Administering Splunk Enterprise Security (ASES)

Module 1 - Introduction to Enterprise Security

Explain the function of a SIEM

Give an overview of Splunk™s Enterprise Security (ES)

Describe detections and findings

Configure ES roles and permissions

Give an overview of ES navigation\nModule 2 - Customizing the Analyst Queue and findings

Give an overview of the Analyst Queue

Create and use Analyst Queue Views

Customize the Analyst Queue

Modify Urgency

Create new Status values

Add fields to Finding attributes

Create ad hoc Findings

Suppress Findings\nModule 3 - Working with Investigations

Give an overview of an investigation

Use and create Response Plans

Add Splunk events to an investigation

Use Playbooks and Actions\nModule 4 - Asset & Identity Management

Review the Asset and Identity Management interface

Describe Asset and Identity KV Store collections

Configure and add asset and identity lookups to the interface

Configure settings and fields for asset and identity lookups

Explain the asset and identity merge process

Describe the process for retrieving LDAP data for an asset or identity lookup\nModule 5 - Data Normalization

Understand how ES uses accelerated data models

Verify data is correctly configured for use in ES

Validate normalization configurations

Install additional add-ons

Ingest custom data in ES

Create an add-on for a custom sourcetype

Describe add-on troubleshooting\nModule 6 - Detection Engineering

Give an overview of how to create Event-based detections

Review the Detection Editor

Give an overview of how to create Finding-based detections\nModule 7 - Risk-Based Alerting

Give an overview of Risk-Based Alerting (RBA)

Explain risk scores and how they can be changed by detections or manually

Review the Risk analysis dashboard

Understand Finding-based detections

Describe annotations

View risk information in Analyst Queue findings\nModule 8 - Managing Threat Intelligence

Understand and configure threat intelligence

Use the Threat Intelligence interface to configure threat lists

Configure new threat lists\nModule 9 - Post-Deployment Configuration

• Give an overview of general ES install requirements
• Explain the different add-ons and where they are installed
• Provide ES pre-installation requirements
• Describe the Splunk_TA_ForIndexers app and where it is installed
• Set general configuration options
• Configure local and cloud domain information
• Work with the Incident Review KV Store
• Customize navigation
• Configure Key Indicator searches

To be successful, students must have completed the following Splunk Education course:\n\n\n\n- Using Splunk Enterprise Security (USES)\nStudents should also be familiar with the topics covered in the following courses:\n\n\n\n- Intro to Splunk\n- Using Fields (SUF)\n- Visualizations\n- Search Under the Hood\n- Intro to Knowledge Objects\n- Creating Knowledge Objects (CKO)\n- Creating Field Extractions (CFE)\n- Enriching Data with Lookups (EDL)\n- Data Models (SDM)\n- Introduction to Dashboards (ITD)\n- Splunk Enterprise System Administration (SESA) AND Splunk Enterprise Data Administration (SEDA) OR Splunk Cloud Administration (SCA)

- SOC Analyst\n- SOC Engineer