New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

SPLK-3001 Splunk Enterprise Security Certified Admin Exam Questions and Answers

Questions 4

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

Options:

A.

50 GB

B.

100 GB

C.

300 GB

D.

500 MB

Buy Now
Questions 5

“10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against what in ES?

Options:

A.

A user.

B.

A device.

C.

An asset.

D.

An identity.

Buy Now
Questions 6

What does the summariesonly=true option do for a correlation search?

Options:

A.

Searches only accelerated data.

B.

Forwards summary indexes to the indexing tier.

C.

Uses a default summary time range.

D.

Searches summary indexes only.

Buy Now
Questions 7

What is the main purpose of the Dashboard Requirements Matrix document?

Options:

A.

Identifies on which data model(s) each dashboard depends.

B.

Provides instructions for customizing each dashboard for local data models.

C.

Identifies the searches used by the dashboards.

D.

Identifies which data model(s) depend on each dashboard.

Buy Now
Questions 8

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

Options:

A.

SplunkWeb (8068), Splunk Management (8089), KV Store (8000)

B.

SplunkWeb (8390), Splunk Management (8323), KV Store (8672)

C.

SplunkWeb (8000), Splunk Management (8089), KV Store (8191)

D.

SplunkWeb (8043), Splunk Management (8088), KV Store (8191)

Buy Now
Questions 9

A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

Options:

A.

Install ES on the existing search head.

B.

Add a new search head and install ES on it.

C.

Increase the number of CPUs and amount of memory on the search head, then install ES.

D.

Delete the non-CIM-compliant apps from the search head, then install ES.

Buy Now
Questions 10

Adaptive response action history is stored in which index?

Options:

A.

cim_modactions

B.

modular_history

C.

cim_adaptiveactions

D.

modular_action_history

Buy Now
Questions 11

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Options:

A.

Index consistency.

B.

Data integrity control.

C.

Indexer acknowledgement.

D.

Index access permissions.

Buy Now
Questions 12

Which of the following is part of tuning correlation searches for a new ES installation?

Options:

A.

Configuring correlation notable event index.

B.

Configuring correlation permissions.

C.

Configuring correlation adaptive responses.

D.

Configuring correlation result storage.

Buy Now
Questions 13

ES needs to be installed on a search head with which of the following options?

Options:

A.

No other apps.

B.

Any other apps installed.

C.

All apps removed except for TA-*.

D.

Only default built-in and CIM-compliant apps.

Buy Now
Questions 14

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Options:

A.

Correlation editor.

B.

Key indicator search.

C.

Threat download dashboard.

D.

Protocol intelligence dashboard.

Buy Now
Questions 15

Which columns in the Assets lookup are used to identify an asset in an event?

Options:

A.

src, dvc, dest

B.

cidr, port, netbios, saml

C.

ip, mac, dns, nt_host

D.

host, hostname, url, address

Buy Now
Questions 16

Which of the following are data models used by ES? (Choose all that apply)

Options:

A.

Web

B.

Anomalies

C.

Authentication

D.

Network Traffic

Buy Now
Questions 17

Which of the following features can the Add-on Builder configure in a new add-on?

Options:

A.

Expire data.

B.

Normalize data.

C.

Summarize data.

D.

Translate data.

Buy Now
Questions 18

Which of the following is an adaptive action that is configured by default for ES?

Options:

A.

Create notable event

B.

Create new correlation search

C.

Create investigation

D.

Create new asset

Buy Now
Questions 19

Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?

Options:

A.

Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.

B.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

C.

Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.

D.

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.

Buy Now
Questions 20

How is notable event urgency calculated?

Options:

A.

Asset priority and threat weight.

B.

Alert severity found by the correlation search.

C.

Asset or identity risk and severity found by the correlation search.

D.

Severity set by the correlation search and priority assigned to the associated asset or identity.

Buy Now
Questions 21

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

Options:

A.

OS: 32 bit, RAM: 16 MB, CPU: 12 cores

B.

OS: 64 bit, RAM: 32 MB, CPU: 12 cores

C.

OS: 64 bit, RAM: 12 MB, CPU: 16 cores

D.

OS: 64 bit, RAM: 32 MB, CPU: 16 cores

Buy Now
Questions 22

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Options:

A.

Use new app names each time content is exported.

B.

Do not use the .spl extension when naming an export.

C.

Always include existing and new content for each export.

D.

Either use new app names or always include both existing and new content.

Buy Now
Questions 23

Which of the following actions may be necessary before installing ES?

Options:

A.

Redirect distributed search connections.

B.

Purge KV Store.

C.

Add additional indexers.

D.

Add additional forwarders.

Buy Now
Questions 24

Enterprise Security’s dashboards primarily pull data from what type of knowledge object?

Options:

A.

Tstats

B.

KV Store

C.

Data models

D.

Dynamic lookups

Buy Now
Questions 25

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

Options:

A.

$SPLUNK_HOME/etc/master-apps/

B.

$SPLUNK_HOME/etc/system/local/

C.

$SPLUNK_HOME/etc/shcluster/apps

D.

$SPLUNK_HOME/var/run/searchpeers/

Buy Now
Questions 26

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Options:

A.

An urgency.

B.

A risk profile.

C.

An aggregation.

D.

A numeric score.

Buy Now
Questions 27

When investigating, what is the best way to store a newly-found IOC?

Options:

A.

Paste it into Notepad.

B.

Click the “Add IOC” button.

C.

Click the “Add Artifact” button.

D.

Add it in a text note to the investigation.

Buy Now
Questions 28

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.

What is a solution for this issue?

Options:

A.

Suppress notable events from that correlation search.

B.

Disable acceleration for the correlation search to reduce storage requirements.

C.

Modify the correlation schedule and sensitivity for your site.

D.

Change the correlation search's default status and severity.

Buy Now
Questions 29

What is the first step when preparing to install ES?

Options:

A.

Install ES.

B.

Determine the data sources used.

C.

Determine the hardware required.

D.

Determine the size and scope of installation.

Buy Now
Exam Code: SPLK-3001
Exam Name: Splunk Enterprise Security Certified Admin Exam
Last Update: Dec 27, 2024
Questions: 99
SPLK-3001 pdf

SPLK-3001 PDF

$25.5  $84.99
SPLK-3001 Engine

SPLK-3001 Testing Engine

$30  $99.99
SPLK-3001 PDF + Engine

SPLK-3001 PDF + Testing Engine

$40.5  $134.99