New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Splunk SPLK-3001 Splunk Enterprise Security Certified Admin Exam Exam Practice Test

Page: 1 / 10
Total 99 questions

Splunk Enterprise Security Certified Admin Exam Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

Where is detailed information about identities stored?

Options:

A.

The Identity Investigator index.

B.

The Access Anomalies collection.

C.

The User Activity index.

D.

The Identity Lookup CSV file.

Question 2

A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives.

Which of the following options is most likely to help performance?

Options:

A.

Change the search heads to do local indexing of summary searches.

B.

Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.

C.

Increase memory and CPUs on the search head(s) and add additional indexers.

D.

If indexed realtime search is enabled, disable it for the notable index.

Question 3

ES needs to be installed on a search head with which of the following options?

Options:

A.

No other apps.

B.

Any other apps installed.

C.

All apps removed except for TA-*.

D.

Only default built-in and CIM-compliant apps.

Question 4

The Add-On Builder creates Splunk Apps that start with what?

Options:

A.

DA-

B.

SA-

C.

TA-

D.

App-

Question 5

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

Options:

A.

3.4

B.

5.7

C.

1.0

D.

2.5

Question 6

What tools does the Risk Analysis dashboard provide?

Options:

A.

High risk threats.

B.

Notable event domains displayed by risk score.

C.

A display of the highest risk assets and identities.

D.

Key indicators showing the highest probability correlation searches in the environment.

Question 7

Which of the following features can the Add-on Builder configure in a new add-on?

Options:

A.

Expire data.

B.

Normalize data.

C.

Summarize data.

D.

Translate data.

Question 8

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

Options:

A.

From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page.

B.

From the Preferences menu for the user, select Enterprise Security as the default application.

C.

From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity.

D.

Edit the Threat Activity view settings and checkmark the Default View option.

Question 9

Which two fields combine to create the Urgency of a notable event?

Options:

A.

Priority and Severity.

B.

Priority and Criticality.

C.

Criticality and Severity.

D.

Precedence and Time.

Question 10

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

Options:

A.

Web

B.

Risk

C.

Performance

D.

Authentication

Question 11

What are adaptive responses triggered by?

Options:

A.

By correlation searches and users on the incident review dashboard.

B.

By correlation searches and custom tech add-ons.

C.

By correlation searches and users on the threat analysis dashboard.

D.

By custom tech add-ons and users on the risk analysis dashboard.

Question 12

At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

Options:

A.

When adding apps to the deployment server.

B.

Splunk_TA_ForIndexers.spl is installed first.

C.

After installing ES on the search head(s) and running the distributed configuration management tool.

D.

Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Question 13

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

Options:

A.

Applying Tags.

B.

Normalization to Customer Standard.

C.

Normalization to the Splunk Common Information Model.

D.

Extracting Fields.

Question 14

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

Options:

A.

Edit the search and modify the notable event status field to make the notable events less urgent.

B.

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

C.

Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

D.

Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Question 15

Which of these Is a benefit of data normalization?

Options:

A.

Reports run faster because normalized data models can be optimized for better performance.

B.

Dashboards take longer to build.

C.

Searches can be built no matter the specific source technology for a normalized data type.

D.

Forwarder-based inputs are more efficient.

Question 16

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.

How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

Options:

A.

In Enterprise Security, give the ess_user role the Own Notable Events permission.

B.

From the Status Configuration window select the Closed status. Remove ess_user from the status

transitions for the Resolved status.

C.

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

D.

From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

Question 17

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Options:

A.

An urgency.

B.

A risk profile.

C.

An aggregation.

D.

A numeric score.

Question 18

How is it possible to specify an alternate location for accelerated storage?

Options:

A.

Configure storage optimization settings for the index.

B.

Update the Home Path setting in indexes, conf

C.

Use the tstatsHomePath setting in props, conf

D.

Use the tstatsHomePath Setting in indexes, conf

Question 19

An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

Options:

A.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup

B.

Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

C.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup

D.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Question 20

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Options:

A.

REST API invocations.

B.

Investigation final results status.

C.

Workstations, notebooks, and point-of-sale systems.

D.

Lifecycle auditing of incidents, from assignment to resolution.

Question 21

After managing source types and extracting fields, which key step comes next In the Add-On Builder?

Options:

A.

Validate and package

B.

Configure data collection.

C.

Create alert actions.

D.

Map to data models.

Question 22

Which of the following is a way to test for a property normalized data model?

Options:

A.

Use Audit -> Normalization Audit and check the Errors panel.

B.

Run a | datamodel search, compare results to the CIM documentation for the datamodel.

C.

Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.

D.

Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.

Question 23

How should an administrator add a new look up through the ES app?

Options:

A.

Upload the lookup file in Settings -> Lookups -> Lookup Definitions

B.

Upload the lookup file in Settings -> Lookups -> Lookup table files

C.

Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups

D.

Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Question 24

What does the Security Posture dashboard display?

Options:

A.

Active investigations and their status.

B.

A high-level overview of notable events.

C.

Current threats being tracked by the SOC.

D.

A display of the status of security tools.

Question 25

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Options:

A.

Lookup searches.

B.

Summarized data.

C.

Security metrics.

D.

Metrics store searches.

Question 26

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Options:

A.

Security domains.

B.

Threat intel.

C.

Assets.

D.

Domains.

Question 27

Which of the following is a Web Intelligence dashboard?

Options:

A.

Network Center

B.

Endpoint Center

C.

HTTP Category Analysis

D.

stream: http Protocol dashboard

Question 28

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Options:

A.

Indexes might crash.

B.

Indexes might be processing.

C.

Indexes might not be reachable.

D.

Indexes have different settings.

Question 29

Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?

Options:

A.

Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.

B.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

C.

Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.

D.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.

Page: 1 / 10
Total 99 questions