Course Overview
This course covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, risk management, and customizing threat intelligence.
Course Objectives
- Examine how ES functions including data models, correlation searches, notable events, and dashboards
- Review risk-based alerting
- Customize the Investigation Workbench
- Learn how to install or upgrade ES
- Fine tune ES Global Settings
- Learn the steps for setting up inputs using technology add-ons
- Create custom correlation searches
- Customize assets and identities
- Configure threat intelligence
Who Should Attend?
This course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES).
- Top-rated instructors: Our crew of subject matter experts has an average instructor rating of 4.8 out of 5 across thousands of reviews.
- Authorized content: We maintain more than 35 Authorized Training Partnerships with the top players in tech, ensuring your course materials contain the most relevant and up-to-date information.
- Interactive classroom participation: Our virtual training includes live lectures, demonstrations and virtual labs that allow you to participate in discussions with your instructor and fellow classmates to get real-time feedback.
- Post Class Resources: Review your class content, catch up on any material you may have missed or perfect your new skills with access to resources after your course is complete.
- Private Group Training: Let our world-class instructors deliver exclusive training courses just for your employees. Our private group training is designed to promote your team’s shared growth and skill development.
- Tailored Training Solutions: Our subject matter experts can customize the class to specifically address the unique goals of your team.
Agenda
1 - Introduction to ES
- Review how ES functions
- Understand how ES uses data models
- Configure ES roles and permissions
2 - Security Monitoring
- Customize the Security Posture and Incident Review dashboards
- Create ad hoc notable events
- Create notable event suppressions
3 - Risk-Based Alerting
- Give an overview of risk-based alerting
- View Risk Notables and risk information on the Incident Review dashboard
- Explain risk scores and how an ES admin can change an object's risk score
- Review the Risk Analysis dashboard
- Describe annotations
4 - Incident Investigation
- Review the Investigations dashboard
- Customize the Investigation Workbench
- Manage investigations
5 - Installation
- Prepare a Splunk environment for installation
- Download and install ES on a search head
- Test a new install
- Perform post-install configuration tasks
6 - Initial Configuration
- Set general configuration options
- Add external integrations
- Configure local domain information
- Customize navigation
- Configure Key Indicator searches
7 - Validating ES Data
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
8 - Custom Add-ons
- Design a new add-on for custom data
- Use the Add-on Builder to build a new add-on
9 - Tuning Correlation Searches
- Configure correlation search scheduling and sensitivity
- Tune ES correlation searches
10 - Creating Correlation Searches
- Create a custom correlation search
- Manage adaptive responses
- Export/import content
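As an added illustration of what modules 9 and 10 cover (this is editor-supplied example content, not material from the course), the body of a custom correlation search typically reads from an accelerated data model with `tstats`, applies a threshold, and leaves the notable-event and risk-modifier adaptive responses to the correlation search editor rather than to SPL. The threshold of 20 failures per 10-minute bucket, the risk score, and the rule name are assumptions chosen for this example; the scheduling window (how far back the search looks and how often it runs) is set in the correlation search's scheduling settings, not in the search string.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m, Authentication.src, Authentication.user
| rename Authentication.* AS *
| where failures >= 20
| eval risk_message="Possible brute force: " . failures . " failed logons from " . src . " as " . user
| table _time, src, user, failures, risk_message
```

Saved as a correlation search, this search would be paired in the editor with a "Notable" adaptive response (supplying the title, urgency, and drill-down) and a "Risk Analysis" adaptive response that assigns the assumed score to `src` as a system risk object and to `user` as a user risk object, so that repeated low-severity hits accumulate toward a Risk Notable instead of each one paging an analyst. Tuning in module 9 is mostly about the `where` threshold, the `span`, and the `summariesonly` setting, which restricts the search to accelerated data and therefore returns nothing for sourcetypes that are not yet normalized to the data model, which is the check module 7 performs.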
11 - Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
12 - Threat Intelligence Framework
- Understand and configure threat intelligence
- Use the Threat Intelligence Management interface to configure a new threat list