SPLK-3001

99問 • 1年前

Fausto Damian Cadena

通報

問題一覧

The Add-On Builder creates Splunk Apps that start with what?

TA-

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Workstations, notebooks, and point-of-sale systems.

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$

What feature of Enterprise Security downloads threat intelligence data from a web server?

Threat Download Manager

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

Authentication

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

Run the correct search.

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

ess_analyst

Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Priority

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

An aggregation.

Which indexes are searched by default for CIM data models?

All indexes

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

tstatsHomePath

Which of the following is a way to test for a property normalized data model?

Run a | datamodel search, compare results to the CIM documentation for the datamodel.

Which argument to the | tstats command restricts the search to summarized data only?

summariesonly=t

When investigating, what is the best way to store a newly-found IOC?

Click the "Add IOC" button.

How is it possible to navigate to the list of currently-enabled ES correlation searches?

Configure -> Content Management -> Select Type "Correlation" and Status "Enabled"

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Indexes have different settings.

Which of the following are data models used by ES? (Choose all that apply)

Web, Authentication, Network Traffic

At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

Splunk_TA_ForIndexers.spl is installed first.

Which correlation search feature is used to throttle the creation of notable events?

Window duration.

Both `Recommended Actions` and `Adaptive Response Actions` use adaptive response. How do they differ?

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

What does the Security Posture dashboard display?

A high-level overview of notable events.

"10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

A device.

How should an administrator add a new lookup through the ES app?

Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Security metrics.

Which of the following is a key feature of a glass table?

Customization.

An administrator is asked to configure an "Nslookup" adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Configure -> Incident Management -> Incident Review Settings -> Table Attributes

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Protocol Analysis

Adaptive response action history is stored in which index?

cim_modactions

Which of the following actions would not reduce the number of false positives from a correlation search?

Reducing the severity.

Where is the Add-On Builder available from?

SplunkBase

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

A prefix of Splunk_TA_

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

$SPLUNK_HOME/etc/shcluster/apps

How is notable event urgency calculated?

Severity set by the correlation search and priority assigned to the associated asset or identity.

What kind of value is in the red box in this picture?

A risk score.

Where is it possible to export content, such as correlation searches, from ES?

Configure -> Content Management

Which of the following threat intelligence types can ES download? (Choose all that apply)

STIX/TAXII

A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

Add a new search head and install ES on it.

Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Data models

To which of the following should the ES application be uploaded?

The search head.

If a username does not match the 'identity' column in the identities list, which column is checked next?

Email.

Which of the following features can the Add-on Builder configure in a new add-on?

Normalize data.

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

100 GB

ES needs to be installed on a search head with which of the following options?

No other apps.

Which settings indicated that the correlation search will be executed as new events are indexed?

Scheduled

Where are attachments to investigations stored?

KV Store

Which data model populated the panels on the Risk Analysis dashboard?

Risk

How is it possible to navigate to the ES graphical Navigation Bar editor?

Configure -> General -> Navigation

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

OS: 64 bit, RAM: 12 MB, CPU: 16 cores

What tools does the Risk Analysis dashboard provide?

A display of the highest risk assets and identities.

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Either use new app names or always include both existing and new content.

Who can delete an investigation?

ess_admin users only.

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Splunk_TA_ForIndexers.spl

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

Which of the following actions can improve overall search performance?

Reduce the frequency (schedule) of lower-priority correlation searches.

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Protocol intelligence dashboard.

Which component normalizes events?

SA-CIM.

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Data integrity control.

What is the first step when preparing to install ES?

Determine the size and scope of installation.

What is the default schedule for accelerating ES Datamodels?

5 minutes

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

3.4

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Configure the add-ons according to their README or documentation.

What can be exported from ES using the Content Management page?

Any content type listed in the Content Management page.

Where should an ES search head be installed?

On a server with a new install of Splunk.

Following the installation of ES, an admin configured users with the ess user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

Which of the following actions may be necessary before installing ES?

Add additional forwarders.

A customer site is experiencing poor performance. The Ul response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives. Which of the following options is most likely to help performance?

Increase memory and CPUs on the search head(s) and add additional indexers.

What should be used to map a non-standard field name to a CIM field name?

Field alias.

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Threat intel.

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives. What is a solution for this issue?

Modify the correlation schedule and sensitivity for your site.

Which of the following steps Will make the Threat Activity dashboard the default landing page in ES?

From the Edit Navigation page, drag and drop the Threat Activity View to the top of the page.

When using distributed configuration management to create the Splunk TA Forlndexers package, which three files can be included?

indexes.conf, props.conf, transforms.conf

Which feature contains scenarios that are useful during ES implementation?

Correlation Searches

Where is detailed information about identities stored?

The Identity Lookup CSV file.

The option to create a Short ID for a notable event is located where?

The Event Details.

A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?

Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.

What is the bar across the bottom of any ES window?

The Investigation Bar.

Which two fields combine to create the Urgency of a notable event?

Priority and Severity.

What do threat gen searches produce?

Events in the threat activity index.

Which of the following is part of tuning correlation searches for a new ES installation?

Configuring correlation adaptive responses.

Which columns in the Assets lookup are used to identify an asset in an event?Y

ip, mac, dns, nt_host

What does the summariesonly=true option do for a correlation search?

Searches only accelerated data.

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

SplunkWeb (8000), splunk Management (8089), KV Store (8191)

What is the main purpose of the Dashboard Requirements Matrix document?

Identifies on which data model(s) each dashboard depends.

Which of the following is a recommended pre-installation step?

Configure search head forwarding.

What are adaptive responses triggered by?

By custom tech add-ons and users on the risk analysis dashboard.

Which of the following is an adaptive action that is configured by default for ES?

Create notable event

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

Identities

Which tool is used to update indexers in ES?

indexes.conf

How is it possible to specify an alternate location for accelerated storage?

Use the tStatsHomePath setting in indexes.conf

After managing source types and extracting fields, which key step comes next in the Add-On Builder?

Map to data models.

How does ES know local customer domain names so it can detect internal vs. external emails?

The Corporate Web and Email Domain Lookups are edited during initial configuration.

Which of these is a benefit of data normalization?

Searches can be built no matter the specific source technology for a normalized data type.

A security manager has been working with the executive team en long-range security goals. A primary goal for the team Is to Improve managing user risk in the organization. Which of the following ES features can help identify users accessing inappropriate web sites?

Configuring user and website watchlists so the User Activity dashboard Will highlight unwanted user actions.

Which of the following is a Web Intelligence dashboard?

HTTP Category Analysis

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

Normalization to the Splunk Common Information Model.

What is an example of an ES asset?

Server

Analysts have requested the ability to capture and analyze network traffic data. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES. Which dashboards Will now be supported so analysts can View and analyze network Stream data?

Protocol Intelligence dashboards.

Splunk Core Certified Power User.SPLK-1002.ActualTests.2021-01-25.96q

Fausto Damian Cadena · 228問 · 1年前

Splunk Core Certified Power User.SPLK-1002.ActualTests.2021-01-25.96q

228問 • 1年前

Fausto Damian Cadena

問題一覧

The Add-On Builder creates Splunk Apps that start with what?

TA-

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Workstations, notebooks, and point-of-sale systems.

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$

What feature of Enterprise Security downloads threat intelligence data from a web server?

Threat Download Manager

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

Authentication

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

Run the correct search.

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

ess_analyst

Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Priority

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

An aggregation.

Which indexes are searched by default for CIM data models?

All indexes

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

tstatsHomePath

Which of the following is a way to test for a property normalized data model?

Run a | datamodel search, compare results to the CIM documentation for the datamodel.

Which argument to the | tstats command restricts the search to summarized data only?

summariesonly=t

When investigating, what is the best way to store a newly-found IOC?

Click the "Add IOC" button.

How is it possible to navigate to the list of currently-enabled ES correlation searches?

Configure -> Content Management -> Select Type "Correlation" and Status "Enabled"

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Indexes have different settings.

Which of the following are data models used by ES? (Choose all that apply)

Web, Authentication, Network Traffic

At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

Splunk_TA_ForIndexers.spl is installed first.

Which correlation search feature is used to throttle the creation of notable events?

Window duration.

Both `Recommended Actions` and `Adaptive Response Actions` use adaptive response. How do they differ?

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

What does the Security Posture dashboard display?

A high-level overview of notable events.

"10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

A device.

How should an administrator add a new lookup through the ES app?

Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Security metrics.

Which of the following is a key feature of a glass table?

Customization.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Configure -> Incident Management -> Incident Review Settings -> Table Attributes

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Protocol Analysis

Adaptive response action history is stored in which index?

cim_modactions

Which of the following actions would not reduce the number of false positives from a correlation search?

Reducing the severity.

Where is the Add-On Builder available from?

SplunkBase

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

A prefix of Splunk_TA_

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

$SPLUNK_HOME/etc/shcluster/apps

How is notable event urgency calculated?

Severity set by the correlation search and priority assigned to the associated asset or identity.

What kind of value is in the red box in this picture?

A risk score.

Where is it possible to export content, such as correlation searches, from ES?

Configure -> Content Management

Which of the following threat intelligence types can ES download? (Choose all that apply)

STIX/TAXII

Add a new search head and install ES on it.

Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Data models

To which of the following should the ES application be uploaded?

The search head.

If a username does not match the 'identity' column in the identities list, which column is checked next?

Email.

Which of the following features can the Add-on Builder configure in a new add-on?

Normalize data.

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

100 GB

ES needs to be installed on a search head with which of the following options?

No other apps.

Which settings indicated that the correlation search will be executed as new events are indexed?

Scheduled

Where are attachments to investigations stored?

KV Store

Which data model populated the panels on the Risk Analysis dashboard?

Risk

How is it possible to navigate to the ES graphical Navigation Bar editor?

Configure -> General -> Navigation

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

OS: 64 bit, RAM: 12 MB, CPU: 16 cores

What tools does the Risk Analysis dashboard provide?

A display of the highest risk assets and identities.

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Either use new app names or always include both existing and new content.

Who can delete an investigation?

ess_admin users only.

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Splunk_TA_ForIndexers.spl

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

Which of the following actions can improve overall search performance?

Reduce the frequency (schedule) of lower-priority correlation searches.

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Protocol intelligence dashboard.

Which component normalizes events?

SA-CIM.

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Data integrity control.

What is the first step when preparing to install ES?

Determine the size and scope of installation.

What is the default schedule for accelerating ES Datamodels?

5 minutes

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

3.4

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Configure the add-ons according to their README or documentation.

What can be exported from ES using the Content Management page?

Any content type listed in the Content Management page.

Where should an ES search head be installed?

On a server with a new install of Splunk.

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

Which of the following actions may be necessary before installing ES?

Add additional forwarders.

Increase memory and CPUs on the search head(s) and add additional indexers.

What should be used to map a non-standard field name to a CIM field name?

Field alias.

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Threat intel.

Modify the correlation schedule and sensitivity for your site.

Which of the following steps Will make the Threat Activity dashboard the default landing page in ES?

From the Edit Navigation page, drag and drop the Threat Activity View to the top of the page.

When using distributed configuration management to create the Splunk TA Forlndexers package, which three files can be included?

indexes.conf, props.conf, transforms.conf

Which feature contains scenarios that are useful during ES implementation?

Correlation Searches

Where is detailed information about identities stored?

The Identity Lookup CSV file.

The option to create a Short ID for a notable event is located where?

The Event Details.

A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?

Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.

What is the bar across the bottom of any ES window?

The Investigation Bar.

Which two fields combine to create the Urgency of a notable event?

Priority and Severity.

What do threat gen searches produce?

Events in the threat activity index.

Which of the following is part of tuning correlation searches for a new ES installation?

Configuring correlation adaptive responses.

Which columns in the Assets lookup are used to identify an asset in an event?Y

ip, mac, dns, nt_host

What does the summariesonly=true option do for a correlation search?

Searches only accelerated data.

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

SplunkWeb (8000), splunk Management (8089), KV Store (8191)

What is the main purpose of the Dashboard Requirements Matrix document?

Identifies on which data model(s) each dashboard depends.

Which of the following is a recommended pre-installation step?

Configure search head forwarding.

What are adaptive responses triggered by?

By custom tech add-ons and users on the risk analysis dashboard.

Which of the following is an adaptive action that is configured by default for ES?

Create notable event

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

Identities

Which tool is used to update indexers in ES?

indexes.conf

How is it possible to specify an alternate location for accelerated storage?

Use the tStatsHomePath setting in indexes.conf

After managing source types and extracting fields, which key step comes next in the Add-On Builder?

Map to data models.

How does ES know local customer domain names so it can detect internal vs. external emails?

The Corporate Web and Email Domain Lookups are edited during initial configuration.

Which of these is a benefit of data normalization?

Searches can be built no matter the specific source technology for a normalized data type.

Configuring user and website watchlists so the User Activity dashboard Will highlight unwanted user actions.

Which of the following is a Web Intelligence dashboard?

HTTP Category Analysis

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

Normalization to the Splunk Common Information Model.

What is an example of an ES asset?

Server

Protocol Intelligence dashboards.