Using ES (UES) – Outline

Detailed Course Outline

Module 1 - Getting Started with ES

  • Provide an overview of Splunk for Enterprise Security (ES)
  • Identify the differences between traditional security threats and new adaptive threats
  • Describe correlation searches, data models and notable events
  • Describe user roles in ES
  • Log on to ES

Module 2 - Security Monitoring and Incident Investigation

  • Use the Security Posture dashboard to monitor enterprise security status
  • Use the Incident Review dashboard to investigate notable events
  • Take ownership of an incident and move it through the investigation workflow
  • Use adaptive response actions during incident investigation
  • Create notable events
  • Suppress notable events

Module 3 – Investigations

  • Use ES investigation timelines to manage, visualize and coordinate incident investigations
  • Use timelines and journals to document breach analysis and mitigation efforts

Module 4 – Forensic Investigation with ES

  • Investigate access domain events
  • Investigate endpoint domain events
  • Investigate network domain events
  • Investigate identity domain events

Module 5 – Risk and Network Analysis

  • Understand and use Risk Analysis
  • Use the Risk Analysis dashboard
  • Manage risk scores for objects or users

Module 6 – Web Intelligence

  • Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis, and Traffic Size Analysis to spot new threats
  • Filter and highlight events

Module 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards
  • Understand asset and identity concepts
  • Use the Asset Investigator to analyze events
  • Use the Identity Investigator to analyze events
  • Use the session center for identity resolution (UBA integration)

Module 8 – Threat Intelligence

  • Use the Threat Activity dashboard to analyze traffic to or from known malicious sites
  • Inspect the status of your threat intelligence content with the threat artifact dashboard

Module 9 - Protocol Intelligence

  • Describe Stream events data is input into Splunk events
  • Use ES predictive analytics to make forecasts and view trends

Module 10 – Glass Tables

  • Build glass tables to display security status information
  • Add glass table drilldown options
  • Create new key indicators for metrics on glass tables