Tuning and Creating Correlation Searches in Splunk Enterprise Security
Learn to plan, design, develop, tune, and deploy correlation searches in Splunk Enterprise Security v6. Understand and manage ES-specific lookups as well as setting up the Asset and Identity framework for data enrichment and helping investigations.
What you'll learn
Splunk Enterprise Security uses correlation searches to provide visibility into security-related threats and vulnerabilities, and generates notable events to track identified threats. In this course, Tuning and Creating Correlation Searches in Splunk Enterprise Security, you will gain the ability to create and tune correlation searches in Splunk Enterprise Security. First, you will learn how to tune and customize available correlation searches in Splunk Enterprise Security as well as plan, create, and deploy custom correlation searches specific to your environment. Next, you will discover ES-specific lookups and learn how to create and customize them. Finally, you will explore how to setup and manage assets and identities in Splunk ES for data enrichment purposes. When you are finished with this course, you will have the skills and knowledge of tuning and creating correlation searches needed to administer the incident management, and assets and identity frameworks of Splunk Enterprise Security.
Table of contents
- Overview 1m
- Correlation Search Life-cycle 2m
- Components of a Correlation Search 8m
- Demo: Components of a Correlation Search 5m
- Demo: Dissecting Risk Analysis and Notable Response Actions 10m
- Demo: Cloning a Correlation Search and Adding Incident Review Attributes 6m
- Understanding Thresholds in Correlation Searches 3m
- Demo: Understanding Thresholds in Correlation Searches 4m
- Summary 2m
- Overview 3m
- Splunk ES-specific Lookups 4m
- Demo: Splunk ES-specific Lookups 10m
- Demo: Creating Search-driven Lookups in Splunk Enterprise Security 8m
- Introduction to Splunk ES Asset and Identity Framework 5m
- Demo: Adding Static Lookups to Asset and Identity Framework 11m
- Demo: Adding Dynamic Lookups to Asset and Identity Framework 12m
- Demo: Asset and Identity Investigator Dashboards 6m
- Summary 2m
About the author
Muhammad Awan is a Senior Splunk Admin in working in Public Sector. Has been associated with Splunk and data science related technologies for a decade. Splunk Certified Admin and Splunk Certified Power User. Microsoft Certified Solutions Exert and Microsoft Certified Solutions Associate (Office 365) MCSA (Messaging). Experience with Networks and Security technologies. He has been mentoring and teaching at various universities as a visiting faculty in the past. Loves to acquire new skills and dis... more