Splunk splk-3001 practice test

Splunk Enterprise Security Certified Admin

Last exam update: Dec 15 ,2025
Page 1 out of 7. Viewing questions 1-15 out of 99

Question 1

The Add-On Builder creates Splunk Apps that start with what?

  • A. DA-
  • B. SA-
  • C. TA-
  • D. App-
Mark Question:
Answer:

C


Explanation:
Reference:
https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following are examples of sources for events in the endpoint security domain
dashboards?

  • A. REST API invocations.
  • B. Investigation final results status.
  • C. Workstations, notebooks, and point-of-sale systems.
  • D. Lifecycle auditing of incidents, from assignment to resolution.
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

When creating custom correlation searches, what format is used to embed field values in the title,
description, and drill-down fields of a notable event?

  • A. $fieldname$
  • B. “fieldname”
  • C. %fieldname%
  • D. _fieldname_
Mark Question:
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/Createcorrelationsearch

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

What feature of Enterprise Security downloads threat intelligence data from a web server?

  • A. Threat Service Manager
  • B. Threat Download Manager
  • C. Threat Intelligence Parser
  • D. Therat Intelligence Enforcement
Mark Question:
Answer:

B


Explanation:
"The Threat Intelligence Framework provides a modular input (Threat Intelligence Downloads) that
handles the majority of configurations typically needed for downloading intelligence files & data. To
access this modular input, you simply need to create a stanza in your Inputs.conf file called
“threatlist”."

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

The Remote Access panel within the User Activity dashboard is not populating with the most recent
hour of dat
a. What data model should be checked for potential errors such as skipped searches?

  • A. Web
  • B. Risk
  • C. Performance
  • D. Authentication
Mark Question:
Answer:

D


Explanation:
Reference:
https://answers.splunk.com/answers/565482/how-to-resolve-skipped-scheduled-searches.html

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

In order to include an eventtype in a data model node, what is the next step after extracting the
correct fields?

  • A. Save the settings.
  • B. Apply the correct tags.
  • C. Run the correct search.
  • D. Visit the CIM dashboard.
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizeOSSECdata

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

What role should be assigned to a security team member who will be taking ownership of notable
events in the incident review dashboard?

  • A. ess_user
  • B. ess_admin
  • C. ess_analyst
  • D. ess_reviewer
Mark Question:
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which column in the Asset or Identity list is combined with event security to make a notable event’s
urgency?

  • A. VIP
  • B. Priority
  • C. Importance
  • D. Criticality
Mark Question:
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

  • A. An urgency.
  • B. A risk profile.
  • C. An aggregation.
  • D. A numeric score.
Mark Question:
Answer:

D


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskScoring

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which indexes are searched by default for CIM data models?

  • A. notable and default
  • B. summary and notable
  • C. _internal and summary
  • D. All indexes
Mark Question:
Answer:

D


Explanation:
Reference:
https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

  • A. thawedPath
  • B. tstatsHomePath
  • C. summaryHomePath
  • D. warmToColdScript
Mark Question:
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the following is a way to test for a property normalized data model?

  • A. Use Audit -> Normalization Audit and check the Errors panel.
  • B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
  • C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
  • D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.
Mark Question:
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Which argument to the | tstats command restricts the search to summarized data only?

  • A. summaries=t
  • B. summaries=all
  • C. summariesonly=t
  • D. summariesonly=all
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

When investigating, what is the best way to store a newly-found IOC?

  • A. Paste it into Notepad.
  • B. Click the “Add IOC” button.
  • C. Click the “Add Artifact” button.
  • D. Add it in a text note to the investigation.
Mark Question:
Answer:

C


User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

How is it possible to navigate to the list of currently-enabled ES correlation searches?

  • A. Configure -> Correlation Searches -> Select Status “Enabled”
  • B. Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”
  • C. Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”
  • D. Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “- Rule”
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Listcorrelationsearches

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2