Splunk Training Provider Authorised Learning Partner Australia

Using Splunk Enterprise Security

The Using Splunk Enterprise Security course prepares security practitioners to track security incidents, analyse security risks, use predictive analytics, and threat discovery.


The  Using Splunk Enterprise Security course covers the use of Enterprise Security’s dashboards, forms and workflow to identify, find root cause and resolve security issues.

Units : 3
Duration : 13.5 hours over 3 days

*Course discounts apply for Splunk Partners. Please use the currency convertor above to check for course pricing in your local currency.

Buy Splunk Using Enterprise Security Training Course Now
Using Splunk Enterprise Security

The instructor spoke with clarity, not rushed. Top class, enjoyed.

Participant, Using Splunk Enterprise Security

Using Splunk Enterprise Security
Using Splunk Enterprise Security - Course Topics
  • ES concepts, features, and capabilities

  • Assets and identities

  • Security monitoring and Incident investigation

  • Use risk-based alerting and risk analysis

  • Use investigation workbench, timelines, list and summary tools

  • Detecting known types of threats

  • Monitoring for new types of threats

  • Using analytical tools

  • Analyse user behavior for insider threats

  • Use threat intelligence tools

  • Use protocol intelligence and live stream data

Course Prerequisites

Splunk Fundamentals 1

Splunk Fundamentals 2

or the following single-subject courses:

  • What is Splunk?

  • Intro to Splunk

  • Using Fields

  • Scheduling Reports and Alerts

  • Visualizations

  • Leveraging Lookups and Sub-searches

  • Search Under the Hood

  • Introduction to Knowledge Objects

  • Enriching Data with Lookups

  • Data Models

  • Introduction to Dashboards

Using Splunk Enterprise Security - Audience

Anyone whose role includes using the Splunk App for Enterprise Security. Previous attendees have included Pre-Sales Consultants, Security Sales Engineers, IT Security and Risk Analysts, Security Operations Centre (SOC) staff

Class Format

Instructor-led lecture with labs. Delivered via virtual classroom or at your site

After completing Using Splunk Enterprise Security course you will be able to
  • Detect, identify, and investigate security related threats.

  • Take ownership of incidents, and move through the investigation workflow.

  • Use asset and identity investigator swim lanes to analyse security related events.

  • Use advanced Threat network analysis reports to analyse your network environment.

  • Detect suspicious user activity and access patterns.

  • Understand the threat intelligence framework and use it to identify internal and external threats.

  • Use ES protocol intelligence to analyse captured stream data.

Using Splunk Enterprise Security
Using Splunk Enterprise Security - Course Objectives

Module 1 – Getting Started with ES

  • Describe the features and capabilities of Splunk Enterprise Security (ES)

  • Explain how ES helps security practioners prevent, detect, and respond to threats

  • Describe correlation searches, data models and notable events

  • Describe user roles in ES

  • Log into Splunk Web and access Splunk for Enterprise Security

Module 2 – Security Monitoring and Incident Investigation

  • Use the Security Posture dashboard to monitor enterprise security status

  • Use the Incident Review dashboard to investigate notable events

  • Take ownership of an incident and move it through the investigation workflow

  • Use adaptive response actions during incident investigation

  • Create notable events

  • Suppress notable events

Module 3 – Risk-based Alerting

  • Give an overview of Risk-Based Alerting

  • View Risk Notables and risk information on the Incident Review dashboard

  • Explain risk scores and how to change an object's risk score 

  • Review the Risk Analysis dashboard

  • Describe annotations

  • Describe the process for retrieving LDAP data for an asset or indentify lookup

Module 4 – Investigations

  • Use investigations to manage incident response activity

  • Use the investigation Workbench to manage, visualize and coordinate incident investigations

  • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)

  • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts

Module 5 – Using Security Domain Dashboard

  • Use ES to inspect events containing information relevant to active or past incident investigation

  • Identify security domains in ES

  • Use ES security domain dashboards

  • Launch security domain dashboards from incident Review and from action menus in search results

Module 6 – Web Intelligence

  • Use the web intelligence dashboards to analyze your network environment

  • Filter ad highlight events

Module 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards

  • Understand asset and identity concepts

  • Use the Asset and identify Investigator to analyze events 

  • Use the session center for identity resolution

  • Discuss Splunk User Behavior Analytics (UBA) integration 

Module 8 – Threat Intelligence

  • Give an overview of the Threat Intelligence framework abd how threat intel is configured in ES

  • Use the Threat Activity dashboard to see which threat sources are interacting with your environment

  • Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment

Module 9 – Protocol Intelligence

  • Explain how network data is input into Splunk events

  • Describe Stream events 

  • Give an overview of the Protocol intelligence dashboards and how they can be used to analyse network data

Splunk Course Schedules and Timezones

Ingeniq Course are delivered live and in English and provide access to customers spanning multiple timezones.

Dates and times displayed for each course are relative to Australian Eastern Time (AET).

AM Marked Splunk Courses

AM marked courses start at AET 9:00am and finish at AET 1:30pm and are optimal for customers in the following countries and areas;

  • UTC+10 including Australia (East Coast)

  • UCT+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

PM Marked Splunk Courses

PM marked courses usually starts at AEDT 12:00pm or AEST 11:00 am and are optimal for customers in the following countries and areas;

  • UTC+10 including Australia (East Coast)

  • UCT+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

Using Splunk Enterprise Security - Upcoming Courses