757-216-3656 | Monday–Friday 8:30 AM – 4:30 PM | info@itdojo.com

Course Duration

2 Days

Audience

Employees of federal, state, and local governments, and of businesses working with the government.

Prerequisites

Completion of Splunk Enterprise Administration (SP-ADM-FT or SP-SESA + SP-SEDA). Familiarity with Splunk Enterprise Security usage is recommended.

Course Description

This 13.5-hour course enables SOC engineers to configure and administer Splunk Enterprise Security for detection engineering and SIEM management. Students learn to configure ES data inputs, create and tune correlation searches, manage threat intelligence sources, configure risk-based alerting, and maintain ES health and performance.

Learning Objectives

  • Configure data inputs and data models required by Splunk Enterprise Security
  • Create, tune, and manage correlation searches for threat detection
  • Configure and manage threat intelligence sources and lookups
  • Implement and tune risk-based alerting rules
  • Manage notable event configuration and suppression
  • Configure glass tables and executive security dashboards
  • Monitor and maintain Splunk Enterprise Security health
  • Implement ES best practices for SOC operations

Course Outline

ES Architecture and Configuration
  • ES architecture overview
  • Data models and CIM compliance
  • Configuring ES data inputs
Correlation Search Management
  • Correlation search framework
  • Creating and editing correlation searches
  • Tuning false positives and suppression
Threat Intelligence Management
  • Threat intelligence framework
  • Configuring threat intelligence sources
  • Managing IOC lookups
Risk-Based Alerting Administration
  • Risk factor configuration
  • Risk scoring and aggregation
  • Tuning risk-based alerting rules
ES Maintenance
  • Monitoring ES health
  • Performance tuning
  • Notable event management

Frequently Asked Questions

What does Administering Splunk Enterprise Security cover?

This 2-day course covers the administrator side of Splunk ES: configuring data inputs, creating and tuning correlation searches, managing threat intelligence, administering risk-based alerting, and maintaining ES performance.

Who should take this course?

This course is for SOC engineers and Splunk administrators who are responsible for configuring, maintaining, and tuning a Splunk Enterprise Security deployment.

Is Splunk administration experience required?

Yes. You should have completed Splunk Enterprise Administration (SP-ADM-FT or SP-SESA + SP-SEDA) before attending this course.

What certification does this course prepare me for?

This course prepares you for the Splunk Enterprise Security Certified Admin certification exam.

Is this course available as live remote online training?

Yes. IT Dojo offers this course as live remote online instruction. On-site delivery is also available.

How do I register?

IT Dojo training is employer sponsored. Contact IT Dojo via the Request Training form or call 757-216-3656.

Get More Information

We work with Government Agencies, Military, government contractors, and corporate clients. As much as we would love to, our business model does not include working with the general public.