Using Splunk Enterprise Security (USES)

Ziele der Schulung

This 13.5-hour instructor-led course prepares SOC Analysts to use Splunk Enterprise Security (ES).Students identify and track incidents, analyze security risks, use predictive analytics, and discover threats.

Please note that this course may run over three days, with 4.5 hour sessions each day.

Module 1 - ES Fundamentals

• Explain the function of a SIEM
• Give an overview of Splunk Enterprise Security (ES)
• Understand how ES uses data models
• Describe detections and findings
• Identify ES roles and permissions
• Give an overview of ES navigation

Module 2 - Exploring the Analyst Queue

• Explore the Analyst Queue
• Filtering
• Triage Findings and Finding Groups
• Create ad hoc Findings
• Suppress Findings from the Analyst Queue

Module 3 - Working with Investigations

• Give an overview of an investigation
• Demonstrate how to create an investigation
• Use Response Plans
• Add Splunk events to an investigation
• Use Playbooks and Actions

Module 4 - Risk-based Alerting

• Give an overview of risk and Risk-Based Alerting (RBA)
• Explain risk scores and how to change an entity's risk score
• Review the Risk Analysis dashboard
• Describe annotations
• View risk information in Analyst Queue findings

Module 5 - Assets & Identities

• Give an overview of the ES Assets and Identities (A&I) framework
• Show where asset or identity data is missing from ES findings or dashboards
• View the A&I Management Interface
• View the contents of an asset or identity lookup table
• Identify A&I field matching criteria

Module 6 - Adaptive Responses

• Describe Adaptive Responses
• Identify the default ES Adaptive Responses
• Discuss Adaptive Response invocation methods
• Troubleshoot Adaptive Response issues

Module 7 - Security Domain Dashboards

• Use ES to inspect events containing information relevant to active or past incident investigation
• Identify ES Security Domains
• Use the Security Domain dashboards
• Launch Security Domain dashboards from the Analyst Queue and from field action menus in search results

Module 8 - Intelligence Dashboards

• Use the Web Intelligence dashboards to analyze your network environment
• Filter and highlight events
• Understand and use User Intelligence dashboards
• Use Investigators to analyze events related to an asset or identity
• Use Access Anomalies to detect suspicious access patterns

Module 9 - Threat Intelligence

• Give an overview of the Threat Intelligence framework
• Identify where Threat Intelligence is configured
• Observe Threat Findings
• View downloaded Threat Indicators
• Troubleshooting Threat Intelligence

Module 10 - Protocol Intelligence

• Explain how network data is input into Splunk events
• Describe stream events
• Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data

Zielgruppe Seminar

• Splunk administrators.

Voraussetzungen

To be successful, students should have a working understanding of the topics covered in the following Splunk courses:

• Intro to Splunk (eLearning)
• Using Fields (SUF)
• Visualizations
• Search Under the Hood
• Intro to Knowledge Objects
• Introduction to Dashboards (ITD)

Seminarinhalt

Module 1 - Getting Started with ES

• Describe the features and capabilities of Splunk Enterprise Security (ES)
• Explain how ES helps security practitioners prevent, detect, and respond to threats
• Describe correlation searches, data models, and notable events
• Describe user roles in ES
• Log into Splunk Web and access Splunk for Enterprise Security

Module 2 - Security Monitoring and Incident Investigation

• Use the Security Posture dashboard to monitor ES status
• Use the Incident Review dashboard to investigate notable events
• Take ownership of an incident and move it through the investigation workflow
• Create notable events
• Suppress notable events

Module 3 – Risk-Based Alerting

• Give an overview of Risk-Based Alerting
• View Risk Notables and risk information on the Incident Review dashboard
• Explain risk scores and how to change an object's risk score
• Review the Risk Analysis dashboard
• Describe annotations
• Describe the process for retrieving LDAP data for an asset or identity lookup

Module 4 – Assets & Identities

• Give an overview of the ES Assets and Identities framework
• Show examples where asset or identity data is missing from ES dashboards or notable events
• View the Asset & Identity Management Interface
• View the contents of an asset or identity lookup table

Module 5 – Investigations

• Use investigations to manage incident response activity
• Use the investigation workbench to manage, visualize, and coordinate incident investigations
• Add various items to investigations (notes, action history, collaborators, events, assets, identities, files, and URLs)
• Use investigation timelines, lists, and summaries to document and review breach analysis and mitigation efforts

Module 6 – Security Domain Dashboards

• Describe the ES security domains
• Use the Security Domain dashboards to troubleshoot various security threats
• Learn how to launch the Security Domain dashboards from Incidents Review and from a notable event Action menu

Module 7 – User Intelligence

• Understand and use user activity analysis
• Use investigators to analyze events related to an asset or identity
• Use access anomalies to detect suspicious access patterns

Module 8 – Web Intelligence

• Use the web intelligence dashboards to analyze your network environment
• Filter and highlight events

Module 9 – Threat Intelligence

• Give an overview of the Threat Intelligence framework and how threat intel is configured in ES
• Use the Threat Activity dashboard to see which threat sources are interacting with your environment
• Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment

Module 10 – Protocol Intelligence

• Explain how network data is input into Splunk events
• Describe stream events
• Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data

Hinweise

Partner

Dieses Seminar bieten wir in Kooperation mit unserem Splunk Learning Partner Fast Lane Institute for Knowledge Transfer GmbH an.

Open Badge für dieses Seminar - Ihr digitaler Kompetenznachweis

Durch die erfolgreiche Teilnahme an einem Kurs bei IT-Schulungen.com erhalten Sie zusätzlich zu Ihrem Teilnehmerzertifikat ein digitales Open Badge (Zertifikat) – Ihren modernen Nachweis für erworbene Kompetenzen.

Ihr Open Badge ist jederzeit in Ihrem persönlichen und kostenfreien Mein IT-Schulungen.com-Konto verfügbar. Mit wenigen Klicks können Sie diesen digitalen Nachweis in sozialen Netzwerken teilen, um Ihre Expertise sichtbar zu machen und Ihr berufliches Profil gezielt zu stärken.

Übersicht: Splunk Schulungen Portfolio

Mehr zu den Vorteilen von Badges

Gesicherte Kurstermine

Seminare kurz vor der Durchführung