Administering Splunk Enterprise Security
The Administering Splunk Enterprise Security course prepares architects and systems administrators to install, configure and manage Splunk Enterprise Security.
The Administering Splunk Enterprise Security course covers ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations.
Splunk Credit Value : 150
Duration : 13.5 hours over 3 days
Time : 9:00 am - 1:30 pm AEST
*Course discounts apply for Splunk Partners. Please use the currency converter above to check course pricing in your local currency.
Administering Splunk Enterprise Security - Course Topics
- Monitoring and Investigation
- Security Intelligence
- Forensics, Glass Tables and Navigation Control
- ES Deployment
- Installation and Configuration
- Validating ES Data
- Custom Add-ons
- Tuning Correlation Searches
- Creating Correlation Searches
- Lookups and Identity Management
- Threat Intelligence Framework
Course Prerequisites
Or the following single-subject courses:
- What Is Splunk?
- Intro to Splunk
- Using Fields
- Scheduling Reports and Alerts
- Visualizations
- Leveraging Lookups and Subsearches
- Search Under the Hood
- Introduction to Knowledge Objects
- Creating Knowledge Objects
- Creating Field Extractions
- Enriching Data with Lookups
- Data Models
- Introduction to Dashboards
- Dynamic Dashboards
Splunk Enterprise Data Administration
Splunk Enterprise System Administration
Administering Splunk Enterprise Security - Audience
Anyone whose role includes deploying or configuring the Splunk App for Enterprise Security. Previous attendees have included IT Operations, Security Operations Centre (SOC) staff, Pre-Sales Consultants, Security Sales Engineers and Security Architects.
Class Format
Instructor-led lecture with labs. Delivered via virtual classroom or at your site.
Related Certifications
Splunk Certified Enterprise Security Admin
Splunk Core Certified Consultant
After completing the Administering Splunk Enterprise Security course, you will be able to:
- Examine deployment topologies, requirements and the deployment checklist.
- Generate configurations and test new installations.
- Validate data against the Common Information Model.
- Configure ES inputs and Technology Add-ons.
- Describe and customize correlation searches.
- Configure asset/identity lookups and new threat feeds.
- Create your own add-on for custom data sources.
- Audit an ES installation for completeness.
Administering Splunk Enterprise Security - Course Objectives
Module 1 – ES Introduction
- Overview of ES features and concepts
Module 2 – Monitoring and Investigation
- Security Posture
- Incident Review
- Notable events management
Module 3 – Security Intelligence
- Overview of security intel tools
Module 4 – Forensics, Glass Tables and Navigation Control
- Explore forensics dashboards
- Examine glass tables
- Configure navigation and dashboard permissions
Module 5 – ES Deployment
- Identify deployment topologies
- Examine the deployment checklist
- Understand indexing strategy for ES
- Understand ES Data Models
Module 6 – Installation and Configuration
- Prepare a Splunk environment for installation
- Download and install ES on a search head
- Test a new install
- Understand ES Splunk user accounts and roles
- Post-install configuration tasks
Module 7 – Validating ES Data
- Plan ES inputs
- Configure technology add-ons
Module 8 – Custom Add-ons
- Design a new add-on for custom data
- Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches
- Configure correlation search scheduling and sensitivity
- Tune ES correlation searches
Module 10 – Creating Correlation Searches
- Create a custom correlation search
- Configure adaptive responses
- Search export/import
Module 11 – Lookups and Identity Management
- Identify ES-specific lookups
- Understand and configure lookup lists
Module 12 – Threat Intelligence Framework
- Understand and configure threat intelligence
- Configure user activity analysis
Splunk Course Schedules and Timezones
Ingeniq courses are delivered live and in English and are available to customers spanning multiple timezones.
Dates and times displayed for each course are relative to Australian Eastern Time (AET).
AM Marked Splunk Courses
AM marked courses start at 9:00am AET and finish at 1:30pm AET and are best suited to customers in the following countries and areas:
- UTC+10 including Australia (East Coast)
- UTC+11/+12 including New Zealand and the Pacific Islands
- UTC-8 including USA (West Coast), Canada (West Coast)
- UTC-7 including USA (Mid West)
PM Marked Splunk Courses
PM marked courses usually start at 12:00pm AEDT or 11:00am AEST and are best suited to customers in the following countries and areas:
- UTC+10 including Australia (East Coast)
- UTC+11/+12 including New Zealand and the Pacific Islands
- UTC-8 including USA (West Coast), Canada (West Coast)
- UTC-7 including USA (Mid West)