Administering Splunk Enterprise Security 7.0
Upcoming Classes
Online
Instructor-led online training
Location | May 2022 | Jun 2022 | Jul 2022 | Aug 2022 | Sep 2022 | Oct 2022 | Nov 2022 |
---|---|---|---|---|---|---|---|
AMER Pacific Time - Virtual | May 18 – May 20 | Jun 29 – Jul 1 | Jul 13 – Jul 15; Jul 27 – Jul 29 | | | | |
AMER Eastern Time - Virtual | May 18 – May 20 | Jun 15 – Jun 17; Jun 22 – Jun 24; Jun 29 – Jul 1 | Jul 13 – Jul 15; Jul 20 – Jul 22; Jul 27 – Jul 29 | | | | |
EMEA UK Time - Virtual | | Jun 20 – Jun 22 | Jul 4 – Jul 6; Jul 18 – Jul 20 | | | | |
APAC Singapore - Virtual | | Jun 27 – Jun 29 | Jul 25 – Jul 27 | | | | |
APAC Sydney - Virtual | | Jun 27 – Jun 29 | | | | | |

Summary
This 13.5-hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES). It covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.
Description
Course Topics
- Examine how ES functions, including data models, correlation searches, notable events, and dashboards
- Create custom correlation searches
- Customize the Investigation Workbench
- Learn how to install or upgrade ES
- Learn the steps for setting up inputs using technology add-ons
- Fine-tune ES Global Settings
- Customize risk and configure threat intelligence
Objectives
Module 1 – Introduction to ES
- Review how ES functions
- Understand how ES uses data models
- Configure ES roles and permissions
Module 2 – Security Monitoring
- Customize the Security Posture and Incident Review dashboards
- Create ad hoc notable events
- Create notable event suppressions
Module 3 – Risk-Based Alerting
- Explain Risk-Based Alerting
- Explain risk scores
- Review the Risk Analysis dashboard
- Use annotations
Module 4 – Incident Investigation
- Review the Investigations dashboard
- Customize the Investigation Workbench
- Manage investigations
Module 5 – Installation
- Prepare a Splunk environment for installation
- Download and install ES on a search head
- Test a new install
- Perform post-install configuration tasks
Module 6 – Initial Configuration
- Set general configuration options
- Add external integrations
- Configure local domain information
- Customize navigation
- Configure Key Indicator searches
Module 7 – Validating ES Data
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
Module 8 – Custom Add-ons
- Design a new add-on for custom data
- Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches
- Configure correlation search scheduling and sensitivity
- Tune ES correlation searches
Module 10 – Creating Correlation Searches
- Create a custom correlation search
- Manage adaptive responses
- Export/Import content
Module 11 – Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 – Manage Threat Intelligence
- Understand and configure threat intelligence
- Use the Threat Intelligence Management interface to configure a new threat list
Prerequisites
To be successful, students should have a solid understanding of the following:
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- What Is Splunk?
- Intro to Splunk
- Using Fields
- Scheduling Reports and Alerts
- Visualizations
- Leveraging Lookups and Subsearches
- Search Under the Hood
- Introduction to Knowledge Objects
- Creating Knowledge Objects
- Creating Field Extractions
- Enriching Data with Lookups
- Data Models
- Introduction to Dashboards
- Dynamic Dashboards
- Splunk System Administration
- Splunk Data Administration