Free SPLK-3001 Sample Questions — Splunk Enterprise Security Certified Admin

Free SPLK-3001 sample questions for the Splunk Enterprise Security Certified Admin exam. No account required: study at your own pace.

Question 1

Which of the following are examples of sources for events in the endpoint security domain dashboards?

  • A. REST API invocations
  • B. Investigation final results status
  • C. Workstations, notebooks, and point-of-sale systems
  • D. Lifecycle auditing of incidents, from assignment to resolution
Correct Answer: C. Workstations, notebooks, and point-of-sale systems

Question 2

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

  • A. Index consistency
  • B. Data integrity control
  • C. Indexer acknowledgement
  • D. Index access permissions
Correct Answer: B. Data integrity control

Question 3

Which columns in the Assets lookup are used to identify an asset in an event?

  • A. src, dvc, dest
  • B. cidr, port, netbios, saml
  • C. ip, mac, dns, nt_host
  • D. host, hostname, url, address
Correct Answer: C. ip, mac, dns, nt_host

Question 4

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?

  • A. indexes.conf, props.conf, transforms.conf
  • B. web.conf, props.conf, transforms.conf
  • C. inputs.conf, props.conf, transforms.conf
  • D. eventtypes.conf, indexes.conf, tags.conf
Correct Answer: A. indexes.conf, props.conf, transforms.conf

Question 5

What can be exported from ES using the Content Management page?

  • A. Only correlation searches, managed lookups, and glass tables
  • B. Only correlation searches
  • C. Any content type listed in the Content Management page
  • D. Only correlation searches, glass tables, and workbench panels
Correct Answer: C. Any content type listed in the Content Management page

Question 6

How is it possible to specify an alternate location for accelerated storage?

  • A. Use the tstatsHomePath setting in indexes.conf
  • B. Update the Home Path setting in indexes.conf
  • C. Use the tstatsHomePath setting in props.conf
  • D. Configure storage optimization settings for the index
Correct Answer: A. Use the tstatsHomePath setting in indexes.conf

Question 7

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

  • A. ess_user
  • B. ess_admin
  • C. ess_analyst
  • D. ess_reviewer
Correct Answer: C. ess_analyst

Question 8

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

  • A. When adding apps to the deployment server
  • B. Splunk_TA_ForIndexers.spl is installed first
  • C. After installing ES on the search head(s) and running the distributed configuration management tool
  • D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command
Correct Answer: C. After installing ES on the search head(s) and running the distributed configuration management tool

Question 9

What should be used to map a non-standard field name to a CIM field name?

  • A. Field alias
  • B. Search time extraction
  • C. Tag
  • D. Eventtype
Correct Answer: A. Field alias

Question 10

What do threat gen searches produce?

  • A. Threat correlation searches
  • B. Threat intel in KV Store collections
  • C. Events in the threat_activity index
  • D. Threat notables in the notable index
Correct Answer: C. Events in the threat_activity index

Question 11

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

  • A. Nothing, there are no additional steps for add-ons
  • B. Configure the add-ons via the Content Management dashboard
  • C. Disable the add-ons until they are ready to be used, then enable the add-ons
  • D. Configure the add-ons according to their README or documentation
Correct Answer: D. Configure the add-ons according to their README or documentation

Question 12

What does the summariesonly=true option do for a correlation search?

  • A. Searches only accelerated data
  • B. Forwards summary indexes to the indexing tier
  • C. Uses a default summary time range
  • D. Searches summary indexes only
Correct Answer: A. Searches only accelerated data

Question 13

Where should an ES search head be installed?

  • A. On a Splunk server with top level visibility
  • B. On any Splunk server
  • C. On a server with a new install of Splunk
  • D. On a Splunk server running Splunk DB Connect
Correct Answer: C. On a server with a new install of Splunk

Question 14

Which two fields combine to create the Urgency of a notable event?

  • A. Priority and Severity
  • B. Priority and Criticality
  • C. Criticality and Severity
  • D. Precedence and Time
Correct Answer: A. Priority and Severity

Question 15

How should an administrator add a new lookup through the ES app?

  • A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
  • B. Upload the lookup file in Settings -> Lookups -> Lookup table files
  • C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
  • D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Correct Answer: D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Question 16

Adaptive response action history is stored in which index?

  • A. cim_modactions
  • B. modular_history
  • C. cim_adaptiveactions
  • D. modular_action_history
Correct Answer: A. cim_modactions

Question 17

Which of the following is a recommended pre-installation step?

  • A. Install the latest Python distribution on the search head
  • B. Download the latest version of KV Store from MongoDB.com
  • C. Configure search head forwarding
  • D. Disable the default search app
Correct Answer: C. Configure search head forwarding

Question 18

Which of the following is part of tuning correlation searches for a new ES installation?

  • A. Configuring correlation permissions
  • B. Configuring correlation adaptive responses
  • C. Configuring correlation notable event index
  • D. Configuring correlation result storage
Correct Answer: B. Configuring correlation adaptive responses

Question 19

The option to create a Short ID for a notable event is located where?

  • A. The Additional Fields
  • B. The Event Details
  • C. The Contributing Events
  • D. The Description
Correct Answer: B. The Event Details

Question 20

Which column in the Asset or Identity list is combined with event severity to make a notable event's urgency?

  • A. VIP
  • B. Priority
  • C. Importance
  • D. Criticality
Correct Answer: B. Priority