SPLK-3001 Practice Test Questions – Splunk Enterprise Security Certified Admin

SPLK-3001 Splunk Enterprise Security Certified Admin is new available, PassQuestion provides you the latest SPLK-3001 Practice Test Questions which contain all the real SPLK-3001 questions and answers to help you well prepared for your test. You can practice in the following SPLK-3001 free questions for reference.

Splunk Enterprise Security Certified Admin exam is an 57-minute, 66-question assessment which evaluates a candidate’s knowledge and skills in the installation, configuration, and management of Splunk Enterprise Security. Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60 minutes.

SPLK-3001 Practice Test Questions – Splunk Enterprise Security Certified Admin

1. The Add-On Builder creates Splunk Apps that start with what?

App-

2. Which of the following are examples of sources for events in the endpoint security domain dashboards?

REST API invocations.

Investigation final results status.

Workstations, notebooks, and point-of-sale systems.

Lifecycle auditing of incidents, from assignment to resolution.

3. When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$

“fieldname”

%fieldname%

_fieldname_

4. What feature of Enterprise Security downloads threat intelligence data from a web server?

Threat Service Manager

Threat Download Manager

Threat Intelligence Parser

Threat Intelligence Enforcement

5. The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data.

What data model should be checked for potential errors such as skipped searches?

Web

Risk

Performance

Authentication

6. In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

Save the settings.

Apply the correct tags.

Run the correct search.

Visit the CIM dashboard.

7. What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

ess_user

ess_admin

ess_analyst

ess_reviewer

8. Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

VIP

Priority

Importance

Criticality

9. What does the risk framework add to an object (user, server or other type) to indicate increased risk?

An urgency.

A risk profile.

An aggregation.

A numeric score.

10. Which indexes are searched by default for CIM data models?

notableand default

summaryand notable

_internaland summary

All indexes

11. The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data.

What data model should be checked for potential errors such as skipped searches?

Web

Risk

Performance

Authentication

12. Which of the following actions can improve overall search performance?

Disable indexed real-time search.

Increase priority of all correlation searches.

Reduce the frequency (schedule) of lower-priority correlation searches.

Add notable event suppressions for correlation searches with high numbers of false positives.

13. Which feature contains scenarios that are useful during ES Implementation?

Use Case Library

Correlation Searches

Predictive Analytics

Adaptive Responses

14. Following the Installation of ES, an admin configured Leers with the ©ss_uso r role the ability to close notable events.

How would the admin restrict these users from being able to change the status of Resolved notable events to closed?

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.

From the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.

In Enterprise Security, give the ess_user role the own Notable Events permission.

From Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.

15. How is it possible to navigate to the list of currently-enabled ES correlation searches?

Configure -> Correlation Searches -> Select Status “Enabled”

Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”

Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”

Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “- Rule”

16. What is the first step when preparing to install ES?

Install E

Determine the data sources used.

Determine the hardware required.

Determine the size and scope of installation.

17. Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

A prefix of CIM_

A suffix of .spl

A prefix of TECH_

A prefix of Splunk_TA_

18. Where is it possible to export content, such as correlation searches, from ES?

Content exporter

Configure -> Content Management

Export content dashboard

Settings Menu -> ES -> Export

19. “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against what in ES?

A user.

A device.

An asset.

An identity.

20. A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance.

What is the best practice for installing ES?

Install ES on the existing search head.

Add a new search head and install ES on it.

Increase the number of CPUs and amount of memory on the search head, then install E

Delete the non-CIM-compliant apps from the search head, then install E

21. Where is the Add-On Builder available from?

GitHub

SplunkBase

www.splunk.com

The ES installation package

22. Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

SplunkWeb (8068), Splunk Management (8089), KV Store (8000)

SplunkWeb (8390), Splunk Management (8323), KV Store (8672)

SplunkWeb (8000), Splunk Management (8089), KV Store (8191)

SplunkWeb (8043), Splunk Management (8088), KV Store (8191)

23. Adaptive response action history is stored in which index?

cim_modactions

modular_history

cim_adaptiveactions

modular_action_history

24. Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Indexes might crash.

Indexes might be processing.

Indexes might not be reachable.

Indexes have different settings.

25. If a username does not match the ‘identity’ column in the identities list, which column is checked next?

Email.

Nickname

IP address.

Combination of Last Name, First Name.

26. What is the bar across the bottom of any ES window?

The Investigator Workbench.

The Investigation Bar.

The Analyst Bar.

The Compliance Bar.

27. After managing source types and extracting fields, which key step comes next In the Add-On Builder?

Validate and package

Configure data collection.

Create alert actions.

Map to data models.

28. Which argument to the | tstats command restricts the search to summarized data only?

summaries=t

summaries=all

summariesonly=t

summariesonly=all

29. Where should an ES search head be installed?

On a Splunk server running Splunk DB Connect.

On a Splunk server with top level visibility.

On a server with a new install of Splunk.

On any Splunk server.

30. When investigating, what is the best way to store a newly-found IOC?

Paste it into Notepad.

Click the “Add IOC” button.

Click the “Add Artifact” button.

Add it in a text note to the investigation.

31. Which of the following threat intelligence types can ES download? (Choose all that apply)

Text

STIX/TAXII

VulnScanSPL

SplunkEnterpriseThreatGenerator

32. Which correlation search feature is used to throttle the creation of notable events?

Schedule priority.

Window interval.

Window duration.

Schedule windows.

33. At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

When adding apps to the deployment server.

Splunk_TA_ForIndexers.spl is installed first.

After installing ES on the search head(s) and running the distributed configuration management tool.

Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

34. Which of the following features can the Add-on Builder configure in a new add-on?

Expire data.

Normalize data.

Summarize data.

Translate data.

35. Analysts have requested the ability to capture and analyze network traffic data. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES.

Which dashboards will now be supported so analysts can view and analyze network Stream data?

Endpoint dashboards.

User Intelligence dashboards.

Protocol Intelligence dashboards.

Web Intelligence dashboards.

SPLK-3001 Practice Test Questions – Splunk Enterprise Security Certified Admin

SPLK-3001 Practice Test Questions – Splunk Enterprise Security Certified Admin

Leave a Reply Cancel reply