SPLK-3001 Exam - Splunk Enterprise Security Certified Admin Exam

certleader.com

Act now and download your Splunk SPLK-3001 test today! Do not waste time on worthless Splunk SPLK-3001 tutorials. Download the up-to-date Splunk Enterprise Security Certified Admin Exam (SPLK-3001) with real questions and answers and begin to learn Splunk SPLK-3001 like a classic professional.

Online Splunk SPLK-3001 free dumps demo below:

NEW QUESTION 1
Which of the following actions would not reduce the number of false positives from a correlation search?

  • A. Reducing the severity.
  • B. Removing throttling fields.
  • C. Increasing the throttling window.
  • D. Increasing threshold sensitivity.

Answer: A

NEW QUESTION 2
To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

  • A. Intrusion Center
  • B. Protocol Analysis
  • C. User Intelligence
  • D. Threat Intelligence

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/NetworkProtectionDomaindashboards

NEW QUESTION 3
Which setting indicates that the correlation search will be executed as new events are indexed?

  • A. Always-On
  • B. Real-Time
  • C. Scheduled
  • D. Continuous

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches

NEW QUESTION 4
What is the default schedule for accelerating ES data models?

  • A. 1 minute
  • B. 5 minutes
  • C. 15 minutes
  • D. 1 hour

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 5
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

  • A. A prefix of CIM_
  • B. A suffix of .spl
  • C. A prefix of TECH_
  • D. A prefix of Splunk_TA_

Answer: D

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/planintegrationes/

NEW QUESTION 6
The Brute Force Access Behavior Detected correlation search is enabled and is generating many false positives. Assuming the input data has already been validated, how can the correlation search be made less sensitive?

  • A. Edit the search and modify the notable event status field to make the notable events less urgent.
  • B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.
  • C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
  • D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 7
What does the Security Posture dashboard display?

  • A. Active investigations and their status.
  • B. A high-level overview of notable events.
  • C. Current threats being tracked by the SOC.
  • D. A display of the status of security tools.

Answer: B

Explanation:
The Security Posture dashboard is designed to provide high-level insight into the notable events across all domains of your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and provides real-time event information and updates.
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/SecurityPosturedashboard

NEW QUESTION 8
Where is it possible to export content, such as correlation searches, from ES?

  • A. Content exporter
  • B. Configure -> Content Management
  • C. Export content dashboard
  • D. Settings Menu -> ES -> Export

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export

NEW QUESTION 9
ES needs to be installed on a search head with which of the following options?

  • A. No other apps.
  • B. Any other apps installed.
  • C. All apps removed except for TA-*.
  • D. Only default built-in and CIM-compliant apps.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallEnterpriseSecurity

NEW QUESTION 10
How is notable event urgency calculated?

  • A. Asset priority and threat weight.
  • B. Alert severity found by the correlation search.
  • C. Asset or identity risk and severity found by the correlation search.
  • D. Severity set by the correlation search and priority assigned to the associated asset or identity.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 11
“10.22.63.159”, “websvr4”, and “00:26:08:18:CF:1D” would be matched against what in ES?

  • A. A user.
  • B. A device.
  • C. An asset.
  • D. An identity.

Answer: B

NEW QUESTION 12
If a username does not match the ‘identity’ column in the identities list, which column is checked next?

  • A. Email.
  • B. Nickname.
  • C. IP address.
  • D. Combination of Last Name, First Name.

Answer: C

NEW QUESTION 13
Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

  • A. Lookup searches.
  • B. Summarized data.
  • C. Security metrics.
  • D. Metrics store searches.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/CreateGlassTable

NEW QUESTION 14
An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

  • A. Index consistency.
  • B. Data integrity control.
  • C. Indexer acknowledgement.
  • D. Index access permissions.

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/790783/anti-tampering-features-to-protect-splunk-logs-the.html

NEW QUESTION 15
Which of the following are examples of sources for events in the endpoint security domain dashboards?

  • A. REST API invocations.
  • B. Investigation final results status.
  • C. Workstations, notebooks, and point-of-sale systems.
  • D. Lifecycle auditing of incidents, from assignment to resolution.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

NEW QUESTION 16
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

  • A. ess_user
  • B. ess_admin
  • C. ess_analyst
  • D. ess_reviewer

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents

NEW QUESTION 17
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

  • A. Use new app names each time content is exported.
  • B. Do not use the .spl extension when naming an export.
  • C. Always include existing and new content for each export.
  • D. Either use new app names or always include both existing and new content.

Answer: A

NEW QUESTION 18
Where are attachments to investigations stored?

  • A. KV Store
  • B. notable index
  • C. attachments.csv lookup
  • D. <splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 19
An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

  • A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
  • B. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
  • C. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
  • D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Answer: D

NEW QUESTION 20
Which of the following is a key feature of a glass table?

  • A. Rigidity.
  • B. Customization.
  • C. Interactive investigations.
  • D. Strong data for later retrieval.

Answer: B

NEW QUESTION 21
Who can delete an investigation?

  • A. ess_admin users only.
  • B. The investigation owner only.
  • C. The investigation owner and ess_admin.
  • D. The investigation owner and collaborators.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 22
Which of the following is a way to test for a properly normalized data model?

  • A. Use Audit -> Normalization Audit and check the Errors panel.
  • B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
  • C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
  • D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

NEW QUESTION 23
What is the first step when preparing to install ES?

  • A. Install ES.
  • B. Determine the data sources used.
  • C. Determine the hardware required.
  • D. Determine the size and scope of installation.

Answer: D

NEW QUESTION 24
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

  • A. OS: 32 bit, RAM: 16 MB, CPU: 12 cores
  • B. OS: 64 bit, RAM: 32 MB, CPU: 12 cores
  • C. OS: 64 bit, RAM: 12 MB, CPU: 16 cores
  • D. OS: 64 bit, RAM: 32 MB, CPU: 16 cores

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware

NEW QUESTION 25
......

P.S. 2passeasy is now offering 100% pass-guaranteed SPLK-3001 dumps! All SPLK-3001 exam questions have been updated with correct answers: https://www.2passeasy.com/dumps/SPLK-3001/ (60 New Questions)