Using Splunk Enterprise Security (USES)

This 13.5-hour module prepares security practitioners to use Splunk Enterprise Security (ES). Students identify and track incidents, analyze security risks, use predictive analytics, and discover threats.

Retail Price: $1,500.00

Next Date: 05/30/2024

Course Days: 3

Course Objectives

  • ES concepts, features, and capabilities
  • Assets and identities
  • Security monitoring and incident investigation
  • Use risk-based alerting and risk analysis
  • Use investigation workbench, timelines, list and summary tools
  • Detecting known types of threats
  • Monitoring for new types of threats
  • Using analytical tools
  • Analyze user behavior for insider threats
  • Use threat intelligence tools
  • Use protocol intelligence and live stream data

Prerequisites

To be successful, students should have a solid understanding of the following modules:

  • Splunk Fundamentals 1 (Retired)
  • Splunk Fundamentals 2 (Retired)

Or the following single-subject modules:

  • What is Splunk? (WIS)
  • Intro to Splunk (ITS)
  • Using Fields (SUF)
  • Scheduling Reports & Alerts (SRA)
  • Visualizations (SVZ)
  • Leveraging Lookups and Subsearches (LLS)
  • Search Under the Hood (SUH)
  • Intro to Knowledge Objects (IKO)
  • Enriching Data with Lookups (EDL)
  • Data Models (SDM)
  • Introduction to Dashboards (ITD)

Outline: Using Splunk Enterprise Security (USES)

Topic 1 – Getting Started with ES

  • Describe the features and capabilities of Splunk Enterprise Security (ES)
  • Explain how ES helps security practitioners prevent, detect, and respond to threats
  • Describe correlation searches, data models, and notable events
  • Describe user roles in ES
  • Log into Splunk Web and access Splunk for Enterprise Security

Topic 2 – Security Monitoring and Incident Investigation

  • Use the Security Posture dashboard to monitor ES status
  • Use the Incident Review dashboard to investigate notable events
  • Take ownership of an incident and move it through the investigation workflow
  • Create notable events
  • Suppress notable events

Topic 3 – Risk-Based Alerting

  • Give an overview of Risk-Based Alerting
  • View Risk Notables and risk information on the Incident Review dashboard
  • Explain risk scores and how to change an object’s risk score
  • Review the Risk Analysis dashboard
  • Describe annotations
  • Describe the process for retrieving LDAP data for an asset or identity lookup

Topic 4 – Investigations

  • Use investigations to manage incident response activity
  • Use the Investigation Workbench to manage, visualize and coordinate incident investigations
  • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
  • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts

Topic 5 – Using Security Domain Dashboards

  • Use ES to inspect events containing information relevant to active or past incident investigation
  • Identify security domains in ES
  • Use ES security domain dashboards
  • Launch security domain dashboards from Incident Review and from action menus in search results

Topic 6 – Web Intelligence

  • Use the web intelligence dashboards to analyze your network environment
  • Filter and highlight events

Topic 7 – User Intelligence

  • Evaluate the level of insider threat with the user activity and access anomaly dashboards
  • Understand asset and identity concepts
  • Use the Asset and Identity Investigators to analyze events
  • Use the session center for identity resolution
  • Discuss Splunk User Behavior Analytics (UBA) integration

Topic 8 – Threat Intelligence

  • Give an overview of the Threat Intelligence framework and how threat intel is configured in ES
  • Use the Threat Activity dashboard to see which threat sources are interacting with your environment
  • Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment

Topic 9 – Protocol Intelligence

  • Explain how network data is input into Splunk events
  • Describe stream events
  • Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data

Course Dates                Course Times (EST)    Delivery Mode    GTR
5/30/2024 - 5/31/2024       9:00 AM - 5:00 PM     Virtual
7/29/2024 - 7/30/2024       9:00 AM - 5:00 PM     Virtual
10/14/2024 - 10/15/2024     9:00 AM - 5:00 PM     Virtual
11/21/2024 - 11/22/2024     10:00 AM - 6:00 PM    Virtual
12/19/2024 - 12/20/2024     9:00 AM - 5:00 PM     Virtual