Using Splunk Enterprise Security 6.4

Using Splunk Enterprise Security 6.4

Upcoming Classes

No classes have been scheduled.


This 13.5-hour course prepares security practitioners to use Splunk Enterprise Security (ES). Students identify and track incidents, analyze security risks, use predictive analytics, and discover threats.


  • ES concepts
  • Assets and identities
  • Security monitoring and Incident investigation
  • Detecting known types of threats
  • Monitoring for new types of threats
  • Using analytical tools
  • Analyze user behavior for insider threats
  • Use risk analysis and threat intelligence tools
  • Use protocol intelligence and live stream data


3 Days


Module 1 - Getting Started with ES

  • Describe the features and capabilities of Splunk Enterprise Security (ES)
  • Explain how ES helps security practitioners prevent, detect, and respond to threats
  • Describe correlation searches, data models and notable events
  • Describe user roles in ES
  • Log into Splunk Web and access Splunk for Enterprise Security

Module 2 - Security Monitoring and Incident Investigation

  • Use the Security Posture dashboard to monitor ES status
  • Use the Incident Review dashboard to investigate notable events
  • Take ownership of an incident and move it through the investigation workflow
  • Create notable events
  • Suppress notable events

Module 3 – Investigations

  • Use investigations to manage incident response activity
  • Use the investigation workbench to manage, visualize and coordinate incident investigations
  • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
  • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts

Module 4 – Using Security Domain Dashboards

  • Use ES to inspect events containing information relevant to active or past incident investigation
  • Identify security domains in ES
  • Use ES security domain dashboards
  • Launch security domain dashboards from Incident Review and from action menus in search results

Module 5 – Risk Analysis

  • Understand risk analysis concepts
  • Describe risk annotations
  • Use the Risk Analysis dashboard to monitor risk related activity
  • Manage risk scores for objects or users

Module 6 – Web Intelligence

  • Use the web intelligence dashboards to analyze your network environment
  • Filter and highlight events

Module 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards
  • Understand asset and identity concepts
  • Use the Asset and Identity Investigators to analyze events
  • Use the session center for identity resolution
  • Discuss Splunk User Behavior Analytics (UBA) integration

Module 8 – Threat Intelligence

  • Give an overview of the Threat Intelligence framework and how threat intel is configured in ES
  • Use the Threat Activity dashboard to see which threat sources are interacting with your environment
  • Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment

Module 9 - Protocol Intelligence

  • Explain how network data is input into Spunk events
  • Describe Stream events
  • Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data


  • Splunk Fundamentals 1
  • Splunk Fundamentals 2

Public Training