• ES concepts
• Security monitoring and Incident investigation
• Assets and identities
• Detecting known types of threats
• Monitoring for new types of threats
• Using analytical tools
• Analyze user behavior for insider threats
• Use risk analysis and threat intelligence tools
• Use protocol intelligence and live stream data
• Use investigation timelines and journal tools
• Build glass tables to display security status

• Detect, identify, and investigate security related threats.
• Take ownership of incidents, and move through the investigation workflow.
• Use asset and identity investigator swim lanes to analyse security related events.
• Use advanced Threat network analysis reports to analyse your network environment.
• Detect suspicious user activity and access patterns.
• Understand the threat intelligence framework and use it to identify internal and external threats.
• Use ES protocol intelligence to analyse captured stream data.

Instructor-led lecture with labs. Delivered via virtual classroom or at your site.

• Splunk Fundamentals 1
• Splunk Fundamentals 2

Module 1 – Getting Started with ES

• Provide an overview of the Splunk App for Enterprise Security (ES)
• Identify the differences between traditional security threats and new adaptive threats
• Describe correlation searches, data models and notable events
• Describe user roles in ES
• Log on to ES

Module 2 – Security Monitoring and Incident Investigation

• Use the Security Posture dashboard to monitor enterprise security status
• Use the Incident Review dashboard to investigate notable events
• Take ownership of an incident and move it through the investigation workflow
• Use adaptive response actions during incident investigation
• Create notable events
• Suppress notable events

Module 3 – Investigation Timelines

• Using ES investigation timelines to manage, visualise and coordinate incident investigations
• Use timelines and journals to document breach analysis and mitigation efforts

Module 4 – Forensic Investigation with ES

• Investigate access domain events
• Investigate endpoint domain events
• Investigate network domain events
• Investigate identity domain events

Module 5 – Risk and Network Analysis

• Understand and use Risk analysis
• Use of Risk analysis Dashboard
• Assign risk scores

Module 6 – Web Intelligence

• Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis and Traffic Size Analysis to spot new threats
• Filter and highlight events

Module 7 – User Intelligence

• Evaluate the level of insider threat with the user activity and access anomaly dashboards
• Understand asset and identity concepts
• Use the Identity investigator to analyse events related to an identity
• Examine asset and identity lookup tables

Module 8 – Threat Intelligence

• Use the Threat Activity dashboard to analyse traffic to or from known malicious sites
• Inspect the status of your threat intelligence content with the threat artifact dashboard

Module 9 – Protocol Intelligence

• Use ES predictive analytics to make forecasts and view trends

Module 10 – Glass Tables

• Build glass tables to display security status information
• Create new key indicators for metrics on glass

Anyone whose role includes using the Splunk App for Enterprise Security. Previous attendees have included Pre-Sales Consultants, Security Sales Engineers, IT Security and Risk Analysts, Security Operations Centre (SOC) staff