Administering Splunk Enterprise Security
Duration: 2 days (16 hours)
Administering Splunk Enterprise Security Course Overview:
This course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, the risk framework, and customization of threat intelligence.
Intended Audience:
- Splunk Architects: Individuals responsible for designing Splunk Enterprise Security (ES) implementations.
- Systems Administrators: Professionals involved in the installation, configuration, and management of Splunk ES.
- Security Practitioners: Those responsible for security monitoring, incident investigation, and risk management.
- Splunk Administrators: Individuals managing Splunk environments and data sources.
- Threat Intelligence Analysts: Professionals involved in configuring and managing threat intelligence in Splunk ES.
- IT Professionals: Including those responsible for network and system security.
- Anyone interested in becoming proficient in the deployment and configuration of Splunk Enterprise Security.
Learning Objectives of Administering SplunkEnterprise Security:
- Overview of Splunk Enterprise Security (ES)
- Customizing ES Dashboards
- Examining the ES Risk Framework and Risk-based Alerting (RBA)
- Customizing the Investigation Workbench
- Initial ES Installation and Configuration
- Managing Data Intake and Normalization for ES
- Creating and Tuning Correlation Searches
- Configuring ES Lookups
- Configuring Assets & Identities
- Configuring Threat Intelligence
Module 1: Introduction to ES
- How ES functions
- ES use of data models
- Correlation searches, adaptive response actions, and notable events
- Configuring ES roles and permissions
Module 2: Security Monitoring
- Customizing Security Posture and Incident Review dashboards
- Creating ad hoc notable events
- Creating notable event suppressions
Module 3: Risk-Based Alerting
- Overview of Risk-Based Alerting (RBA)
- Changing risk scores
- Risk Analysis dashboard
- Annotations
- Viewing Risk Notables and risk information
Module 4: Incident Investigation
- Reviewing the Investigations dashboard
- Customizing the Investigation Workbench
- Managing investigations
Module 5: Installation
- General ES installation requirements
- Add-ons and their installation locations
- ES pre-installation requirements
- Steps for downloading and installing ES
Module 6: General Configuration
- Setting general configuration options
- Configuring local and cloud domain information
- Working with the Incident Review KV Store
- Customizing navigation
- Configuring Key Indicator searches
Module 7: Validating ES Data
- Verifying data configuration for ES
- Validating normalization configurations
- Installing additional add-ons
Module 8: Custom Add-ons
- Ingesting custom data in ES
- Creating an add-on for a custom sourcetype
- Add-on troubleshooting
Module 9: Tuning Correlation Searches
- Correlation search operation
- Customizing correlation searches
- Numeric vs. conceptual thresholds
Module 10: Creating Correlation Searches
- Creating custom correlation searches
- Managing adaptive responses
- Exporting/importing content
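The "numeric vs. conceptual thresholds" topic in Module 9 and the custom correlation searches of Module 10 are easiest to see side by side in SPL. The two searches below are an added illustration, not course material or Splunk-supplied content. Both assume an accelerated CIM Authentication data model with the standard `Authentication.action` and `Authentication.src` fields; the numbers 20, 10 and the 3-sigma multiplier are illustrative choices, not recommended values.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure" earliest=-70m@m latest=-10m@m
    BY Authentication.src, _time span=1h
| rename Authentication.src AS src
| where failures > 20

| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure" earliest=-7d@h latest=@h
    BY Authentication.src, _time span=1h
| rename Authentication.src AS src
| eventstats avg(failures) AS avg_failures, stdev(failures) AS sd_failures BY src
| where _time = relative_time(now(), "-1h@h")
    AND failures > avg_failures + 3 * sd_failures
    AND failures >= 10
```

The first search is a numeric threshold: any source with more than 20 failed logons in the hour fires, regardless of how that source normally behaves. The second expresses the same idea conceptually, "unusually many failures for this source", by comparing the most recent hour against that source's own seven-day hourly mean and standard deviation, with a floor of 10 so that a source that normally sees zero failures does not alert on a single event. One caveat when using `tstats` for the baseline: hours with no failures produce no rows at all, so the mean and standard deviation are computed only over hours that had at least one failure, which biases the baseline upward for quiet sources. Back-filling missing hours (for example with `makecontinuous` or `timechart` with `fillnull`) gives a more honest baseline if that matters for the use case. The `earliest`/`latest` offsets in the first search deliberately lag real time by 10 minutes to allow for indexing delay; the schedule window of the correlation search should match that lag so events are neither missed nor counted twice.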
Module 11: Asset & Identity Management
- Reviewing the Asset and Identity Management interface
- Asset and Identity KV Store collections
- Configuring and adding asset and identity lookups to the interface
- Configuring settings and fields for asset and identity lookups
- Asset and identity merge process
- Retrieving LDAP data for asset or identity lookup
Module 12: Managing Threat Intelligence
- Configuring threat intelligence
- Using the Threat Intelligence Management interface
- Configuring new threat lists
Module 13: Supplemental Apps
- Reviewing apps to enhance ES capabilities, including Mission Control, SOAR, UBA, Cloud-based Streaming Analytics, PCI Compliance, Fraud Analytics, and Lookup File Editor
Administering Splunk Enterprise Security Course Prerequisites:
Students should have completed the following Splunk courses, or have equivalent hands-on experience, before attending:
- Using Splunk Enterprise Security
- What is Splunk?
- Intro to Splunk
- Using Fields
- Introduction to Knowledge Objects
- Creating Knowledge Objects
- Creating Field Extractions
- Enriching Data with Lookups
- Data Models
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
Discover the perfect fit for your learning journey
Choose Learning Modality
Live Online
- Convenience
- Cost-effective
- Self-paced learning
- Scalability
Classroom
- Interaction and collaboration
- Networking opportunities
- Real-time feedback
- Personal attention
Onsite
- Familiar environment
- Confidentiality
- Team building
- Immediate application
Training Exclusives
This course comes with the following benefits:
- Practice labs
- Instruction by certified trainers
- Access to the recordings of your class sessions for 90 days
- Digital courseware
- 24x7 learner support
Got more questions? We’re all ears and ready to assist!