Résumé du cours
IMPORTANT: The Splunk Enterprise Security Admin Fast Start is suitable for learners with Splunk On-Prem installations.
This Fast Start series is a bundle of 2 key modules with 28 hours of content provided over four days. This Fast Start prepares you to earn the Splunk Enterprise Security Certified Admin certification.
This is a bundle of 2 key Courses:
Moyens d'évaluation :
- Quiz pré-formation de vérification des connaissances (si applicable)
- Évaluations formatives pendant la formation, à travers les travaux pratiques réalisés sur les labs à l’issue de chaque module, QCM, mises en situation…
- Complétion par chaque participant d’un questionnaire et/ou questionnaire de positionnement en amont et à l’issue de la formation pour validation de l’acquisition des compétences
A qui s'adresse cette formation
- This course is designed for security practitioners who want to use Splunk Enterprise Security (ES)
- The course is designed for architects and systems administrators who want to install and configure Splunk Enterprise Security (ES)
Certifications
Cette formation prépare à la/aux certifications:
Pré-requis
To be successful, students should have a solid understanding of the following courses:
or
- Intro to Splunk
- Using Fields
- Visualizations
- Search Under the Hood
- Introduction to Knowledge Objects
- Introduction to Dashboards
- Creating Knowledge Objects
- Creating Field Extractions
- Enriching Data with Lookups
- Data Models
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
Objectifs
This course in the bundle of Using Splunk Enterprise Security (USES) and Administering Splunk Enterprise Security (ASES). At the end of this fast track, you should be able to:
- Understand ES concepts, features, and capabilities
- Monitor security and investigate incidents
- Utilize risk-based alerting and conduct risk analysis
- Overview assets and identities
- Create investigations and utilize the Investigation Workbench
- Detect known types of threats
- Monitor for new types of threats
- Use analytical tools and dashboards
- Analyze user behavior for insider threats
- Employ threat intelligence tools
- Leverage protocol intelligence
- Provide an overview of Splunk Enterprise Security (ES)
- Customize ES dashboards
- Examine the ES Risk framework and Risk-based Alerting (RBA)
- Customize the Investigation Workbench
- Understand initial ES installation and configuration
- Manage data intake and normalization for ES
- Create and tune correlation searches
- Configure ES lookups
- Configure Assets & Identities and Threat Intelligence
Contenu
Module 1 - Getting Started with ES
- Describe the features and capabilities of Splunk Enterprise Security (ES)
- Explain how ES helps security practitioners prevent, detect, and respond to threats
- Describe correlation searches, data models and notable events
- Describe user roles in ES
- Log into Splunk Web and access Splunk for Enterprise Security
Module 2 - Security Monitoring and Incident Investigation
- Use the Security Posture dashboard to monitor ES status
- Use the Incident Review dashboard to investigate notable events
- Take ownership of an incident and move it through the investigation workflow
- Create notable events
- Suppress notable events
Module 3 – Risk-Based Alerting
- Give an overview of Risk-Based Alerting
- View Risk Notables and risk information on the Incident Review dashboard
- Explain risk scores and how to change an object's risk score
- Review the Risk Analysis dashboard
- Describe annotations
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 4 – Assets & Identities
- Give an overview of the ES Assets and Identities framework
- Show examples where asset or identity data is missing from ES dashboards or notable events
- View the Asset & Identity Management Interface
- View the contents of an asset or identity lookup table
Module 5 – Investigations
- Use investigations to manage incident response activity
- Use the investigation workbench to manage, visualize and coordinate incident investigations
- Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
- Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
Module 6 – Security Domain Dashboards
- Describe the ES security domains
- Use the Security Domain dashboards to troubleshoot various security threats
- Learn how to launch the Security Domain dashboards from Incidents Review and from a notable event Action menu
Module 7 – User Intelligence
- Understand and use user activity analysis
- Use investigators to analyze events related to an asset or identity
- Use access anomalies to detect suspicious access patterns
Module 8 – Web Intelligence
- Use the web intelligence dashboards to analyze your network environment
- Filter and highlight events
Module 9 – Threat Intelligence
- Give an overview of the Threat Intelligence framework and how threat intel is configured in ES
- Use the Threat Activity dashboard to see which threat sources are interacting with your environment
- Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment
Module 10 – Protocol Intelligence
- Explain how network data is input into Splunk events
- Describe stream events
- Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data
Module 11 – Introduction to ES
- Review how ES functions
- Understand how ES uses data models
- Describe correlation searches, adaptive response actions, and notable events
- Configure ES roles and permissions
Module 12 – Security Monitoring
- Customize the Security Posture and Incident Review dashboards
- Create ad hoc notable events
- Create notable event suppressions
Module 13 – Risk-Based Alerting
- Give an overview of Risk-Based Alerting (RBA)
- Explain risk scores and how they can be changed
- Review the Risk Analysis dashboard
- Describe annotations
- View Risk Notables and risk information
Module 14 – Incident Investigation
- Review the Investigations dashboard
- Customize the Investigation Workbench
- Manage investigations
Module 15 – Installation
- Give an overview of general ES install requirements
- Explain the different add-ons and where they are installed
- Provide ES pre-installation requirements
- Identify steps for downloading and installing ES
Module 16 – General Configuration
- Set general configuration options
- Configure local and cloud domain information
- Work with the Incident Review KV Store
- Customize navigation
- Configure Key Indicator searches
Module 17 – Validating ES Data
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
Module 18 – Custom Add-ons
- Ingest custom data in ES
- Create an add-on for a custom sourcetype
- Describe add-on troubleshooting
Module 19 – Tuning Correlation Searches
- Describe correlation search operation
- Customize correlation searches
- Describe numeric vs. conceptual thresholds
Module 20 – Creating Correlation Searches
- Create a custom correlation search
- Manage adaptive responses
- Export/import content
Module 21 – Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 22 – Managing Threat Intelligence
- Understand and configure threat intelligence
- Use the Threat Intelligence Management interface
- Configure new threat lists
Module 23 – Supplemental Apps
- Review apps to enhance the capabilities of ES including, Mission
- Control, SOAR, UBA, Cloud-based Streaming Analytics, PCI
- Compliance, Fraud Analytics, and Lookup File Editor
Français
Moyens Pédagogiques :