This 13.5 hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.

• Examine how ES functions including data models, correlation searches, notable events and dashboard
• Create custom correlation searches
• Customize the Investigation Workbench
• Learn how to install or upgrade ES
• Learn the steps to setting up inputs using technology add-ons
• Fine tune ES Global Settings
• Customize risk and configure threat intelligence

To be successful, students should have a solid understanding of the following:

• Splunk Enterprise System Administration
• Splunk Enterprise Data Administration

OR the following single-subject courses:

Students should also have completed the following courses:

Module 1 – Introduction to ES

• Review how ES functions
• Understand how ES uses data models
• Configure ES roles and permissions

Module 2 – Security Monitoring

• Customize the Security Posture and Incident Review dashboards 
• Create ad hoc notable events 
• Create notable event suppressions

Module 3 – Risk-Based Alerting

• Explain Risk-Based Alerting 
• Explain risk scores 
• Review the Risk Analysis dashboard 
• Use annotations

Module 4 – Incident Investigation

• Review the Investigations dashboard 
• Customize the Investigation Workbench 
• Manage investigations

Module 5 – Installation

• Prepare a Splunk environment for installation 
• Download and install ES on a search head 
• Test a new install 
• Post-install configuration tasks

Module 6 – Initial Configuration

• Set general configuration options 
• Add external integrations 
• Configure local domain information 
• Customize navigation
• Configure Key Indicator searches

Module 7 – Validating ES Data

• Verify data is correctly configured for use in ES 
• Validate normalization configurations 
• Install additional add-ons

Module 8 – Custom Add-ons

• Design a new add-on for custom data 
• Use the Add-on Builder to build a new add-on

Module 9 – Tuning Correlation Searches

• Configure correlation search scheduling and sensitivity
• Tune ES correlation searches

Module 10 – Creating Correlation Searches

• Create a custom correlation search 
• Manage adaptive responses 
• Export/Import content

Module 11 – Asset & Identity Management

• Review the Asset and Identity Management interface 
• Describe Asset and Identity KV Store collections 
• Configure and add asset and identity lookups to the interface 
• Configure settings and fields for asset and identity lookups 
• Explain the asset and identity merge process 
• Describe the process for retrieving LDAP data for an asset or identity lookup

Module 12 – Manage Threat Intelligence

• Understand and configure threat intelligence 
• Use the Threat Intelligence Management interface to configure a new threat list