – Creating Correlation Searches
▪ Create a custom correlation search
▪ Manage adaptive responses
▪ Export/import content
Module 11 – Asset & Identity Management
▪ Review the Asset and Identity Management interface
▪ Describe Asset and Identity KV Store collections
▪ Configure and add asset and identity lookups to the interface
▪ Configure settings and fields for asset and identity lookups
▪ Explain the asset and identity merge process
▪ Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 – Managing Threat Intelligence
▪ Understand and configure threat intelligence
▪ Use the Threat Intelligence Management interface
▪ Configure new threat lists
Module 13 – Supplemental Apps
▪ Review apps to enhance the capabilities of ES including, Mission Control, SOAR, UBA, Cloud-based Streaming Analytics, PCI Compliance, Fraud Analytics, and Lookup File Editor