This 13.5 hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.

-Examine how ES functions including data models, correlation searches, notable events and dashboards

-Create custom correlation searches

-Customize the Investigation Workbench

-Learn how to install or upgrade ES

-Learn the steps to setting up inputs using technology add-ons

-Fine tune ES Global Settings

-Customize risk and configure threat intelligence

To be successful, students should have a solid understanding of the following:

• Splunk Enterprise System Administration
• Splunk Enterprise Data Administration

OR the following single-subject courses:

Students should also have completed the following courses:

Module 1 – Introduction to ES

• Review how ES functions
• Understand how ES uses data models
• Configure ES roles and permissions

Module 2 – Security Monitoring

• Customize the Security Posture and Incident Review dashboards
• Create ad hoc notable events
• Create notable event suppressions

Module 3 – Risk-Based Alerting

• Explain Risk-Based Alerting
• Explain risk scores 
• Review the Risk Analysis dashboard
• Use annotations

Module 4 – Incident Investigation

• Review the Investigations dashboard
• Customize the Investigation Workbench
• Manage investigations

Module 5 – Installation

• Prepare a Splunk environment for installation
• Download and install ES on a search head
• Test a new install
• Post-install configuration tasks

Module 6 – Initial Configuration

• Set general configuration options
• Add external integrations
• Configure local domain information
• Customize navigation
• Configure Key Indicator searches

Module 7 – Validating ES Data

• Verify data is correctly configured for use in ES
• Validate normalization configurations
• Install additional add-ons

Module 8 – Custom Add-ons

• Design a new add-on for custom data
• Use the Add-on Builder to build a new add-on

Module 9 – Tuning Correlation Searches

• Configure correlation search scheduling and sensitivity
• Tune ES correlation searches

Module 10 – Creating Correlation Searches

• Create a custom correlation search
• Manage adaptive responses
• Export/Import content

Module 11 – Asset & Identity Management

• Review the Asset and Identity Management interface
• Describe Asset and Identity KV Store collections
• Configure and add asset and identity lookups to the interface
• Configure settings and fields for asset and identity lookups
• Explain the asset and identity merge process
• Describe the process for retrieving LDAP data for an asset or identity lookup

Module 12 – Manage Threat Intelligence

• Understand and configure threat intelligence
• Use the Threat Intelligence Management interface to configure a new threat list