11.11 Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Splunk SPLK-3001 Splunk Enterprise Security Certified Admin Exam Exam Practice Test

Page: 1 / 10
Total 99 questions

Splunk Enterprise Security Certified Admin Exam Questions and Answers

Question 1

Which component normalizes events?

Options:

A.

SA-CIM.

B.

SA-Notable.

C.

ES application.

D.

Technology add-on.

Question 2

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Options:

A.

Configure the add-ons according to their README or documentation.

B.

Disable the add-ons until they are ready to be used, then enable the add-ons.

C.

Nothing, there are no additional steps for add-ons.

D.

Configure the add-ons via the Content Management dashboard.

Question 3

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

Options:

A.

$SPLUNK_HOME/etc/master-apps/

B.

$SPLUNK_HOME/etc/system/local/

C.

$SPLUNK_HOME/etc/shcluster/apps

D.

$SPLUNK_HOME/var/run/searchpeers/

Question 4

Which of the following is a key feature of a glass table?

Options:

A.

Rigidity.

B.

Customization.

C.

Interactive investigations.

D.

Strong data for later retrieval.

Question 5

To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Options:

A.

Intrusion Center

B.

Protocol Analysis

C.

User Intelligence

D.

Threat Intelligence

Question 6

Which two fields combine to create the Urgency of a notable event?

Options:

A.

Priority and Severity.

B.

Priority and Criticality.

C.

Criticality and Severity.

D.

Precedence and Time.

Question 7

Which of the following actions can improve overall search performance?

Options:

A.

Disable indexed real-time search.

B.

Increase priority of all correlation searches.

C.

Reduce the frequency (schedule) of lower-priority correlation searches.

D.

Add notable event suppressions for correlation searches with high numbers of false positives.

Question 8

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.

How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

Options:

A.

In Enterprise Security, give the ess_user role the Own Notable Events permission.

B.

From the Status Configuration window select the Closed status. Remove ess_user from the status

transitions for the Resolved status.

C.

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

D.

From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

Question 9

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.

What is a solution for this issue?

Options:

A.

Suppress notable events from that correlation search.

B.

Disable acceleration for the correlation search to reduce storage requirements.

C.

Modify the correlation schedule and sensitivity for your site.

D.

Change the correlation search's default status and severity.

Question 10

Which of the following is an adaptive action that is configured by default for ES?

Options:

A.

Create notable event

B.

Create new correlation search

C.

Create investigation

D.

Create new asset

Question 11

An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

Options:

A.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup

B.

Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

C.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup

D.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Question 12

A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

Options:

A.

Install ES on the existing search head.

B.

Add a new search head and install ES on it.

C.

Increase the number of CPUs and amount of memory on the search head, then install ES.

D.

Delete the non-CIM-compliant apps from the search head, then install ES.

Question 13

Where is detailed information about identities stored?

Options:

A.

The Identity Investigator index.

B.

The Access Anomalies collection.

C.

The User Activity index.

D.

The Identity Lookup CSV file.

Question 14

ES needs to be installed on a search head with which of the following options?

Options:

A.

No other apps.

B.

Any other apps installed.

C.

All apps removed except for TA-*.

D.

Only default built-in and CIM-compliant apps.

Question 15

Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?

Options:

A.

Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.

B.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

C.

Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.

D.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.

Question 16

Where is it possible to export content, such as correlation searches, from ES?

Options:

A.

Content exporter

B.

Configure -> Content Management

C.

Export content dashboard

D.

Settings Menu -> ES -> Export

Question 17

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

Options:

A.

Web

B.

Risk

C.

Performance

D.

Authentication

Question 18

Which data model populated the panels on the Risk Analysis dashboard?

Options:

A.

Risk

B.

Audit

C.

Domain analysis

D.

Threat intelligence

Question 19

The option to create a Short ID for a notable event is located where?

Options:

A.

The Additional Fields.

B.

The Event Details.

C.

The Contributing Events.

D.

The Description.

Question 20

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

Options:

A.

thawedPath

B.

tstatsHomePath

C.

summaryHomePath

D.

warmToColdScript

Question 21

To which of the following should the ES application be uploaded?

Options:

A.

The indexer.

B.

The KV Store.

C.

The search head.

D.

The dedicated forwarder.

Question 22

What kind of value is in the red box in this picture?

Question # 22

Options:

A.

A risk score.

B.

A source ranking.

C.

An event priority.

D.

An IP address rating.

Question 23

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Options:

A.

Configure -> Incident Management -> Notable Event Statuses

B.

Configure -> Content Management -> Type: Correlation Search

C.

Configure -> Incident Management -> Incident Review Settings -> Event Management

D.

Configure -> Incident Management -> Incident Review Settings -> Table Attributes

Question 24

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Options:

A.

Splunk_DS_ForIndexers.spl

B.

Splunk_ES_ForIndexers.spl

C.

Splunk_SA_ForIndexers.spl

D.

Splunk_TA_ForIndexers.spl

Question 25

Which of the following actions would not reduce the number of false positives from a correlation search?

Options:

A.

Reducing the severity.

B.

Removing throttling fields.

C.

Increasing the throttling window.

D.

Increasing threshold sensitivity.

Question 26

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Options:

A.

ess_user

B.

ess_admin

C.

ess_analyst

D.

ess_reviewer

Question 27

Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

Options:

A.

VIP

B.

Priority

C.

Importance

D.

Criticality

Question 28

In order to include an event type in a data model node, what is the next step after extracting the correct fields?

Options:

A.

Save the settings.

B.

Apply the correct tags.

C.

Run the correct search.

D.

Visit the CIM dashboard.

Question 29

What is an example of an ES asset?

Options:

A.

MAC address

B.

User name

C.

Server

D.

People

Page: 1 / 10
Total 99 questions