Using Splunk Enterprise Security

Struktura kurzu

Tato část není lokalizována

Module 1 – Getting Started with ES

• Describe the features and capabilities of Splunk Enterprise Security (ES)
• Explain how ES helps security practioners prevent, detect, and respond to threats
• Describe correlation searches, data models and notable events
• Describe user roles in ES
• Log into Splunk Web and access Splunk for Enterprise Security

Module 2 – Security Monitoring and Incident Investigation

• Use the Security Posture dashboard to monitor ES status
• Use the Incident Review dashboard to investigate notable events
• Take ownership of an incident and move it through the investigation workflow
• Use adaptive response actions during incident investigation
• Create notable events
• Suppress notable events

Module 3 –  Risk-Based Alerting

• Give an overview of Risk-Based Alerting
• View Risk Notables and risk information on the Incident Review dashboard
• Explain risk scores and how to change an object’s risk score
• Review the Risk Analysis dashboard
• Describe annotations
• Describe the process for retrieving LDAP data for an asset or indentify lookup

Module 4 – Investigations

• Use investigations to manage incident response activity
• Use the investigation Workbench to manage, visualize and coordinate incident investigations
• Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
• Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts

Module 5 – Using Security Domain Dashboard

• Use ES to inspect events containing information relevant to active or past incident investigation
• Identify security domains in ES
• Use ES security domain dashboards
• Launch security domain dashboards from incident Review and from action menus in search results

Module 6 – Web Intelligence

• Use the web intelligence dashboards to analyze your network environment
• Filter ad highlight events

Module 7 – User Intelligence

• Evaluate the level of insider threat with the user activity and access anomaly dashboards
• Understand asset and identity concepts
• Use the Asset and identify Investigator to analyze events
• Use the session center for identity resolution
• Discuss Splunk User Behavior Analytics (UBA) integration

Module 8 – Threat Intelligence

• Give an overview of the Threat Intelligence framework abd how threat intel is configured in ES
• Use the Threat Activity dashboard to see which threat sources are interacting with your environment
• Use the Threat Artifacts dashboard to examine the status of threat intelligence information in your environment

Module 9 – Protocol Intelligence

• Explain how network data is input into Splunk events
• Describe Stream events
• Give an overview of the Protocol intelligence dashboards and how they can be used to analyze network data