Using Splunk Enterprise SecurityUSESSPSplunkSP-USES8<p>To be successful, students should have a working understanding of the topics covered in the following Splunk courses:</p>
<ul>
<li>Intro to Splunk (eLearning)</li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/en/course/splunk-suf"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Using Fields <span class="fl-prod-pcode">(SUF)</span></a></span></li><li>Visualizations</li><li>Search Under the Hood</li><li>Intro to Knowledge Objects</li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/en/course/splunk-itd"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Introduction to Dashboards <span class="fl-prod-pcode">(ITD)</span></a></span></li></ul><p>SOC Analysts.</p><h5>Module 1 - ES Fundamentals</h5><ul>
<li>Explain the function of a SIEM</li><li>Give an overview of Splunk Enterprise Security (ES)</li><li>Understand how ES uses data models</li><li>Describe detections and findings</li><li>Identify ES roles and permissions</li><li>Give an overview of ES navigation</li></ul><h5>Module 2 - Exploring the Analyst Queue</h5><ul>
<li>Explore the Analyst Queue</li><li>Filtering</li><li>Triage Findings and Finding Groups</li><li>Create ad hoc Findings</li><li>Suppress Findings from the Analyst Queue</li></ul><h5>Module 3 - Working with Investigations</h5><ul>
<li>Give an overview of an investigation</li><li>Demonstrate how to create an investigation</li><li>Use Response Plans</li><li>Add Splunk events to an investigation</li><li>Use Playbooks and Actions</li></ul><h5>Module 4 - Risk-based Alerting</h5><ul>
<li>Give an overview of risk and Risk-Based Alerting (RBA)</li><li>Explain risk scores and how to change an entity's risk score</li><li>Review the Risk Analysis dashboard</li><li>Describe annotations</li><li>View risk information in Analyst Queue findings</li></ul><h5>Module 5 - Assets & Identities</h5><ul>
<li>Give an overview of the ES Assets and Identities (A&I) framework</li><li>Show where asset or identity data is missing from ES findings or dashboards</li><li>View the A&I Management Interface</li><li>View the contents of an asset or identity lookup table</li><li>Identify A&I field matching criteria</li></ul><h5>Module 6 - Adaptive Responses</h5><ul>
<li>Describe Adaptive Responses</li><li>Identify the default ES Adaptive Responses</li><li>Discuss Adaptive Response invocation methods</li><li>Troubleshoot Adaptive Response issues</li></ul><h5>Module 7 - Security Domain Dashboards</h5><ul>
<li>Use ES to inspect events containing information relevant to active or past incident investigation</li><li>Identify ES Security Domains</li><li>Use the Security Domain dashboards</li><li>Launch Security Domain dashboards from the Analyst Queue and from field action menus in search results</li></ul><h5>Module 8 - Intelligence Dashboards</h5><ul>
<li>Use the Web Intelligence dashboards to analyze your network environment</li><li>Filter and highlight events</li><li>Understand and use User Intelligence dashboards</li><li>Use Investigators to analyze events related to an asset or identity</li><li>Use Access Anomalies to detect suspicious access patterns</li></ul><h5>Module 9 - Threat Intelligence</h5><ul>
<li>Give an overview of the Threat Intelligence framework</li><li>Identify where Threat Intelligence is configured</li><li>Observe Threat Findings</li><li>View downloaded Threat Indicators</li><li>Troubleshooting Threat Intelligence</li></ul><h5>Module 10 - Protocol Intelligence</h5><ul>
<li>Explain how network data is input into Splunk events</li><li>Describe stream events</li><li>Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data</li></ul>To be successful, students should have a working understanding of the topics covered in the following Splunk courses:
- Intro to Splunk (eLearning)
- Using Fields (SUF)
- Visualizations
- Search Under the Hood
- Intro to Knowledge Objects
- Introduction to Dashboards (ITD)SOC Analysts.Module 1 - ES Fundamentals
- Explain the function of a SIEM
- Give an overview of Splunk Enterprise Security (ES)
- Understand how ES uses data models
- Describe detections and findings
- Identify ES roles and permissions
- Give an overview of ES navigation
Module 2 - Exploring the Analyst Queue
- Explore the Analyst Queue
- Filtering
- Triage Findings and Finding Groups
- Create ad hoc Findings
- Suppress Findings from the Analyst Queue
Module 3 - Working with Investigations
- Give an overview of an investigation
- Demonstrate how to create an investigation
- Use Response Plans
- Add Splunk events to an investigation
- Use Playbooks and Actions
Module 4 - Risk-based Alerting
- Give an overview of risk and Risk-Based Alerting (RBA)
- Explain risk scores and how to change an entity's risk score
- Review the Risk Analysis dashboard
- Describe annotations
- View risk information in Analyst Queue findings
Module 5 - Assets & Identities
- Give an overview of the ES Assets and Identities (A&I) framework
- Show where asset or identity data is missing from ES findings or dashboards
- View the A&I Management Interface
- View the contents of an asset or identity lookup table
- Identify A&I field matching criteria
Module 6 - Adaptive Responses
- Describe Adaptive Responses
- Identify the default ES Adaptive Responses
- Discuss Adaptive Response invocation methods
- Troubleshoot Adaptive Response issues
Module 7 - Security Domain Dashboards
- Use ES to inspect events containing information relevant to active or past incident investigation
- Identify ES Security Domains
- Use the Security Domain dashboards
- Launch Security Domain dashboards from the Analyst Queue and from field action menus in search results
Module 8 - Intelligence Dashboards
- Use the Web Intelligence dashboards to analyze your network environment
- Filter and highlight events
- Understand and use User Intelligence dashboards
- Use Investigators to analyze events related to an asset or identity
- Use Access Anomalies to detect suspicious access patterns
Module 9 - Threat Intelligence
- Give an overview of the Threat Intelligence framework
- Identify where Threat Intelligence is configured
- Observe Threat Findings
- View downloaded Threat Indicators
- Troubleshooting Threat Intelligence
Module 10 - Protocol Intelligence
- Explain how network data is input into Splunk events
- Describe stream events
- Give an overview of the Protocol Intelligence dashboards and how they can be used to analyze network data2 days1500.001250.001500.001500.001500.001500.001500.001500.001500.002070.001650.001500.00150.00150.00150.00150.00150.00150.00150.00150.00150.00150.00