Administering Splunk Enterprise Security (SP-ASES)|System Source

The course covers ES event processing and normalization, deployment requirements, technology add-ons, dashboard dependencies, data models, managing risk, and customizing threat intelligence.


12/04/25 - FLV - Virtual-Instructor Led - Virtual Instructor-Led	(click to enroll)

Provide an overview of Splunk Enterprise Security (ES)
Customize ES dashboards
Examine the ES Risk framework and Risk-based Alerting (RBA)
Customize the Investigation Workbench
Understand initial ES installation and configuration
Manage data intake and normalization for ES
Create and tune correlation searches
Configure ES lookups
Configure Assets & Identities and Threat Intelligence

Module 1 – Introduction to ES

Review how ES functions
Understand how ES uses data models
Describe correlation searches, adaptive response actions, and notable events
Configure ES roles and permissions

Module 2 – Security Monitoring

Customize the Security Posture and Incident Review dashboards
Create ad hoc notable events
Create notable event suppressions

Module 3 – Risk-Based Alerting

Give an overview of Risk-Based Alerting (RBA)
Explain risk scores and how they can be changed
Review the Risk Analysis dashboard
Describe annotations
View Risk Notables and risk information

Module 4 – Incident Investigation

Review the Investigations dashboard
Customize the Investigation Workbench
Manage investigations

Module 5 – Installation

Give an overview of general ES install requirements
Explain the different add-ons and where they are installed
Provide ES pre-installation requirements
Identify steps for downloading and installing ES

Module 6 – General Configuration

Set general configuration options
Configure local and cloud domain information
Work with the Incident Review KV Store
Customize navigation
Configure Key Indicator searches

Module 7 – Validating ES Data

Verify data is correctly configured for use in ES
Validate normalization configurations
Install additional add-ons

Module 8 – Custom Add-ons

Ingest custom data in ES
Create an add-on for a custom sourcetype
Describe add-on troubleshooting

Module 9 – Tuning Correlation Searches

Describe correlation search operation
Customize correlation searches
Describe numeric vs. conceptual thresholds

Module 10 – Creating Correlation Searches

Create a custom correlation search
Manage adaptive responses
Export/import content

Module 11 – Asset & Identity Management

Review the Asset and Identity Management interface
Describe Asset and Identity KV Store collections
Configure and add asset and identity lookups to the interface
Configure settings and fields for asset and identity lookups
Explain the asset and identity merge process
Describe the process for retrieving LDAP data for an asset or identity lookup

To be successful, students should have a solid understanding of the following courses:

To be successful, students should have a solid understanding of the following courses:
Using Splunk Enterprise Security (USES)
Intro to Splunk (ITS)
Using Fields (SUF)
Intro to Knowledge Objects (IKO)
Creating Knowledge Objects (CKO)
Creating Field Extractions (CFE)
Enriching Data with Lookups (EDL)
Data Models (SDM)
Splunk Enterprise System Administration (SESA)
Splunk Enterprise Data Administration (SEDA)

This course is part of the following Certifications:

Splunk Enterprise Security Certified Admin

This 13.5-hour course prepares architects and systems administrators to install and configure Splunk Enterprise Security (ES).

Administering Splunk Enterprise Security (SP-ASES)

Course Overview

Scheduled Classes

What You'll Learn

Outline