About me

Currently studying Computer Science at the University of Ontario Institute of Technology (UOIT).

Experienced as an IT professional in networking and information security with a passion for software development.

My interests:

  • Product development, building scalable, resilient applications, software sales
  • Automation for build management and operations
  • Sampling & statistical significance for research (EDA, market segmentation, machine learning)
  • Databases

    Development: Android, C++, Java, Python (60)
    IT: Active Directory, Batch, Git, PowerShell, Windows, Linux, VMs, Exchange (90)
    Databases: SQL, MS SQL Server, PostgreSQL, AWS Parse Server, Database Design, Data Mining, Machine Learning (50)
    Security & Networking: SIEM tools, Database security, Log analytics, Event detection, Firewall approvals, SOP drafting, vulnerability scan assessments, patch management (50)
    Web: HTML5, CSS, Bootstrap, AJAX, JSON, XML, XPATH, XSLT, XQuery (70)
    100% Motivation.

    Please stay tuned for project updates

    4 LinkedIn Recommendations
    18 Projects
    7 Independent Courses

    My work

    I have worked on dozens of projects, so I have picked only the latest to showcase my skills and interests. More projects will be posted shortly.

    Apriori Technique

    Market Basket Analysis: Retail

    Market-basket data originated with retail data, specifically grocery stores, where a market basket is a set of items purchased together. The task was to conduct market-basket analysis by implementing the Apriori algorithm. The goal was to find all frequent itemsets.

    Standard brute-force implementations cannot handle large datasets because of their memory usage. The goal of this project was to be able to process larger datasets. The dataset contained 88,162 transactions.

    Key Features:

  • Tools: Python, Notepad++, Spyder
  • Files: retail.dat
  • Total Transactions: 88,162
  • Data processed with baskets in increments of 10,000 transactions
  • This program returned all frequent itemsets with various support thresholds
  • Code available upon request.

    Data Mining: Frequent Itemsets

    Market Basket Analysis: Movies

    The task was to conduct market-basket analysis by implementing a frequent-itemsets algorithm. The goal was to find frequent pairs and triples of elements.

    A standard brute-force implementation was written in Python for a movie dataset with 1,382 transactions.

    Key Features:

  • Tools: Atom, Python, Spyder
  • Files: movies.dat, movies.info
  • Total Transactions: 1,382
  • Brute-force frequent itemset finder
  • This program returned all doubles and triples with a support threshold of at least 3% of the file
  • Code available upon request.

    Prediction: Using R

    K-Nearest-Neighbors: kNN

    K-nearest-neighbors (KNN) is an algorithm that stores all available cases and classifies new cases based on a similarity measure.

    I created a classifier for a Schoolkids dataset using k-nearest-neighbors (kNN), taking into account different features to predict student goals.

    Key Features:

  • Tools: Excel, R, RStudio
  • Files: SchoolkidsTest.csv, SchoolkidsTrain.csv
  • "SchoolkidsTest" contained 20 rows extracted from the original data and "SchoolkidsTrain" contained the rest
  • Predicted each student's goal using 8 features in the data
  • Experimented with different values of k (k = 3, ..., 10) to report accuracy, and tested different subsets to test predictions
  • Normalized data from 0 to 1 for numerical values and used Euclidean and Hamming distance for categorical data
  • Code available upon request.

    Certifications

    Independent coursework outside of undergrad

    Splunk

    Using Enterprise Security

    This 13.5-hour course prepares security practitioners to use Splunk Enterprise Security (ES). Use ES to identify and track security incidents, analyze security risks, apply predictive analytics, and discover threats.

    Course Topics

    • ES concepts
    • Security monitoring and Incident investigation
    • Assets and identities
    • Detecting known types of threats
    • Monitoring for new types of threats
    • Using analytical tools
    • Analyze user behavior for insider threats
    • Use risk analysis and threat intelligence tools
    • Use protocol intelligence and live stream data
    • Use investigation timelines and journal tools
    • Build glass tables to display security status

    Course Objectives

    Module 1 - Getting Started with ES

    • Provide an overview of the Splunk App for Enterprise Security (ES)
    • Identify the differences between traditional security threats and new adaptive threats
    • Describe correlation searches, data models and notable events
    • Describe user roles in ES
    • Log on to ES

    Module 2 - Security Monitoring and Incident Investigation

    • Use the Security Posture dashboard to monitor enterprise security status
    • Use the Incident Review dashboard to investigate notable events
    • Take ownership of an incident and move it through the investigation workflow
    • Use adaptive response actions during incident investigation
    • Create notable events
    • Suppress notable events

    Module 3 - Investigation Timelines

    • Use ES investigation timelines to manage, visualize and coordinate incident investigations
    • Use timelines and journals to document breach analysis and mitigation efforts

    Module 4 - Forensic Investigation with ES

    • Investigate access domain events
    • Investigate endpoint domain events
    • Investigate network domain events
    • Investigate identity domain events

    Module 5 - Risk and Network Analysis

    • Understand and use Risk Analysis
    • Use the Risk Analysis dashboard
    • Assign risk scores

    Module 6 - Web Intelligence

    • Use HTTP Category Analysis, HTTP User Agent Analysis, New Domain Analysis, and Traffic Size Analysis to spot new threats
    • Filter and highlight events

    Module 7 - User Intelligence

    • Evaluate the level of insider threat with the user activity and access anomaly dashboards
    • Understand asset and identity concepts
    • Use the Asset Investigator to analyze events related to an asset
    • Use the Identity Investigator to analyze events related to an identity
    • Examine asset and identity lookup tables

    Module 8 - Threat Intelligence

    • Use the Threat Activity dashboard to analyze traffic to or from known malicious sites
    • Inspect the status of your threat intelligence content with the threat artifact dashboard

    Module 9 - Protocol Intelligence

    • Use ES predictive analytics to make forecasts and view trends

    Module 10 - Glass Tables

    • Build glass tables to display security status information
    • Create new key indicators for metrics on glass tables

    Course website

    Splunk

    Advanced Dashboards and Visualizations

    This nine-hour course is designed for power users who want to create complex dashboards, forms, and visualizations. Its emphasis is on editing simple XML to create dashboards that use tokens, post-process searches, dynamic drilldowns, and custom stylesheets. Students also use custom JavaScript to add advanced visualizations and behaviors to dashboards.

    Course Topics

    • Prototyping
    • Using Tokens
    • Improving Performance
    • Customizing Views
    • Using Event Handlers
    • Adding Simple XML Extensions

    Course Objectives

    Module 1 - Creating a Prototype

    • Define the simple XML syntax
    • Use best practices for creating views
    • Identify primary transforming commands
    • Troubleshoot a view

    Module 2 - Using Tokens

    • Explain how tokens work
    • Define types of token filters
    • Use tokens with form inputs
    • Create cascading inputs

    Module 3 - Improving Performance

    • Identify methods to improve performance
    • Improve search efficiency
    • Accelerate searches
    • Use tstats with global searches

    Module 4 - Customizing Dashboards

    • Customize chart colors
    • Set panel refresh and delay times
    • Disable search features

    Module 5 - Using Event Handlers

    • Identify types of event handlers
    • Name event actions
    • Use conditional matching
    • Create dynamic drilldowns

    Module 6 - Adding Advanced Visualizations & Behaviors

    • Use simple XML extensions
    • Identify types of search managers
    • Define Splunk custom visualizations
    • Troubleshoot simple XML extensions

    Course website

    Splunk

    Administration

    This 20-hour course prepares system administrators to configure and manage Splunk. Topics include installation, configuring data inputs and forwarders, data management, user accounts, licenses, and troubleshooting and monitoring. The focus in this class is the knowledge, best practices, and configuration details for Splunk administration in a medium to large distributed deployment environment.

    Course Topics

    • Installation
    • License management
    • Managing Splunk apps
    • Splunk configuration files
    • Splunk index management
    • Users, roles, and authentication
    • Universal forwarder
    • Forwarder management
    • Data inputs in detail
    • Event Parsing with data preview
    • Manipulating raw data
    • Supporting knowledge objects
    • Distributed search
    • Basic performance tuning
    • Problem isolation overview
    • Introduction to large-scale Splunk deployment

    Course Modules

    Setting up a Splunk Enterprise Environment

    • Module 1 - Setting up Splunk
    • Module 2 - License management
    • Module 3 - Splunk apps
    • Module 4 - Splunk configuration files
    • Module 5 - Splunk index management
    • Module 6 - Users, roles, and authentication

    Building a Basic Production Environment

    • Module 7 - Universal forwarder
    • Module 8 - Forwarder management

    Splunk Inputs

    • Module 9 - Getting data in
    • Module 10 - Monitor inputs
    • Module 11 - Network and scripted inputs
    • Module 12 - Windows and agentless inputs
    • Module 13 - Fine-tuning Inputs

    Parsing and Searching

    • Module 14 - Parsing phase and data preview
    • Module 15 - Manipulating raw data
    • Module 16 - Supporting knowledge objects
    • Module 17 - Distributed search

    Splunk Resource Management

    • Module 18 - Basic performance tuning
    • Module 19 - Problem isolation overview
    • Module 20 - Introduction to large-scale deployment

    Course website

    Splunk

    Architecting and Deploying Splunk

    This nine-hour course focuses on large enterprise deployments. It covers best practices for planning, data collection and sizing for a distributed deployment. Workshop-style labs challenge students to make design decisions about an example enterprise deployment.

    Course Topics

    • Requirements definition
    • Index and infrastructure planning
    • Data collection
    • Forwarders
    • Managing Deployments
    • Data comprehension
    • Search considerations
    • Operations and management

    Course Objectives

      Module 1 - Introduction

      • Overview of the Splunk deployment planning process and associated tools

      Module 2 - Initial Requirements Definition

      • Identify critical information about environment, volume, users, and requirements
      • Review checklists and resources to aid in collecting requirements

      Module 3 - Apps and Index Design

      • Design and size indexes
      • Plan app deployment

      Module 4 - Infrastructure

      • Learn sizing factors for servers
      • Understand how reference hardware is used to scale deployments
      • Identify the impact of clustering for index replication and for search heads
      • Identify best practices for authentication, authorization and access control

      Module 5 - Data Collection

      • Compare agent-based and agentless data collection methods
      • Discuss data inputs
      • Compare remote collection methods

      Module 6 - Forwarders and Deployment Management

      • Review types of forwarders
      • Understand how to manage forwarder installation
      • Understand configuration management for all Splunk components, using Splunk deployment tools

      Module 7 - Data Comprehension and Enrichment

      • Identify the six things you must get correct at index time
      • Discuss Common Information Model
      • Discuss Data Models and data model design
      • Discuss data enrichment, including lookups and KV Store

      Module 8 - Search Considerations

      • Discuss search performance
      • Discuss differences between summarization methods

      Module 9 - Integration

      • Describe integration methods
      • Identify common integration points

      Module 10 - Operations and Management

      • Identify ongoing tasks in a Splunk deployment
      • Identify backup and archiving methods
      • Discuss onboarding processes
      • Review monitoring tools and apps

      Course website

    Splunk

    Analytics and Data Science

    This course covers implementing analytics and data science projects using Splunk's statistics, machine learning, built-in and custom visualization capabilities.

    Course Topics

    • Analytics Framework
    • Exploratory Data Analysis
    • Machine Learning
    • Using Algorithms to Build Models
    • Market Segmentation
    • Transactional Analysis
    • Anomaly Detection
    • Estimation and Prediction
    • Classification

    Course Objectives

    Module 1 - Analytics Framework

    • Define terms related to analytics and data science
    • Describe the framework for multi-departmental analytics projects
    • Identify analytics project best practices
    • Identify common use cases

    Module 2 - Exploratory Data Analysis

    • Define exploratory data analysis
    • Describe Splunk exploratory data analysis solutions

    Module 3 - Machine Learning Workflow

    • Define some concepts and terms associated with machine learning
    • Describe the machine learning workflow
    • Split data for training and testing models
    • Use Machine Learning Toolkit Showcases and Assistants

    Module 4 - Using Algorithms to Build Models

    • Use Machine Learning Toolkit commands and features
    • Use and compare algorithms
    • Refine models

    Module 5 - Market Segmentation and Transactional Analysis

    • Describe market segmentation and transactional analysis
    • Define use cases and solutions

    Module 6 - Anomaly Detection

    • Define anomaly detection
    • Identify anomaly detection use cases
    • Describe Splunk anomaly detection solutions

    Module 7 - Estimation and Prediction

    • Define estimation and prediction
    • Identify estimation and prediction use cases
    • Describe Splunk estimation and prediction solutions

    Module 8 - Classification

    • Define key classification terms
    • Evaluate classifier results

    Course website