Pre-Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Splunk SPLK-3001 Dumps

Page: 1 / 7
Total 99 questions

Splunk Enterprise Security Certified Admin Exam Questions and Answers

Question 1

A security manager has been working with the executive team en long-range security goals. A primary goal for the team Is to Improve managing user risk in the organization. Which of the following ES features can help identify users accessing inappropriate web sites?

Options:

A.

Configuring the identities lookup with user details to enrich notable event Information for forensic analysis.

B.

Make sure the Authentication data model contains up-to-date events and is properly accelerated.

C.

Configuring user and website watchlists so the User Activity dashboard will highlight unwanted user actions.

D.

Use the Access Anomalies dashboard to identify unusual protocols being used to access corporate sites.

Buy Now
Question 2

What does the Security Posture dashboard display?

Options:

A.

Active investigations and their status.

B.

A high-level overview of notable events.

C.

Current threats being tracked by the SOC.

D.

A display of the status of security tools.

Question 3

Which component normalizes events?

Options:

A.

SA-CIM.

B.

SA-Notable.

C.

ES application.

D.

Technology add-on.

Question 4

Which of the following actions can improve overall search performance?

Options:

A.

Disable indexed real-time search.

B.

Increase priority of all correlation searches.

C.

Reduce the frequency (schedule) of lower-priority correlation searches.

D.

Add notable event suppressions for correlation searches with high numbers of false positives.

Question 5

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

Options:

A.

50 GB

B.

100 GB

C.

300 GB

D.

500 MB

Question 6

How should an administrator add a new look up through the ES app?

Options:

A.

Upload the lookup file in Settings -> Lookups -> Lookup Definitions

B.

Upload the lookup file in Settings -> Lookups -> Lookup table files

C.

Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups

D.

Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Question 7

Where is the Add-On Builder available from?

Options:

A.

GitHub

B.

SplunkBase

D.

The ES installation package

Question 8

How is it possible to specify an alternate location for accelerated storage?

Options:

A.

Configure storage optimization settings for the index.

B.

Update the Home Path setting in indexes, conf

C.

Use the tstatsHomePath setting in props, conf

D.

Use the tstatsHomePath Setting in indexes, conf

Question 9

Following the Installation of ES, an admin configured Leers with the ©ss_uso r role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to closed?

Options:

A.

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.

B.

From the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.

C.

In Enterprise Security, give the ess_user role the own Notable Events permission.

D.

From Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.

Question 10

After managing source types and extracting fields, which key step comes next In the Add-On Builder?

Options:

A.

Validate and package

B.

Configure data collection.

C.

Create alert actions.

D.

Map to data models.

Question 11

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Options:

A.

Lookup searches.

B.

Summarized data.

C.

Security metrics.

D.

Metrics store searches.

Question 12

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Options:

A.

Indexes might crash.

B.

Indexes might be processing.

C.

Indexes might not be reachable.

D.

Indexes have different settings.

Question 13

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.

How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

Options:

A.

In Enterprise Security, give the ess_user role the Own Notable Events permission.

B.

From the Status Configuration window select the Closed status. Remove ess_user from the status

transitions for the Resolved status.

C.

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

D.

From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

Question 14

Where is detailed information about identities stored?

Options:

A.

The Identity Investigator index.

B.

The Access Anomalies collection.

C.

The User Activity index.

D.

The Identity Lookup CSV file.

Question 15

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Options:

A.

A prefix of CIM_

B.

A suffix of .spl

C.

A prefix of TECH_

D.

A prefix of Splunk_TA_

Question 16

Which of the following is a key feature of a glass table?

Options:

A.

Rigidity.

B.

Customization.

C.

Interactive investigations.

D.

Strong data for later retrieval.

Question 17

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Options:

A.

Index consistency.

B.

Data integrity control.

C.

Indexer acknowledgement.

D.

Index access permissions.

Question 18

In order to include an event type in a data model node, what is the next step after extracting the correct fields?

Options:

A.

Save the settings.

B.

Apply the correct tags.

C.

Run the correct search.

D.

Visit the CIM dashboard.

Question 19

What should be used to map a non-standard field name to a CIM field name?

Options:

A.

Field alias.

B.

Search time extraction.

C.

Tag.

D.

Eventtype.

Question 20

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Options:

A.

REST API invocations.

B.

Investigation final results status.

C.

Workstations, notebooks, and point-of-sale systems.

D.

Lifecycle auditing of incidents, from assignment to resolution.

Question 21

What kind of value is in the red box in this picture?

Options:

A.

A risk score.

B.

A source ranking.

C.

An event priority.

D.

An IP address rating.

Question 22

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

Options:

A.

Web

B.

Risk

C.

Performance

D.

Authentication

Question 23

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

Options:

A.

thawedPath

B.

tstatsHomePath

C.

summaryHomePath

D.

warmToColdScript

Question 24

Which of the following features can the Add-on Builder configure in a new add-on?

Options:

A.

Expire data.

B.

Normalize data.

C.

Summarize data.

D.

Translate data.

Question 25

What is the bar across the bottom of any ES window?

Options:

A.

The Investigator Workbench.

B.

The Investigation Bar.

C.

The Analyst Bar.

D.

The Compliance Bar.

Question 26

The Add-On Builder creates Splunk Apps that start with what?

Options:

A.

DA-

B.

SA-

C.

TA-

D.

App-

Question 27

ES needs to be installed on a search head with which of the following options?

Options:

A.

No other apps.

B.

Any other apps installed.

C.

All apps removed except for TA-*.

D.

Only default built-in and CIM-compliant apps.

Question 28

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

Options:

A.

Administrative Identities

B.

Local User Intel

C.

Identities

D.

Privileged Accounts

Question 29

Which data model populated the panels on the Risk Analysis dashboard?

Options:

A.

Risk

B.

Audit

C.

Domain analysis

D.

Threat intelligence

Page: 1 / 7
Total 99 questions