A Splunk Certified Enterprise Security Admin manages a Splunk Enterprise Security environment, including ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations. This certification demonstrates an individual’s ability to install, configure, and manage a Splunk Enterprise Security deployment.
Please note: There are two approved coursework paths for this certification track. Candidates may complete either Splunk Enterprise System Administration and Splunk Enterprise Data Administration or Splunk Cloud Administration as part of this certification track. All courses are linked below for reference. These prerequisite courses are highly recommended, but not required for candidates to register for the certification exam.
Splunk Enterprise System Administration
This two-day virtual course is designed for system administrators who manage a Splunk Enterprise environment. Topics include the Splunk license manager, indexers and search heads, configuration, management, and monitoring.
Splunk Enterprise Data Administration
This three-day virtual course is for data administrators who are responsible for getting data into Splunk. The course covers Splunk forwarders and the methods for getting remote data into Splunk.
Splunk Cloud Administration
This three-day virtual course prepares administrators to manage users and get data into Splunk Cloud. Topics include data inputs and forwarder configuration, data management, user accounts, and basic monitoring.
Administering the Splunk App for Enterprise Security
This three-day virtual course prepares architects and system administrators to install, configure, and manage the Splunk App for Enterprise Security.
CERTIFICATION EXAM
It’s time to put your knowledge to the test.
Our Exam Registration Tutorial will guide you through the registration process and the Splunk Certification Exams Study Guide will guide your study efforts.
Good luck!
Course Objectives – Splunk Enterprise Data Administration
Module 1 – Introduction to Data Administration
Splunk overview
Identify Splunk data administrator role
Module 2 – Getting Data In – Staging
List the four phases of the Splunk data pipeline (input, parsing, indexing, search)
List Splunk input options
Describe the basic settings for an input
Module 3 – Configuring Forwarders
Understand the role of production Indexers and Forwarders
Understand the functionality of Universal Forwarders and Heavy Forwarders
Configure Forwarders
Identify additional Forwarder options
Module 4 – Forwarder Management
Explain the use of Forwarder Management
Describe Splunk Deployment Server
Manage forwarders using deployment apps
Configure deployment clients
Configure client groups
Monitor forwarder management activities
Module 5 – Monitor Inputs
Create file and directory monitor inputs
Use optional settings for monitor inputs
Deploy a remote monitor input
Module 6 – Network and Scripted Inputs
Create network (TCP and UDP) inputs
Describe optional settings for network inputs
Create a basic scripted input
Module 7 – Agentless Inputs
Identify Windows input types and uses
Understand additional options to get data into Splunk
HTTP Event Collector (HEC)
Splunk App for Stream
Module 8 – Fine Tuning Inputs
Understand the default processing that occurs during input phase
Configure input phase options, such as sourcetype fine-tuning and character set encoding
Module 9 – Parsing Phase and Data
Understand the default processing that occurs during parsing
Optimize and configure event line breaking
Explain how timestamps and time zones are extracted or assigned to events
Use Data Preview to validate event creation during the parsing phase
Module 10 – Manipulating Raw Data
Explain how data transformations are defined and invoked
Use transformations with props.conf and transforms.conf to:
Mask or delete raw data as it is being indexed
Override sourcetype or host based upon event values
Route events to specific indexes based on event content
Prevent unwanted events from being indexed
Use SEDCMD to modify raw data
Module 11 – Supporting Knowledge Objects
Create field extractions
Configure collections for KV Store
Manage Knowledge Object permissions
Control automatic field extraction
Module 12 – Creating a Diag
Identify the purpose and contents of a Splunk diag
Generate a Splunk diag
Course Objectives – Splunk Cloud Administration
Module 1 – Splunk Cloud Overview
Describe Cloud topology
Describe tasks managed by the Splunk cloud administrator
List the primary differences between Splunk Cloud and Splunk Enterprise
Module 2 – Index Management
Define a Splunk Index
Create indexes in cloud
Delete data from an index
Monitor indexing activities
Module 3 – User Authentication and Authorization
Administer Splunk user roles
Integrate Splunk with LDAP, Active Directory, or SAML
Enable Duo Security multi-factor authentication (MFA)
Module 4 – Getting Data in
List Splunk input options
Describe the basic settings for an input
Review Splunk configuration files
Use a test environment to verify data
Module 5 – Getting Data in Cloud
List Splunk forwarder types
Describe the role of forwarders
Configure a forwarder to Splunk Cloud
Test the forwarder connection
Describe optional forwarder settings
Module 6 – Forwarder Management
Describe Splunk Deployment Server
Explain the use of forwarder management
Configure forwarders to be deployment clients
Manage forwarders using deployment apps
Module 7 – Monitor Inputs
Describe the Splunk process for inputting data
Create file and directory monitor inputs
Use optional settings for monitor inputs
Module 8 – Network and Other Inputs
Create network (TCP and UDP) inputs
Create a basic scripted input
Describe optional settings for network inputs
Identify Windows input types and uses
Use the HTTP Event Collector (HEC) to get data into Splunk
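As an added worked example covering the monitor, network, scripted, Windows and HEC input objectives of both the Data Administration course (Modules 5 to 7) and the Cloud Administration course (Modules 7 and 8), and not taken from Splunk course material or from this page, the inputs.conf fragment below shows one stanza per input type with the settings a security team normally wants set explicitly. Paths, ports, index names, the token value and the script name are illustrative assumptions.

```ini
# inputs.conf -- assumed example stanzas, not shipped Splunk content.
# Each stanza names its sourcetype and index explicitly so the indexer never
# has to guess the sourcetype and events cannot land in the default index.

# File/directory monitor: recursive, with whitelist/blacklist regexes on the path.
[monitor:///var/log/nginx]
sourcetype = nginx:access
index = web
whitelist = \.log$
blacklist = \.gz$
ignoreOlderThan = 7d

# Network inputs. Prefer TCP: UDP syslog drops events silently under load.
# acceptFrom limits which senders may connect; connection_host = dns sets
# host from the sending system instead of the receiving Splunk instance.
[tcp://5514]
sourcetype = syslog
index = network
acceptFrom = 10.0.0.0/8
connection_host = dns

[udp://514]
sourcetype = syslog
index = network
acceptFrom = 10.0.0.0/8

# Scripted input: run check_certs.sh (hypothetical script) every 300 seconds
# and index whatever it writes to stdout.
[script://$SPLUNK_HOME/etc/apps/acme_inputs/bin/check_certs.sh]
interval = 300
sourcetype = acme:certcheck
index = security

# Windows Event Log input (only honoured on Windows forwarders).
# blacklist drops noisy event IDs before they leave the host.
[WinEventLog://Security]
disabled = 0
index = wineventlog
blacklist = 4662

# HTTP Event Collector: global settings, then one token per data source.
# "indexes" restricts which indexes a client holding this token may write to.
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://app_audit]
token = 11111111-2222-3333-4444-555555555555
index = app_audit
indexes = app_audit, app_debug
sourcetype = acme:audit
```

Check the merged result with `splunk btool inputs list --debug` before restarting, and confirm each new input with `index=<name> | stats count by sourcetype, host` so that host and sourcetype assignment are verified while the data is still small. Treat the HEC token like a credential: it is sent in clear by any client that ignores TLS, so keep enableSSL on and scope the token's indexes to the minimum.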
Module 9 – Fine-tuning Inputs
Describe the default processing that occurs during the input phase
Configure input phase options, such as sourcetype fine-tuning and character set encoding
Module 10 – Parsing Phase and Data Preview
Describe the default processing that occurs during parsing
Optimize and configure event line breaking
Explain how timestamps and time zones are extracted or assigned to events
Use Data Preview to validate event creation during the parsing phase
Module 11 – Manipulating Raw Data
Explain how data transformations are defined and invoked
Use transformations with props.conf and transforms.conf to modify raw data
Use SEDCMD to modify raw data
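As an added worked example for the "Manipulating Raw Data" modules of both courses above (Data Administration Module 10 and Cloud Administration Module 11), written for this page rather than taken from Splunk training material, the props.conf and transforms.conf fragments below apply each transformation the objectives list to a hypothetical "acme:syslog" sourcetype: masking with SEDCMD and with a capture-group transform, host and sourcetype overrides, index routing, and dropping events to nullQueue. The sourcetype, stanza names, regexes, index names and the sample line are assumptions chosen for illustration.

```ini
# props.conf -- assumed example. Parsing-time settings like these take effect on
# the first instance that parses the data (heavy forwarder or indexer), not on a
# universal forwarder.
[acme:syslog]
# SEDCMD rewrites _raw before indexing: blank out any password=<value> pair.
SEDCMD-mask_password = s/password=\S+/password=********/g
# TRANSFORMS classes run in ASCII order of the class name, and left to right
# within a class. The numeric prefixes make that order explicit:
# mask first, then metadata overrides, then routing and dropping.
TRANSFORMS-0_mask  = mask_card_number
TRANSFORMS-1_meta  = override_host_from_syslog, override_sourcetype_asa
TRANSFORMS-2_route = route_auth_failures_to_security, drop_debug_noise

# transforms.conf -- assumed example stanzas referenced above.

# Mask a 16-digit card number in _raw, keeping only the last four digits.
[mask_card_number]
REGEX = (.*card=)\d{12}(\d{4})
FORMAT = $1XXXXXXXXXXXX$2
DEST_KEY = _raw

# Override host from the syslog header instead of trusting the sender's host value.
# Constructed sample line:
#   Jan 10 10:15:01 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 51122 ssh2
[override_host_from_syslog]
REGEX = ^\w{3}\s+\d{1,2}\s[\d:]{8}\s(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1

# Override sourcetype for Cisco ASA messages arriving on the shared syslog input.
[override_sourcetype_asa]
REGEX = %ASA-\d-\d{6}:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa

# Route SSH authentication failures to the "security" index based on content.
[route_auth_failures_to_security]
REGEX = sshd\[\d+\]: Failed password
DEST_KEY = _MetaData:Index
FORMAT = security

# Prevent DEBUG chatter from being indexed at all (no license or disk cost).
[drop_debug_noise]
REGEX = \bDEBUG\b
DEST_KEY = queue
FORMAT = nullQueue
```

Before deploying, prove each REGEX against real events with `| rex` at search time, then confirm the merged configuration with `splunk btool props list acme:syslog --debug` and `splunk btool transforms list --debug`. Masking and nullQueue are irreversible: data dropped or rewritten at index time cannot be recovered by any later search, so test on a copy of the data first.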
Module 12 – Installing and Managing Apps
Describe self-service app installs vs. manual app installs
Provide steps to install apps
Describe how apps are managed
Module 13 – Working with Splunk Cloud Support
Isolate problems before contacting Splunk Cloud Support
Define the process for working with Splunk Cloud Support
Course Objectives – Administering the Splunk App for Enterprise Security
Module 1 – ES Introduction
Overview of ES features and concepts
Module 2 – Monitoring and Investigation
Security Posture
Incident Review
Notable events management
Module 3 – Security Intelligence
Overview of security intel tools
Module 4 – Forensics, Glass Tables and Navigation Control
Explore forensics dashboards
Examine glass tables
Configure navigation and dashboard permissions
Module 5 – ES Deployment
Identify deployment topologies
Examine the deployment checklist
Understand indexing strategy for ES
Understand ES Data Models
Module 6 – Installation and Configuration
Prepare a Splunk environment for installation
Download and install ES on a search head
Test a new install
Understand ES Splunk user accounts and roles
Post-install configuration tasks
Module 7 – Validating ES Data
Plan ES inputs
Configure technology add-ons
Module 8 – Custom Add-ons
Design a new add-on for custom data
Use the Add-on Builder to build a new add-on
Module 9 – Tuning Correlation Searches
Configure correlation search scheduling and sensitivity
Tune ES correlation searches
Module 10 – Creating Correlation Searches
Create a custom correlation search
Configure adaptive responses
Search export/import
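As an added worked example for Modules 9 and 10 above (tuning and creating correlation searches), assumed for this page rather than taken from Splunk's shipped ES content, the savedsearches.conf stanza below defines a custom correlation search that schedules a data-model search, throttles it per source, creates a notable event whose title and description embed field values with $fieldname$ tokens, and assigns risk. The search name, app, threshold, suppression period and risk score are illustrative assumptions; confirm the parameter names against a search exported from Content Management in your ES version.

```ini
# savedsearches.conf in a custom ES content app (assumed app name: DA-ESS-AcmeContent).
[Access - Excessive Failed Logins by Source - Rule]
# Scheduling: every 5 minutes over a one-hour window that ends 5 minutes ago,
# so late-arriving events are still counted before the window closes.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
# summariesonly=true keeps the search on accelerated data-model summaries,
# which is what makes a 5-minute schedule affordable.
search = | tstats summariesonly=true count as failures, values(Authentication.user) as user, dc(Authentication.dest) as dest_count \
  from datamodel=Authentication.Authentication \
  where Authentication.action="failure" by Authentication.src \
  | rename Authentication.src as src \
  | where failures > 20
# Mark this saved search as an ES correlation search.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Access - Excessive Failed Logins by Source
# Sensitivity: at most one notable per src per hour, not one per scheduled run.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 3600s
# Notable event. Result fields are referenced as $fieldname$ tokens.
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.rule_title = $failures$ failed logins from $src$
action.notable.param.rule_description = $src$ failed to authenticate $failures$ times against $dest_count$ hosts (users: $user$) in the last hour.
action.notable.param.drilldown_name = Show failed authentications from $src$
action.notable.param.drilldown_search = | from datamodel:"Authentication.Failed_Authentication" | search src="$src$"
# Risk: 40 points against the source system (single-object form; newer ES
# versions also accept a JSON list under action.risk.param._risk).
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 40
```

The same search built through Content Management and exported as an app is the cleanest way to check these keys; that export/import round trip is also how a tuned search is moved between a test and a production ES search head. When tuning, change one of threshold, window or suppression at a time and compare the notable count in Incident Review before and after.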
Module 11 – Lookups and Identity Management
Identify ES-specific lookups
Understand and configure lookup lists
Module 12 – Threat Intelligence Framework
Understand and configure threat intelligence
Configure user activity analysis
QUESTION 1
The Add-on Builder creates Splunk apps whose names start with what?
A. DA-
B. SA-
C. TA-
D. App-
Correct Answer: C
QUESTION 2
Which of the following are examples of sources for events in the endpoint security domain dashboards?
A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.
Correct Answer: C
QUESTION 3
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
A. $fieldname$
B. “fieldname”
C. %fieldname%
D. _fieldname_
Correct Answer: A