SPLK-3001 Practice Exam Questions with Answers Splunk Enterprise Security Certified Admin Exam Certification

Adaptive responses are actions that can be performed in response to notable events or other security incidents. Adaptive responses can be triggered by correlation searches and users on the incident review dashboard. Correlation searches are scheduled searches that run periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. Users can configure correlation searches to trigger adaptive responses automatically when a notable event is created. Users can also run adaptive responses manually from the incident review dashboard, which displays the notable events and their details. Users can select one or more notable events and choose an adaptive response action from the menu. Adaptive responses can help users to gather information, modify the environment, or take other actions to investigate and respond to security incidents. References =

• Adaptive Response Framework overview
• Run Adaptive Response actions from the Incident Review dashboard

In order to include an eventtype in a data model node, you need to apply the correct tags to the eventtype. Tags are labels that you can assign to event types to identify them as belonging to a specific category or domain. Tags are used by data models to map event types to data model nodes. For example, if you have an eventtype named windows_performance that contains events related to Windows performance metrics, you can tag it with performance and os. Then, you can include the eventtype in a data model node that matches those tags, such as the Performance node in the Operating System data model12. To apply tags to an eventtype, you can use the Settings > Event types page in Splunk Web, or the eventtypes.conf and tags.conf configuration files3. References = 1: About data models - Splunk Documentation - How data models use tags. 2: Use tags to map event types to data model nodes - Splunk Documentation. 3: About event types - Splunk Documentation - Tag event types.

 According to the Splunk Enterprise Security documentation, the Create Notable Event adaptive response action is one of the included adaptive response actions that is configured by default for ES. This action allows you to create a notable event from the results of a correlation search or from the details of another notable event. You can customize the title, description, urgency, owner, and other fields of the notable event. The Create Notable Event action is useful for creating alerts or tasks based on specific conditions or criteria. Therefore, the correct answer is A. Create notable event. References = Create Notable Event.

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

• Technology add-ons overview
• Splunk Common Information Model Add-on
• Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

Correlation searches can perform adaptive response actions when they find a pattern in the data. Adaptive response actions are automated or manual responses that you can use to modify your environment based on notable events. For example, you can block an IP address, add a user to a watchlist, or send an email notification. Configuring correlation adaptive responses is part of tuning correlation searches for a new ES installation, as it allows you to customize the actions that are triggered by the correlation searches. You can enable, disable, or modify the adaptive response actions for each correlation search, or create your own custom actions. References =

• Configure correlation searches in Splunk Enterprise Security
• Adaptive Response Framework overview

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

• Managing data models in Enterprise Security

 This is because ES is a resource-intensive application that requires a dedicated search head with sufficient CPU and memory. Installing ES on the existing search head may cause performance issues and conflicts with other applications. Deleting the non-CIM-compliant apps from the search head is not recommended, as they are mission-critical for the site. Increasing the number of CPUs and amount of memory on the search head may not be enough to handle the load of ES and other applications. Therefore, option B is the most suitable answer. You can find more information about installing ES on this web page1.

The endpoint security domain dashboards in Splunk Enterprise Security display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. The sources for events in the endpoint security domain dashboards are the devices that are considered endpoints in your network, such as workstations, notebooks, and point-of-sale systems1. References = 1: Introduction to the dashboards available in Splunk Enterprise Security - Endpoint domain dashboards.

 The Threat Download Manager is a feature of Splunk Enterprise Security that downloads threat intelligence data from a web server. The Threat Download Manager is a modular input that runs on a schedule and fetches threat intelligence data from various sources, such as STIX/TAXII servers, RSS feeds, or custom URLs. The Threat Download Manager then passes the downloaded data to the Threat Intelligence Parser for further processing12. References = 1: Add threat intelligence to Splunk Enterprise Security - Splunk Documentation - Configure the threat intelligence sources included with Splunk Enterprise Security. 2: Using threat intelligence in Splunk Enterprise Security - Splunk Lantern - Where do I get threat intelligence?

According to the Splunk Enterprise Security documentation, one of the actions that may be necessary before installing ES is to redirect distributed search connections. This action is required if you are installing ES on a search head that is already connected to a distributed search environment, such as a search head cluster or a search head pool. You need to redirect the distributed search connections from the existing search head to a new search head that will run ES. This is because ES requires a dedicated search head that is not shared with other apps or users. You can use the Distributed Configuration Management tool to redirect the distributed search connections and create a Splunk Enterprise Security app for indexers. See Redirect distributed search connections for more details.

The other actions are not necessary before installing ES, but they may be helpful for optimizing the performance and scalability of ES. Purging KV Store can free up some disk space and remove stale data, but it is not required before installing ES. See Purge the KV Store for more information. Adding additional indexers can improve the indexing and searching capacity of ES, but it is not required before installing ES. See Deployment planning for more information. Adding additional forwarders can increase the data ingestion and forwarding capability of ES, but it is not required before installing ES. See Forward data to Splunk Enterprise Security for more information. References =

• Redirect distributed search connections
• Purge the KV Store
• Deployment planning
• Forward data to Splunk Enterprise Security.

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

• Manage assets and identities in Splunk Enterprise Security
• People

According to the Splunk Enterprise Security documentation, the default schedule for accelerating ES data models is every 5 minutes. This means that the data model acceleration searches run every 5 minutes to summarize the newly indexed data and store the results in the tsidx files. The 5-minute schedule is recommended for most use cases, as it provides a balance between search performance and resource consumption. However, you can change the schedule of a data model acceleration search in the Content Management page of Splunk Enterprise Security, if needed. See Configure data models for Splunk Enterprise Security for more details. References = Configure data models for Splunk Enterprise Security.

A field alias is a knowledge object that maps a non-standard field name to a CIM field name. A field alias allows you to use the same search string to retrieve data from different data sources, even if the data sources use different field names for the same type of data. For example, if you have data sources that use different field names for the source IP address, such as src_ip, source_ip, or sip, you can create a field alias that maps these field names to the CIM field name src. This way, you can use src as a common field name in your searches and reports, and Splunk will automatically replace it with the appropriate field name for each data source. Field aliases are applied at search time, so they do not affect the original data or the index time field extractions. References =

• Normalizing values to a common field name with the Common Information Model (CIM)
• Field aliases

Onboarding data to Splunk Enterprise Security

 According to the Splunk Enterprise Security documentation, only users with the ess_admin role or the Manage All Investigations capability can delete an investigation. The investigation owner and collaborators can edit the investigation, but not delete it. Therefore, the correct answer is A. ess_admin users only. References = Manage investigations in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, the Protocol Intelligence dashboards are the dashboards that support the ability to view and analyze network Stream data. The Protocol Intelligence dashboards provide a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. They also show the top sources, destinations, ports, and applications for each protocol. The dashboards allow you to filter the data by time range, protocol, source, destination, port, and application. The dashboards also provide drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. The Protocol Intelligence dashboards require the Splunk App for Stream and the Splunk Add-on for Stream to capture and parse network traffic data. Therefore, the correct answer is C. Protocol Intelligence dashboards. References = Protocol Intelligence dashboards.

Anomali ThreatStream App for Splunk | Splunkbase

 You can export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. The Content Management page allows you to view, edit, enable, disable, and export content in Splunk Enterprise Security. You can also import content from other ES instances or from the Splunk Security Essentials app. References =

• Export content from Splunk Enterprise Security as an app
• Content Management

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events. The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation12. References = 1: Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role. 2: Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

According to the Splunk Enterprise Security documentation, the Use Case Library is a feature that contains scenarios that are useful during ES implementation. The Use Case Library provides a collection of Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches, data sources, and explanations that you need to implement the scenario in your own ES environment. The Use Case Library also allows you to explore, activate, bookmark, and configure the searches that are related to each Analytic Story. You can filter the Analytic Stories by industry use cases, frameworks, or data sources. The Use Case Library helps you to quickly and easily deploy the most relevant security content for your organization. Therefore, the correct answer is A. Use Case Library. References = Manage Analytic Stories through the use case library in Splunk Enterprise Security.

Splunk Enterprise Security: SIEM Use Case Library | Splunk

 The point in the ES installation process when Splunk_TA_ForIndexes.spl should be deployed to the indexers is after installing ES on the search head(s) and running the distributed configuration management tool. Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on. The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.

The Splunk Add-on Builder helps you create technology add-ons, which are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. Technology add-ons are often referred to as TAs, and they start with the prefix TA-12. References = 1: Splunk Add-on Builder User Guide - About the Splunk Add-on Builder 2: Splunk Developer Portal - Develop Splunk Apps

 Adaptive response action history is stored in the cim_modactions index. This index contains the events generated by the adaptive response actions that are triggered by correlation searches or run manually from Incident Review. You can use this index to search, audit, and report on the adaptive response actions that have been executed in your environment. You can also view the adaptive response action history on the Adaptive Response dashboard in Enterprise Security1. References =

• Adaptive Response dashboard - Splunk Documentation

The tstatsHomePath setting in indexes.conf allows you to specify an alternate location for accelerated storage. Accelerated storage is where Splunk Enterprise stores the summary data for data models that are accelerated. The summary data is used to speed up searches and reports that use the data models. By default, the accelerated storage is located in the same volume as the index that contains the events referenced by the data model. However, you can use the tstatsHomePath setting to change the location of the accelerated storage to a different volume or path. This can help you optimize the performance and disk space usage of your Splunk Enterprise deployment. References =

• Use the tstatsHomePath setting in indexes.conf if you need to specify alternate locations for your accelerated storage
• tstatsHomePath setting in indexes.conf.spec

According to the Splunk Enterprise Security documentation, the first step when preparing to install ES is to determine the size and scope of installation. This involves estimating the amount of data that you plan to ingest, the number of users that will access ES, the number of search heads and indexers that you need, and the hardware requirements for each component. This step helps you plan your deployment architecture and ensure optimal performance and scalability of ES. Therefore, the correct answer is D. Determine the size and scope of installation. References = Deployment planning.