Splunk Training Authorised Partner Ingeniq

Using Splunk Enterprise Security

The Using Splunk Enterprise Security course prepares security practitioners to track security incidents, analyse security risks, use predictive analytics, and threat discovery.


The  Using Splunk Enterprise Security course covers the use of Enterprise Security’s dashboards, forms and workflow to identify, find root cause and resolve security issues.

Units : 3
Duration : 13.5 hours over 3 days
Time : 9:00 am – 1:30 pm AEST (GMT +10)

*Course discounts apply for Splunk Partners. Please use the currency convertor above to check for course pricing in your local currency.

Using Splunk Enterprise Security

The instructor was very responsive to questions and queries both private and Communal.. Final module collaborative lab walkthrough on screen was particularly helpful.

Participant, Splunk Fundamentals 2

Using Splunk Enterprise Security
Using Splunk Enterprise Security - Course Topics
  • ES concepts

  • Security monitoring and Incident investigation

  • Assets and identities

  • Detecting known types of threats

  • Monitoring for new types of threats

  • Using analytical tools

  • Analyze user behavior for insider threats

  • Use risk analysis and threat intelligence tools

  • Use protocol intelligence and live stream data

  • Use investigation timelines and journal tools

  • Build glass tables to display security status

Class Format

Instructor-led lecture with labs. Delivered via virtual classroom or at your site

Course Prerequisites
Related Certifications
Using Splunk Enterprise Security - Audience

Anyone whose role includes using the Splunk App for Enterprise Security. Previous attendees have included Pre-Sales Consultants, Security Sales Engineers, IT Security and Risk Analysts, Security Operations Centre (SOC) staff

After completing Using Splunk Enterprise Security course you will be able to
  • Detect, identify, and investigate security related threats.

  • Take ownership of incidents, and move through the investigation workflow.

  • Use asset and identity investigator swim lanes to analyse security related events.

  • Use advanced Threat network analysis reports to analyse your network environment.

  • Detect suspicious user activity and access patterns.

  • Understand the threat intelligence framework and use it to identify internal and external threats.

  • Use ES protocol intelligence to analyse captured stream data.

Using Splunk Enterprise Security
Using Splunk Enterprise Security - Course Objectives

Module 1 – Getting Started with ES

  • Provide an overview of the Splunk App for Enterprise Security (ES)

  • Identify the differences between traditional security threats and new adaptive threats

  • Describe correlation searches, data models and notable events

  • Describe user roles in ES

  • Log on to ES

Module 2 – Security Monitoring and Incident Investigation

  • Use the Security Posture dashboard to monitor enterprise security status

  • Use the Incident Review dashboard to investigate notable events

  • Take ownership of an incident and move it through the investigation workflow

  • Use adaptive response actions during incident investigation

  • Create notable events

  • Suppress notable events

Module 3 – Investigation Timelines

  • Using ES investigation timelines to manage, visualise and coordinate incident investigations

  • Use timelines and journals to document breach analysis and mitigation efforts

Module 4 – Forensic Investigation with ES

  • Investigate access domain events

  • Investigate endpoint domain events

  • Investigate network domain events

  • Investigate identity domain events

Module 5 – Risk and Network Analysis

  • Understand and use Risk analysis

  • Use of Risk analysis Dashboard

  • Assign risk scores

Module 6 – Web Intelligence

  • Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis and Traffic Size Analysis to spot new threats

  • Filter and highlight events

Module 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards

  • Understand asset and identity concepts

  • Use the Identity investigator to analyse events related to an identity

  • Examine asset and identity lookup tables

Module 8 – Threat Intelligence

  • Use the Threat Activity dashboard to analyse traffic to or from known malicious sites

  • Inspect the status of your threat intelligence content with the threat artifact dashboard

Module 9 – Protocol Intelligence

  • Use ES predictive analytics to make forecasts and view trends

Module 10 – Glass Tables

  • Build glass tables to display security status information

  • Create new key indicators for metrics on glass

Course Schedules and Timezones

Ingeniq Course are delivered live and in English and provide access to customers spanning multiple timezones.

Dates and times displayed for each course are relative to Australian Eastern Time (AET).

AM Marked Courses

AM marked courses start at AET 9:00am and finish at AET 1:30pm (4.5 hour sessions over 1 or more days) and are optimal for customers in the following countries and areas;

  • UTC+10 including Australia (East Coast)

  • UCT+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

PM Marked Courses

PM marked courses start at AET  2:00pm and finish at AET 6:30pm (4.5 hour sessions over 1 or more days) and are optimal for customers in the following countries and areas;

  • UTC+9 including Japan, Korea

  • UTC+8 including Australia (West Coast), Singapore, Hong Kong, China, Philippines, Brunei, Thailand

  • UTC +5/+6 including India and Sri Lanka

Using Splunk Enterprise Security - Upcoming Courses