Splunk Enterprise Security — Tour
Every dashboard, every menu, every concept inside ES
Learning Objectives
- Navigate Security Posture, Incident Review, Investigations
- Open Security Domains (Access, Endpoint, Network, Identity)
- Find Risk Analysis, Threat Activity, and Asset Investigator
- Understand the relationship between Splunk Core and ES
Module 1 — What is Splunk ES?
A Splunk app — premium SIEM solution built on top of Splunk Core.
Adds Notable Events, Correlation Searches, Risk-Based Alerting, Threat Intel framework, Asset & Identity, dashboards.
Runs on its own dedicated Search Head (or Search Head Cluster, SHC); indexers and forwarders are plain Splunk Core.
Module 2 — Top-Level Navigation
Security Posture — exec view, KPIs.
Incident Review — analyst queue of Notable Events.
Investigations — case management.
Security Intelligence — Risk Analysis, Threat Activity, Protocol Intelligence, User Intelligence, Web Intelligence.
Security Domains — Access, Endpoint, Network, Identity, Audit (each with Center / Investigator dashboards).
Audit — search activity, suppression audit.
Search — Splunk Core search inside ES.
Configure — content management, settings.
Module 3 — Glass Tables
Real-time canvas dashboards for SOC TV walls and exec view.
Lab 17 — Tour Splunk ES
- Open the Splunk ES lab.
- Click every top-level tab: Posture, Incident Review, Investigations, Security Intelligence, Security Domains, Audit, Search, Configure.
- Open one Notable Event — read every field.
- Find the Risk Analysis dashboard. Identify the top 3 risk objects.
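The Risk Analysis dashboard in Module 2 and the last lab step both come down to one question: which risk objects have accumulated the most score, and from how many different detections. The search below is an added example, not a query taken from the ES app or from the course; it assumes the Risk data model (`Risk.All_Risk`) and its `risk_object`, `risk_object_type`, `risk_score` and `source` fields as shipped with ES, which you should confirm in the lab instance under Configure, Data Models. The 24-hour window is an assumed value; adjust it to match the dashboard's time picker.

```spl
| tstats sum(All_Risk.risk_score) AS total_risk_score
         dc(All_Risk.source) AS distinct_detections
         values(All_Risk.source) AS detections
    FROM datamodel=Risk.All_Risk
    WHERE earliest=-24h latest=now
    BY All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* AS *
| sort - total_risk_score
| head 3
```

Run it from the Search tab and compare the three rows with the top risk objects shown on the Risk Analysis dashboard; they should agree for the same time range. The `distinct_detections` column matters as much as the score: Risk-Based Alerting promotes a risk object to a risk notable when it crosses a score threshold and, typically, a minimum number of distinct contributing detections, so a single noisy correlation search firing repeatedly against one host looks different here than several independent detections converging on it.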
Key Takeaways
- ✓ ES is a Splunk app: Core does the indexing and searching, ES adds detections and analyst workflow
- ✓ Incident Review is your home as an analyst
- ✓ Risk Analysis is where modern, risk-based detection lives