Curso Administering Splunk Enterprise Security Workshop


16 hours
Objective

After completing this Administering Splunk Enterprise Security Workshop course you will be able to:

  • Give an overview of Splunk Enterprise Security (ES)
  • Customize ES dashboards
  • Examine the ES risk framework and risk-based alerting (RBA)
  • Customize the investigation environment
  • Understand ES installation and initial configuration
  • Manage data onboarding and normalization for ES
  • Create and tune correlation searches
  • Configure ES searches
  • Configure assets and identities and threat intelligence
Target Audience
  • This Administering Splunk Enterprise Security Workshop course prepares architects and system administrators to install and configure Splunk Enterprise Security (ES).
Materials
English/Portuguese/Hands-on lab
Course Content

Introduction to ES

  1. Review how ES functions
  2. Understand how ES uses data models
  3. Describe correlation searches, adaptive response actions, and notable events
  4. Configure ES roles and permissions

Security Monitoring

  1. Customize the Security Posture and Incident Review dashboards
  2. Create ad hoc notable events
  3. Create notable event suppressions

Risk-Based Alerting

  1. Give an overview of Risk-Based Alerting (RBA)
  2. Explain risk scores and how they can be changed
  3. Review the Risk Analysis dashboard
  4. Describe annotations
  5. View Risk Notables and risk information

Incident Investigation

  1. Review the Investigations dashboard
  2. Customize the Investigation Workbench
  3. Manage investigations

Installation

  1. Give an overview of general ES install requirements
  2. Explain the different add-ons and where they are installed
  3. Provide ES pre-installation requirements
  4. Identify steps for downloading and installing ES

General Configuration

  1. Set general configuration options
  2. Configure local and cloud domain information
  3. Work with the Incident Review KV Store
  4. Customize navigation
  5. Configure Key Indicator searches

Validating ES Data

  1. Verify data is correctly configured for use in ES
  2. Validate normalization configurations
  3. Install additional add-ons

Custom Add-ons

  1. Ingest custom data in ES
  2. Create an add-on for a custom sourcetype
  3. Describe add-on troubleshooting

Tuning Correlation Searches

  1. Describe correlation search operation
  2. Customize correlation searches
  3. Describe numeric vs. conceptual thresholds

Creating Correlation Searches

  1. Create a custom correlation search
  2. Manage adaptive responses
  3. Export/import content
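As an added example (not material from the course or from Splunk's own content), the savedsearches.conf stanza below shows the shape of a custom ES correlation search of the kind the Tuning Correlation Searches and Creating Correlation Searches modules cover: a tstats search over the CIM Authentication data model, a numeric threshold, a notable-event adaptive response and a risk adaptive response for RBA, plus throttling. The stanza name, the threshold of 20, the risk score, the schedule and the file placement are assumptions chosen for illustration.

```ini
# Added example: a custom ES correlation search, as it would appear in a
# local/savedsearches.conf of the ES app or a custom DA-ESS add-on
# (placement and every name/value below are assumptions for illustration).
[Access - Excessive Failed Logins by Source - Rule]

# Mark the saved search as an ES correlation search so it appears in Content Management
action.correlationsearch.enabled = 1
action.correlationsearch.label = Excessive Failed Logins by Source

# Scheduling: run every 5 minutes over a lagged window so that data model
# acceleration has caught up before the window is searched
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m

# The search: CIM Authentication data model, failures grouped by source and user.
# summariesonly=true forces the accelerated summaries (verify the data model is
# accelerated, otherwise the search silently returns nothing).
# "where count > 20" is a numeric threshold; RBA moves the decision to an
# aggregated risk score instead (the conceptual threshold the Tuning module contrasts it with).
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user | rename Authentication.* as * | where count > 20

# Adaptive response 1: create a notable event in Incident Review
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$
action.notable.param.rule_description = $count$ failed logins from $src$ for user $user$ in the last hour
action.notable.param.security_domain = access
action.notable.param.severity = medium

# Adaptive response 2: write a risk event to the risk index for RBA
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 40

# Throttle: suppress repeated notables for the same source for 24 hours
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 24h
```

When tuning a search like this, the usual checks are that the data model it reads is accelerated and populated for the sourcetypes in scope, that the lagged time window matches the acceleration latency, and that the throttle field matches the field the notable is keyed on; a wrong field in alert.suppress.fields is the most common reason a search floods Incident Review.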

Asset & Identity Management

  1. Review the Asset and Identity Management interface
  2. Describe Asset and Identity KV Store collections
  3. Configure and add asset and identity lookups to the interface
  4. Configure settings and fields for asset and identity lookups
  5. Explain the asset and identity merge process
  6. Describe the process for retrieving LDAP data for an asset or identity lookup

Managing Threat Intelligence

  1. Understand and configure threat intelligence
  2. Use the Threat Intelligence Management interface
  3. Configure new threat lists

Supplemental Apps

  1. Review apps that enhance the capabilities of ES, including Mission Control, SOAR, UBA, cloud-based streaming analytics, PCI Compliance, Fraud Analytics, and Lookup File Editor