We provide virtual course about Administering Splunk Enterprise Security. This course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES).
Content:
It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.
Course objectives:
• Examine how ES functions including data models, correlation searches, notable events and dashboards
• Create custom correlation searches
• Customize the Investigation Workbench
• Learn how to install or upgrade ES
• Learn the steps to setting up inputs using technology add-ons
• Fine tune ES Global Settings
• Customize risk and configure threat intelligence
Course outline:
Module 1 - Introduction to ES:
• Review how ES functions
• Understand how ES uses data models
• Configure ES roles and permissions
Module 2 - Security Monitoring:
• Customize the Security Posture and Incident Review dashboards
• Create ad hoc notable events
• Create notable event suppressions
Module 3 - Risk-Based Alerting:
• Explain Risk-Based Alerting
• Explain risk scores
• Review the Risk Analysis dashboard
• Use annotations
Module 4 - Incident Investigation:
• Review the Investigations dashboard
• Customize the Investigation Workbench
• Manage investigations
Module 5 - Installation:
• Prepare a Splunk environment for installation
• Download and install ES on a search head
• Test a new install
• Post-install configuration tasks
Module 6 - Initial Configuration:
• Set general configuration options
• Add external integrations
• Configure local domain information
• Customize navigation
• Configure Key Indicator searches
Module 7 - Validating ES Data:
• Verify data is correctly configured for use in ES
• Validate normalization configurations
• Install additional add-ons
Module 8 - Custom Add-ons:
• Design a new add-on for custom data
• Use the Add-on Builder to build a new add-on
Module 9 - Tuning Correlation Searches:
• Configure correlation search scheduling and sensitivity
• Tune ES correlation searches
Module 10 - Creating Correlation Searches:
• Create a custom correlation search
• Manage adaptive responses
• Export/Import content
Module 11 - Asset & Identity Management:
• Review the Asset and Identity Management interface
• Describe Asset and Identity KV Store collections
• Configure and add asset and identity lookups to the interface
• Configure settings and fields for asset and identity lookups
• Explain the asset and identity merge process
• Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 - Manage Threat Intelligence:
• Understand and configure threat intelligence
• Use the Threat Intelligence Management interface to configure a new threat list
Target audience:
This course is designed for architects and systems administrators that is responsible for installation and configuration of Splunk Enterprise Security.
Prerequisites:
To be successful, students should have completed the following courses:
• Splunk Enterprise System Administration
• Splunk Enterprise Data Administration
Language:
• English course material, english speaking instructor