Using Splunk Enterprise Security 6.1

Using Splunk Enterprise Security 6.1

Upcoming Classes

No classes have been scheduled.


This 13.5-hour course prepares security practitioners to use Splunk Enterprise Security (ES). Students identify and track incidents, analyze security risks, use predictive analytics, and discover threats.


  • ES concepts
  • Security monitoring and Incident investigation
  • Assets and identities
  • Detecting known types of threats
  • Monitoring for new types of threats
  • Using analytical tools
  • Analyze user behavior for insider threats
  • Use risk analysis and threat intelligence tools
  • Use protocol intelligence and live stream data
  • Use investigation workbench, timelines, list and summary tools
  • Build glass tables to display security status


3 Days


Module 1 - Getting Started with ES

  • Provide an overview of Splunk for Enterprise Security (ES)
  • Identify the differences between traditional security threats and new adaptive threats
  • Describe correlation searches, data models and notable events
  • Describe user roles in ES
  • Access ES

Module 2 - Security Monitoring and Incident Investigation

  • Monitor enterprise security status with Security Posture
  • Investigate notable events with Incident Review dashboard
  • Take ownership of an incident and move it through the investigation workflow
  • Use adaptive response actions during incident investigation
  • Create notable events
  • Suppress notable events

Module 3 – Investigations

  • Use investigations to manage incident response activity
  • Use ES investigation workbench to manage, visualize and coordinate incident investigations
  • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
  • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts

Module 4 – Forensic Investigation with ES

  • Investigate access domain events;
  • Investigate endpoint domain events
  • Investigate network domain events
  • Investigate identity domain events

Module 5 – Risk Analysis

  • Understand and use Risk Analysis
  • Use advance threat dashboards to analyze your environment
  • User dashboards to examine a firewall attack, user risk and asset risk
  • Filter and highlight events
  • Create watchlists
  • Manage risk scores for objects or users

Module 6 – Web Intelligence

  • Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis, and Traffic Size Analysis to spot new threats
  • Customize web intelligence dashboards

Module 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards
  • Understand asset and identity concepts
  • Use the Asset Investigator to analyze events
  • Use the Identity Investigator to analyze events
  • Use the session center for identity resolution (UBA integration)

Module 8 – Threat Intelligence

  • Use the Threat Activity dashboard to analyze traffic to or from known malicious sites
  • Inspect the status of your threat intelligence content with the threat artifact dashboard

Module 9 - Protocol Intelligence

  • Explore protocol intelligence
  • Describe Stream events data is input into Splunk events
  • Use ES predictive analytics to make forecasts and view trends

Module 10 – Glass Tables

  • Build glass tables to display security status information
  • Use key indicators and ad hoc searches
  • Add glass table drilldown options
  • Create new key indicators for metrics on glass tables


  • Splunk Fundamentals 1
  • Splunk Fundamentals 2

Onsite Training

For groups of three or more

Request Quote

Public Training