Administering Splunk Enterprise Security

Duration: 2 Days (16 Hours)

Administering Splunk Enterprise Security Course Overview:

This course is designed to prepare architects and systems administrators for the installation and configuration of Splunk Enterprise Security (ES). It covers various aspects of ES, including event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, risk management, and customizing threat intelligence.

Intended Audience:

  • Splunk Architects: Individuals responsible for designing Splunk Enterprise Security (ES) implementations.
  • Systems Administrators: Professionals involved in the installation, configuration, and management of Splunk ES.
  • Security Practitioners: Those responsible for security monitoring, incident investigation, and risk management.
  • Splunk Administrators: Individuals managing Splunk environments and data sources.
  • Threat Intelligence Analysts: Professionals involved in configuring and managing threat intelligence in Splunk ES.
  • IT Professionals: Including those responsible for network and system security.
  • Anyone interested in becoming proficient in the deployment and configuration of Splunk Enterprise Security.

Learning Objectives of Administering Splunk Enterprise Security:

  • Overview of Splunk Enterprise Security (ES)
  • Customizing ES Dashboards
  • Examining the ES Risk Framework and Risk-based Alerting (RBA)
  • Customizing the Investigation Workbench
  • Initial ES Installation and Configuration
  • Managing Data Intake and Normalization for ES
  • Creating and Tuning Correlation Searches
  • Configuring ES Lookups
  • Configuring Assets & Identities
  • Configuring Threat Intelligence

Module 1: Introduction to ES

  • How ES functions
  • ES use of data models
  • Correlation searches, adaptive response actions, and notable events
  • Configuring ES roles and permissions

Module 2: Security Monitoring

  • Customizing Security Posture and Incident Review dashboards
  • Creating ad hoc notable events
  • Creating notable event suppressions

Module 3: Risk-Based Alerting

  • Overview of Risk-Based Alerting (RBA)
  • Changing risk scores
  • Risk Analysis dashboard
  • Annotations
  • Viewing Risk Notables and risk information

Module 4: Incident Investigation

  • Reviewing the Investigations dashboard
  • Customizing the Investigation Workbench
  • Managing investigations

Module 5: Installation

  • General ES installation requirements
  • Add-ons and their installation locations
  • ES pre-installation requirements
  • Steps for downloading and installing ES

Module 6: General Configuration

  • Setting general configuration options
  • Configuring local and cloud domain information
  • Working with the Incident Review KV Store
  • Customizing navigation
  • Configuring Key Indicator searches

Module 7: Validating ES Data

  • Verifying data configuration for ES
  • Validating normalization configurations
  • Installing additional add-ons

Module 8: Custom Add-ons

  • Ingesting custom data in ES
  • Creating an add-on for a custom sourcetype
  • Add-on troubleshooting

Module 9: Tuning Correlation Searches

  • Correlation search operation
  • Customizing correlation searches
  • Numeric vs. conceptual thresholds

Module 10: Creating Correlation Searches

  • Creating custom correlation searches
  • Managing adaptive responses
  • Exporting/importing content

Module 11: Asset & Identity Management

  • Reviewing the Asset and Identity Management interface
  • Asset and Identity KV Store collections
  • Configuring and adding asset and identity lookups to the interface
  • Configuring settings and fields for asset and identity lookups
  • Asset and identity merge process
  • Retrieving LDAP data for asset or identity lookup

Module 12: Managing Threat Intelligence

  • Configuring threat intelligence
  • Using the Threat Intelligence Management interface
  • Configuring new threat lists

Module 13: Supplemental Apps

  • Reviewing apps to enhance ES capabilities, including Mission Control, SOAR, UBA, Cloud-based Streaming Analytics, PCI Compliance, Fraud Analytics, and Lookup File Editor

Administering Splunk Enterprise Security Course Prerequisites:

To excel in this course, students should have a solid understanding of the following prerequisites:

  • Using Splunk Enterprise Security
  • What is Splunk?
  • Intro to Splunk
  • Using Fields
  • Introduction to Knowledge Objects
  • Creating Knowledge Objects
  • Creating Field Extractions
  • Enriching Data with Lookups
  • Data Models
  • Splunk Enterprise System Administration
  • Splunk Enterprise Data Administration

Discover the perfect fit for your learning journey

Choose Learning Modality

Live Online

  • Convenience
  • Cost-effective
  • Self-paced learning
  • Scalability


  • Interaction and collaboration
  • Networking opportunities
  • Real-time feedback
  • Personal attention


  • Familiar environment
  • Confidentiality
  • Team building
  • Immediate application

Training Exclusives

This course comes with the following benefits:

  • Practice labs
  • Training delivered by certified trainers
  • Access to the recordings of your class sessions for 90 days
  • Digital courseware
  • 24x7 learner support
