Splunk splk-3001 practice test

Splunk Enterprise Security Certified Admin Exam

Last exam update: Jun 18 ,2024
Page 1 out of 7. Viewing questions 1-15 out of 99

Question 1

After data is ingested, which data management step is essential to ensure raw data can be
accelerated by a Data Model and used by ES?

  • A. Applying Tags.
  • B. Normalization to Customer Standard.
  • C. Normalization to the Splunk Common Information Model.
  • D. Extracting Fields.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

How does ES know local customer domain names so it can detect internal vs. external emails?

  • A. Web and email domain names are set in General -> General Configuration.
  • B. ES uses the User Activity index and applies machine learning to determine internal and external domains.
  • C. The Corporate Web and Email Domain Lookups are edited during initial configuration.
  • D. ES extracts local email and web domains automatically from SMTP and HTTP logs.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

What are adaptive responses triggered by?

  • A. By correlation searches and users on the incident review dashboard.
  • B. By correlation searches and custom tech add-ons.
  • C. By correlation searches and users on the threat analysis dashboard.
  • D. By custom tech add-ons and users on the risk analysis dashboard.
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

What is the main purpose of the Dashboard Requirements Matrix document?

  • A. Identifies on which data model(s) each dashboard depends.
  • B. Provides instructions for customizing each dashboard for local data models.
  • C. Identifies the searches used by the dashboards.
  • D. Identifies which data model(s) depend on each dashboard.
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

What does the summariesonly=true option do for a correlation search?

  • A. Searches only accelerated data.
  • B. Forwards summary indexes to the indexing tier.
  • C. Uses a default summary time range.
  • D. Searches summary indexes only.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-do-correlation-
searches-in- Enterprise-Security-not-use-quot/m-p/262622

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Which columns in the Assets lookup are used to identify an asset in an event?

  • A. src, dvc, dest
  • B. cidr, port, netbios, saml
  • C. ip, mac, dns, nt_host
  • D. host, hostname, url, address
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Formatassetoridentitylist

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

Which two fields combine to create the Urgency of a notable event?

  • A. Priority and Severity.
  • B. Priority and Criticality.
  • C. Criticality and Severity.
  • D. Precedence and Time.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/User/Howurgencyisassigned

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Where is detailed information about identities stored?

  • A. The Identity Investigator index.
  • B. The Access Anomalies collection.
  • C. The User Activity index.
  • D. The Identity Lookup CSV file.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

A set of correlation searches are enabled at a new ES installation, and results are being monitored.
One of the correlation searches is generating many notable events which, when evaluated, are
determined to be false positives.
What is a solution for this issue?

  • A. Suppress notable events from that correlation search.
  • B. Disable acceleration for the correlation search to reduce storage requirements.
  • C. Modify the correlation schedule and sensitivity for your site.
  • D. Change the correlation search's default status and severity.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following lookup types in Enterprise Security contains information about known hostile
IP addresses?

  • A. Security domains.
  • B. Threat intel.
  • C. Assets.
  • D. Domains.
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Manageinternallookups

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

What should be used to map a non-standard field name to a CIM field name?

  • A. Field alias.
  • B. Search time extraction.
  • C. Tag.
  • D. Eventtype.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

A customer site is experiencing poor performance. The UI response time is high and searches take a
very long time to run. Some operations time out and there are errors in the scheduler logs, indicating
too many concurrent searches are being started. 6 total correlation searches are scheduled and they
have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

  • A. Change the search heads to do local indexing of summary searches.
  • B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
  • C. Increase memory and CPUs on the search head(s) and add additional indexers.
  • D. If indexed realtime search is enabled, disable it for the notable index.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Following the installation of ES, an admin configured users with the ess_user role the ability to close
notable events.
How would the admin restrict these users from being able to change the status of Resolved notable
events to Closed?

  • A. In Enterprise Security, give the ess_user role the Own Notable Events permission.
  • B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
  • C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
  • D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

What can be exported from ES using the Content Management page?

  • A. Only correlation searches, managed lookups, and glass tables.
  • B. Only correlation searches.
  • C. Any content type listed in the Content Management page.
  • D. Only correlation searches, glass tables, and workbench panels.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Export#:~:text=as%20an%20app-,Export
%20content%20from%20Splunk%20Enterprise%20Security%20as,from%20the%20Content%20Mana
gement
%20page.&text=You%20can%20export%20any%20type,%2C%20data%20models%2C%20and%20vie
ws.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Accelerated data requires approximately how many times the daily data volume of additional storage
space per year?

  • A. 3.4
  • B. 5.7
  • C. 1.0
  • D. 2.5
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Install/Datamodels

Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2