Administering Splunk Enterprise SecurityASESSPSplunkSP-ASES8.1<p>To be successful, students must have completed the following Splunk Education course:
</p>
<ul>
<li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-uses"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Using Splunk Enterprise Security <span class="fl-prod-pcode">(USES)</span></a></span></li></ul><p>Students should also be familiar with the topics covered in the following courses:
</p>
<ul>
<li>Intro to Splunk</li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-suf"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Using Fields <span class="fl-prod-pcode">(SUF)</span></a></span></li><li>Visualizations</li><li>Search Under the Hood</li><li>Intro to Knowledge Objects</li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-cko"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Creating Knowledge Objects <span class="fl-prod-pcode">(CKO)</span></a></span></li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-cfe"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Creating Field Extractions <span class="fl-prod-pcode">(CFE)</span></a></span></li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-edl"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Enriching Data with Lookups <span class="fl-prod-pcode">(EDL)</span></a></span></li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-sdm"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Data Models <span class="fl-prod-pcode">(SDM)</span></a></span></li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-itd"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Introduction to Dashboards <span class="fl-prod-pcode">(ITD)</span></a></span></li><li><span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-sesa"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Splunk Enterprise System Administration <span class="fl-prod-pcode">(SESA)</span></a></span> AND <span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-seda"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Splunk Enterprise Data Administration <span class="fl-prod-pcode">(SEDA)</span></a></span> OR <span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/splunk-sca"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Splunk Cloud Administration <span class="fl-prod-pcode">(SCA)</span></a></span></li></ul><ul>
<li>SOC Analyst</li><li>SOC Engineer</li></ul><h5>Module 1 - Introduction to Enterprise Security</h5><ul>
<li>Explain the function of a SIEM</li><li>Give an overview of Splunk’s Enterprise Security (ES)</li><li>Describe detections and findings</li><li>Configure ES roles and permissions</li><li>Give an overview of ES navigation</li></ul><h5>Module 2 - Customizing the Analyst Queue and findings</h5><ul>
<li>Give an overview of the Analyst Queue</li><li>Create and use Analyst Queue Views</li><li>Customize the Analyst Queue</li><li>Modify Urgency</li><li>Create new Status values</li><li>Add fields to Finding attributes</li><li>Create ad hoc Findings</li><li>Suppress Findings</li></ul><h5>Module 3 - Working with Investigations</h5><ul>
<li>Give an overview of an investigation</li><li>Use and create Response Plans</li><li>Add Splunk events to an investigation</li><li>Use Playbooks and Actions</li></ul><h5>Module 4 - Asset & Identity Management</h5><ul>
<li>Review the Asset and Identity Management interface</li><li>Describe Asset and Identity KV Store collections</li><li>Configure and add asset and identity lookups to the interface</li><li>Configure settings and fields for asset and identity lookups</li><li>Explain the asset and identity merge process</li><li>Describe the process for retrieving LDAP data for an asset or identity lookup</li></ul><h5>Module 5 - Data Normalization</h5><ul>
<li>Understand how ES uses accelerated data models</li><li>Verify data is correctly configured for use in ES</li><li>Validate normalization configurations</li><li>Install additional add-ons</li><li>Ingest custom data in ES</li><li>Create an add-on for a custom sourcetype</li><li>Describe add-on troubleshooting</li></ul><h5>Module 6 - Detection Engineering</h5><ul>
<li>Give an overview of how to create Event-based detections</li><li>Review the Detection Editor</li><li>Give an overview of how to create Finding-based detections</li></ul><h5>Module 7 - Risk-Based Alerting</h5><ul>
<li>Give an overview of Risk-Based Alerting (RBA)</li><li>Explain risk scores and how they can be changed by detections or manually</li><li>Review the Risk analysis dashboard</li><li>Understand Finding-based detections</li><li>Describe annotations</li><li>View risk information in Analyst Queue findings</li></ul><h5>Module 8 - Managing Threat Intelligence</h5><ul>
<li>Understand and configure threat intelligence</li><li>Use the Threat Intelligence interface to configure threat lists</li><li>Configure new threat lists</li></ul><h5>Module 9 - Post-Deployment Configuration</h5><ul>
<li>Give an overview of general ES install requirements</li><li>Explain the different add-ons and where they are installed</li><li>Provide ES pre-installation requirements</li><li>Describe the Splunk_TA_ForIndexers app and where it is installed</li><li>Set general configuration options</li><li>Configure local and cloud domain information</li><li>Work with the Incident Review KV Store</li><li>Customize navigation</li><li>Configure Key Indicator searches</li></ul>To be successful, students must have completed the following Splunk Education course:
- Using Splunk Enterprise Security (USES)
Students should also be familiar with the topics covered in the following courses:
- Intro to Splunk
- Using Fields (SUF)
- Visualizations
- Search Under the Hood
- Intro to Knowledge Objects
- Creating Knowledge Objects (CKO)
- Creating Field Extractions (CFE)
- Enriching Data with Lookups (EDL)
- Data Models (SDM)
- Introduction to Dashboards (ITD)
- Splunk Enterprise System Administration (SESA) AND Splunk Enterprise Data Administration (SEDA) OR Splunk Cloud Administration (SCA)- SOC Analyst
- SOC EngineerModule 1 - Introduction to Enterprise Security
- Explain the function of a SIEM
- Give an overview of Splunk’s Enterprise Security (ES)
- Describe detections and findings
- Configure ES roles and permissions
- Give an overview of ES navigation
Module 2 - Customizing the Analyst Queue and findings
- Give an overview of the Analyst Queue
- Create and use Analyst Queue Views
- Customize the Analyst Queue
- Modify Urgency
- Create new Status values
- Add fields to Finding attributes
- Create ad hoc Findings
- Suppress Findings
Module 3 - Working with Investigations
- Give an overview of an investigation
- Use and create Response Plans
- Add Splunk events to an investigation
- Use Playbooks and Actions
Module 4 - Asset & Identity Management
- Review the Asset and Identity Management interface
- Describe Asset and Identity KV Store collections
- Configure and add asset and identity lookups to the interface
- Configure settings and fields for asset and identity lookups
- Explain the asset and identity merge process
- Describe the process for retrieving LDAP data for an asset or identity lookup
Module 5 - Data Normalization
- Understand how ES uses accelerated data models
- Verify data is correctly configured for use in ES
- Validate normalization configurations
- Install additional add-ons
- Ingest custom data in ES
- Create an add-on for a custom sourcetype
- Describe add-on troubleshooting
Module 6 - Detection Engineering
- Give an overview of how to create Event-based detections
- Review the Detection Editor
- Give an overview of how to create Finding-based detections
Module 7 - Risk-Based Alerting
- Give an overview of Risk-Based Alerting (RBA)
- Explain risk scores and how they can be changed by detections or manually
- Review the Risk analysis dashboard
- Understand Finding-based detections
- Describe annotations
- View risk information in Analyst Queue findings
Module 8 - Managing Threat Intelligence
- Understand and configure threat intelligence
- Use the Threat Intelligence interface to configure threat lists
- Configure new threat lists
Module 9 - Post-Deployment Configuration
- Give an overview of general ES install requirements
- Explain the different add-ons and where they are installed
- Provide ES pre-installation requirements
- Describe the Splunk_TA_ForIndexers app and where it is installed
- Set general configuration options
- Configure local and cloud domain information
- Work with the Incident Review KV Store
- Customize navigation
- Configure Key Indicator searches2 jours1500.001250.001500.001500.001500.001500.001500.001500.002070.001650.001500.001500.00150.00150.00150.00150.00150.00150.00150.00150.00150.00150.00