Splunk splk-3001 practice test

Splunk Enterprise Security Certified Admin Exam

Last exam update: Sep 12 ,2024
Page 1 out of 6. Viewing questions 1-15 out of 99

Question 1

What should be used to map a non-standard field name to a CIM field name?

  • A. Field alias.
  • B. Search time extraction.
  • C. Tag.
  • D. Eventtype.
Answer:

A


User Votes:
A 2 votes
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

A customer site is experiencing poor performance. The UI response time is high and searches take a
very long time to run. Some operations time out and there are errors in the scheduler logs, indicating
too many concurrent searches are being started. 6 total correlation searches are scheduled and they
have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

  • A. Change the search heads to do local indexing of summary searches.
  • B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
  • C. Increase memory and CPUs on the search head(s) and add additional indexers.
  • D. If indexed realtime search is enabled, disable it for the notable index.
Answer:

C


User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Following the installation of ES, an admin configured users with the ess_user role the ability to close
notable events.
How would the admin restrict these users from being able to change the status of Resolved notable
events to Closed?

  • A. In Enterprise Security, give the ess_user role the Own Notable Events permission.
  • B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
  • C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
  • D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Answer:

C


User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

What can be exported from ES using the Content Management page?

  • A. Only correlation searches, managed lookups, and glass tables.
  • B. Only correlation searches.
  • C. Any content type listed in the Content Management page.
  • D. Only correlation searches, glass tables, and workbench panels.
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Export#:~:text=as%20an%20app-,Export
%20content%20from%20Splunk%20Enterprise%20Security%20as,from%20the%20Content%20Mana
gement
%20page.&text=You%20can%20export%20any%20type,%2C%20data%20models%2C%20and%20vie
ws.

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Accelerated data requires approximately how many times the daily data volume of additional storage
space per year?

  • A. 3.4
  • B. 5.7
  • C. 1.0
  • D. 2.5
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/ES/6.4.1/Install/Datamodels

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

When installing Enterprise Security, what should be done after installing the add-ons necessary for
normalizing data?

  • A. Configure the add-ons according to their README or documentation.
  • B. Disable the add-ons until they are ready to be used, then enable the add-ons.
  • C. Nothing, there are no additional steps for add-ons.
  • D. Configure the add-ons via the Content Management dashboard.
Answer:

A


User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

How is it possible to specify an alternate location for accelerated storage?

  • A. Configure storage optimization settings for the index.
  • B. Update the Home Path setting in indexes, conf
  • C. Use the tstatsHomePath setting in props, conf
  • D. Use the tstatsHomePath Setting in indexes, conf
Answer:

C


User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

A security manager has been working with the executive team en long-range security goals. A
primary goal for the team Is to Improve managing user risk in the organization. Which of the
following ES features can help identify users accessing inappropriate web sites?

  • A. Configuring the identities lookup with user details to enrich notable event Information for forensic analysis.
  • B. Make sure the Authentication data model contains up-to-date events and is properly accelerated.
  • C. Configuring user and website watchlists so the User Activity dashboard will highlight unwanted user actions.
  • D. Use the Access Anomalies dashboard to identify unusual protocols being used to access corporate sites.
Answer:

C


User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which of the following is part of tuning correlation searches for a new ES installation?

  • A. Configuring correlation notable event index.
  • B. Configuring correlation permissions.
  • C. Configuring correlation adaptive responses.
  • D. Configuring correlation result storage.
Answer:

A


User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

What do threat gen searches produce?

  • A. Threat Intel in KV Store collections.
  • B. Threat correlation searches.
  • C. Threat notables in the notable index.
  • D. Events in the threat_activity index.
Answer:

D


Explanation:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Createthreatmatchspecs

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

  • A. From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page.
  • B. From the Preferences menu for the user, select Enterprise Security as the default application.
  • C. From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity.
  • D. Edit the Threat Activity view settings and checkmark the Default View option.
Answer:

C


User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

What is an example of an ES asset?

  • A. MAC address
  • B. User name
  • C. Server
  • D. People
Answer:

A


User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

After managing source types and extracting fields, which key step comes next In the Add-On Builder?

  • A. Validate and package
  • B. Configure data collection.
  • C. Create alert actions.
  • D. Map to data models.
Answer:

D


User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

The option to create a Short ID for a notable event is located where?

  • A. The Additional Fields.
  • B. The Event Details.
  • C. The Contributing Events.
  • D. The Description.
Answer:

B


Explanation:
https://docs.splunk.com/Documentation/ES/6.4.1/User/Takeactiononanotableevent

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Which feature contains scenarios that are useful during ES Implementation?

  • A. Use Case Library
  • B. Correlation Searches
  • C. Predictive Analytics
  • D. Adaptive Responses
Answer:

B


Explanation:
Reference:
https://www.splunk.com/pdfs/professional-services/2019/splunk-enterprise-security
-
implementation-success.pdf

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2