Module 1 – Introduction to ES
- Review how ES functions
- Understand how ES uses data models
- Configure ES roles and permissions
Module 2 – Security Monitoring
- Customize the Security Posture and Incident Review dashboards
- Create ad hoc notable events
- Create notable event suppressions
Module 3 – Risk-Based Alerting
- Explain Risk-Based Alerting
- Explain risk scores
- Review the Risk Analysis dashboard
- Use annotations
Module 4 – Incident Investigation
- Review the Investigations dashboard
- Customize the Investigation Workbench
- Manage investigations
Module 5 – Installation
- Prepare a Splunk environment for installation
- Download and install ES on a search head
- Test a new install
- Post-install configuration tasks
Module 6 – Initial Configuration
- Set general configuration options
- Add external integrations
- Configure local domain information
- Customize navigation
- Configure Key Indicator searches
Module 7 – Validating ES Data
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
Module 8 – Custom Add-ons
- Design a new add-on for custom data
- Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches
- Configure correlation search scheduling and sensitivity
- Tune ES correlation searches
Module 10 – Creating Correlation Searches
- Create a custom correlation search
- Manage adaptive responses
- Export/Import content
Module 11 – Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 12 – Manage Threat Intelligence
- Understand and configure threat intelligence
- Use the Threat Intelligence Management interface to configure a new threat list