Administering/Developing Splunk ES

Administering Splunk ES

Objective of the Course:

This course prepares you to configure Splunk ES to meet your unique requirements. It includes learning how to manage Splunk servers, set up alerts and plan server capacity.

Modules Include:

Module 1 – ES Introduction  

  • Overview of ES features and concepts 

Module 2 – Monitoring and Investigation 

  • Security Posture 
  • Incident Review 
  • Notable events management 

Module 3 – Security Intelligence  

  • Overview of security intel tools 

Module 4 – Forensics, Glass Tables and Navigation Control  

  • Explore forensics dashboards 
  • Examine glass tables 
  • Configure navigation and dashboard permissions 

Module 5 – ES Deployment 

  • Identify deployment topologies 
  • Examine the deployment checklist 
  • Understand indexing strategy for ES 
  • Understand ES Data Models 

Module 6 – Installation and Configuration 

  • Prepare a Splunk environment for installation 
  • Download and install ES on a search head 
  • Test a new install 
  • Understand ES Splunk user accounts and roles 
  • Post-install configuration tasks 

Module 7 – Validating ES Data 

  • Plan ES inputs 
  • Configure technology add-ons 

Module 8 – Custom Add-ons 

  • Design a new add-on for custom data 
  • Use the Add-on Builder to build a new add-on 

Module 9 – Tuning Correlation Searches  

  • Configure correlation search scheduling and sensitivity 
  • Tune ES correlation searches 

Module 10 – Creating Correlation Searches 

  • Create a custom correlation search 
  • Configure adaptive responses 
  • Export and import correlation searches 

Module 11 – Lookups and Identity Management  

  • Identify ES-specific lookups 
  • Understand and configure lookup lists 

Module 12 – Threat Intelligence Framework  

  • Understand and configure threat intelligence 
  • Configure user activity analysis 


Developing Splunk ES

Objective of the Course:

This course focuses on the Splunk Web Framework and includes creating dashboards, search forms, dynamic drilldowns, and cascading inputs. Several modules help you attain competency in Splunk ES.

Modules Include:

Module 1 – Getting Started with ES 

  • Provide an overview of Splunk for Enterprise Security (ES) 
  • Identify the differences between traditional security threats and new adaptive threats 
  • Describe correlation searches, data models and notable events 
  • Describe user roles in ES 
  • Log on to ES 

Module 2 – Security Monitoring and Incident Investigation 

  • Use the Security Posture dashboard to monitor enterprise security status 
  • Use the Incident Review dashboard to investigate notable events 
  • Take ownership of an incident and move it through the investigation workflow 
  • Use adaptive response actions during incident investigation 
  • Create notable events 
  • Suppress notable events 

Module 3 – Investigations 

  • Use ES investigation timelines to manage, visualize and coordinate incident investigations 
  • Use timelines and journals to document breach analysis and mitigation efforts 

Module 4 – Forensic Investigation with ES 

  • Investigate access domain events  
  • Investigate endpoint domain events 
  • Investigate network domain events 
  • Investigate identity domain events 

Module 5 – Risk and Network Analysis 

  • Understand and use Risk Analysis 
  • Use the Risk Analysis dashboard 
  • Manage risk scores for objects or users 

Module 6 – Web Intelligence 

  • Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis, and Traffic Size Analysis to spot new threats 
  • Filter and highlight events 

Module 7 – User Intelligence 

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards 
  • Understand asset and identity concepts 
  • Use the Asset Investigator to analyze events  
  • Use the Identity Investigator to analyze events  
  • Use the session center for identity resolution (UBA integration) 

Module 8 – Threat Intelligence 

  • Use the Threat Activity dashboard to analyze traffic to or from known malicious sites 
  • Inspect the status of your threat intelligence content with the threat artifact dashboard 

Module 9 – Protocol Intelligence 

  • Describe how Splunk Stream event data is ingested into Splunk 
  • Use ES predictive analytics to make forecasts and view trends 

Module 10 – Glass Tables 

  • Build glass tables to display security status information 
  • Add glass table drilldown options 
  • Create new key indicators for metrics on glass tables
