Practice Test 1

Question 1

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data.
What data model should be checked for potential errors such as skipped searches?

Answer 1

Authentication

Question 2

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

Answer 2

Run the correct search.

Question 3

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Answer 3

ess_analyst

Question 4

Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

Answer 4

Priority

Question 5

The Add-On Builder creates Splunk Apps that start with what?

Answer 5

TA-

Question 6

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Answer 6

Workstations, notebooks, and point-of-sale systems.

Question 7

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

Answer 7

$fieldname$

Question 8

What feature of Enterprise Security downloads threat intelligence data from a web server?

Answer 8

Threat Download Manager

Question 9

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Answer 9

A risk score.

Question 10

Which indexes are searched by default for CIM data models?

Answer 10

All indexes - Check

Question 11

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

Answer 11

tstatsHomePath

Question 12

Which of the following is a way to test for a property normalized data model?

Answer 12

Run a | datamodel search, compare results to the CIM documentation for the datamodel.

Question 13

Which argument to the | tstats command restricts the search to summarized data only?

Answer 13

summariesonly=t

Question 14

When investigating, what is the best way to store a newly-found IOC?

Answer 14

Click the “Add IOC” Button

Question 15

How is it possible to navigate to the list of currently-enabled ES correlation searches?

Answer 15

Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”

Question 16

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

Answer 16

Indexers have different settings.

Question 17

Which of the following are data models used by ES? (Choose all that apply.)

Answer 17

Web,Authentication, and Network Traffic

Question 18

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

Answer 18

After installing ES on the search head(s) and running the distributed configuration management tool.

Question 19

Which correlation search feature is used to throttle the creation of notable events?

Answer 19

Window duration

Question 20

Both Recommended Actions and Adaptive Response Actions use adaptive response. How do they differ?

Answer 20

Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

Question 21

What does the Security Posture dashboard display?

Answer 21

A display of the status of security tools

Question 22

10.22.63.159, websvr4, and 00:26:08:18: CF:1D would be matched against what in ES?

Answer 22

A device

Question 23

How should an administrator add a new lookup through the ES app?

Answer 23

Upload the lookup file in Settings -> Lookups -> Lookup Definitions

Question 24

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Answer 24

Summarized data

Question 25

Which of the following is a key feature of a glass table?

Answer 25

Interactive Investigation

Question 26

An administrator is asked to configure an Nslookup adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard.
What steps would the administrator take to configure this option?

Answer 26

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Question 27

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Answer 27

Configure -> Incident Management -> Incident Review Settings -> Table Attributes

Question 28

To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Answer 28

Protocol Analysis

Question 29

Adaptive response action history is stored in which index?

Answer 29

cim_modactions

Question 30

Which of the following actions would not reduce the number of false positives from a correlation search?

Answer 30

Reducing the severity.

Question 31

Where is the Add-On Builder available from?

Answer 31

SplunkBase

Question 32

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Answer 32

A prefix of Splunk_TA_

Question 33

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

Answer 33

$SPLUNK_HOME/etc/shcluster/apps

Question 34

How is notable event urgency calculated?

Answer 34

Severity set by the correlation search and priority assigned to the associated asset or identity. If more than one is involved in a single notable, the one with the highest priority determines urgency

Question 35

What kind of value is in the red box in this picture?

Next to IP in source

Answer 35

A risk score

Question 36

Where is it possible to export content, such as correlation searches, from ES?

Answer 36

Content management

Question 37

Which of the following threat intelligence types can ES download? (Choose all that apply.)

Answer 37

Text and STIX/TAXII

Question 38

A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance.
What is the best practice for installing ES?

Answer 38

Add a new search head and install ES on it.

Question 39

Enterprise Security’s dashboards primarily pull data from what type of knowledge object?

Answer 39

Data models

Question 40

To which of the following should the ES application be uploaded?

Answer 40

The search head.

Question 41

If a username does not match the `˜identity’ column in the identities list, which column is checked next?

Answer 41

Email.

Question 42

Which of the following features can the Add-on Builder configure in a new add-on?

Answer 42

Normalize data
summarize data
translate data

Question 43

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

Answer 43

100 GB Max

80 GB wile planning

Question 44

ES needs to be installed on a search head with which of the following options?

Answer 44

Only default built-in and CIM-compliant apps.

Question 45

Which settings indicates that the correlation search will be executed as new events are indexed?

Answer 45

Real Time

Question 46

Where are attachments to investigations stored?

Answer 46

Notable Index

Question 47

Which data model populates the panels on the Risk Analysis dashboard?

Answer 47

Risk

Question 48

How is it possible to navigate to the ES graphical Navigation Bar editor?

Answer 48

Configure -> General -> Navigation

Question 49

An administrator is provisioning one search head prior to installing ES.
What are the reference minimum requirements for OS, CPU, and RAM for that machine?

Answer 49

OS: 64 bit, RAM: 32 GB, CPU: 16 cores

Question 50

What tools does the Risk Analysis dashboard provide?

Answer 50

Notable event domains displayed by risk score. and display of the highest risk assets and identities.

Question 51

When ES content is exported, an app with a .spl extension is automatically created.What is the best practice when exporting and importing updates to ES content?

Answer 51

Either use new app names or always include both existing and new content.

Question 52

Who can delete an investigation?

Answer 52

The investigation owner and ess-admin

Question 53

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Answer 53

Splunk_TA_ForIndexers.spl

Question 54

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated.
How can the correlation search be made less sensitive?

Answer 54

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

Question 55

Which of the following actions can improve overall search performance?

Answer 55

Reduce the frequency (schedule) of lower-priority correlation searches.

Question 56

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Answer 56

Key Indicator search

Question 57

Which component normalizes events?

Answer 57

SA-CIM.

Question 58

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering.
What feature would satisfy this requirement?

Answer 58

Index consistency

Question 59

What is the first step when preparing to install ES?

Answer 59

Determine the size and scope of installation.

Question 60

What is the default schedule for accelerating ES Datamodels?

Answer 60

5 minutes

Question 61

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

Answer 61

x3.4

Question 62

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Answer 62

Configure the add-ons according to their README or documentation.

Question 63

What can be exported from ES using the Content Management page?

Answer 63

You can export any type of content on the Content Management page, such as correlation searches, data models, and views

Question 64

Where should an ES search head be installed?

Answer 64

On a server with a new install of Splunk.

Question 65

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.
How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

Answer 65

From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

Question 66

Which of the following actions may be necessary before installing ES?

Answer 66

Add additional indexers.

Question 67

A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

Answer 67

Increase memory and CPUs on the search head(s) and add additional indexers.

Question 68

What should be used to map a non-standard field name to a CIM field name?

Answer 68

Field alias.

Question 69

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Answer 69

Threat intel.

Question 70

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.
What is a solution for this issue?

Answer 70

Modify the correlation schedule and sensitivity for your site.

Question 71

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

Answer 71

From the Edit Navigation page, click the “Set this as the default view” checkmark for Threat Activity.

Question 72

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?

Answer 72

indexes.conf, props.conf, transforms.conf

Question 73

Which feature contains scenarios that are useful during ES implementation?

Answer 73

Use Case Library

Question 74

Where is detailed information about identities stored?

Answer 74

The Identity Lookup CSV file.

Question 75

The option to create a Short ID for a notable event is located where?

Answer 75

The Event Details.

Question 76

A newly built custom dashboard needs to be available to a team of security analysts in ES.
How is it possible to integrate the new dashboard?

Answer 76

Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.

Question 77

What is the bar across the bottom of any ES window?

Answer 77

The Investigation Bar.

Question 78

Which two fields combine to create the Urgency of a notable event?

Answer 78

Priority and Severity.

Question 79

What do threat gen searches produce?

Answer 79

Events in the threat_activity index.

Question 80

Check- Which of the following is part of tuning correlation searches for a new ES installation?

Answer 80

Configuring correlation adaptive responses.

Question 81

Which columns in the Assets lookup are used to identify an asset in an event?

Answer 81

ip, mac, dns, nt_host

Question 82

What does the summariesonly=true option do for a correlation search?

Answer 82

Searches only accelerated data.

Question 83

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

Answer 83

SplunkWeb (8000), Splunk Management (8089), KV Store (8191)

Question 84

What is the main purpose of the Dashboard Requirements Matrix document?

Answer 84

Identifies on which data model(s) each dashboard depends.

Question 85

Which of the following is a recommended pre-installation step?

Answer 85

Configure search head forwarding.

Question 86

What are adaptive responses triggered by?

Answer 86

By correlation searches and users on the incident review dashboard.

Question 87

Which of the following is an adaptive action that is configured by default for ES?

Answer 87

Create notable event

Question 88

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

Answer 88

SplunkWeb (8000), Splunk Management (8089), KV Store (8191)

Question 89

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

Answer 89

$fieldname$

Question 90

When a correlation search detects an issue, it can initiate one or more.

Answer 90

Adaptive response actions

Question 91

The most common adaptive response action is?

Answer 91

To create a notable event

Question 92

Besides the most common adaptive response what are some other options?

Answer 92

-Adding risk objects
-Sending email
-Running a script
-Sending data to UBA
Ping or nslookup

Question 93

In the incident review dashboard adding multiple values per field are ____ together.

Answer 93

OR’d

Question 94

In the incident review dashboard urgency values can be _______.

Answer 94

toggled on and off

Question 95

In the incident review dashboard If values are set for more than one field they are _______ together.

Answer 95

AND’d

Question 96

ES Admins can define new status values and assign values to different rules. Where would you do this.

Answer 96

Configure > Incident Management > Status Configuration

Question 97

Identities are?

Answer 97

people, identified by user name, email address, etc.

Question 98

How can ES Admins can configure an objects risk value?

Answer 98

Manually or by correlation search.

Question 99

Why would you edit the risk analysis response action in a correlation search.

Answer 99

To modify the risk score that is assigned to an object.

Question 100

What ability would ess_analyst need to edit adaptive response action.

Answer 100

Edit correlation searches

Question 101

Adding ES to an existing site requires.

Answer 101

An extra search head and an additional indexers.

Question 102

The exact number of additional indexers ES needs depends on.

Answer 102

-Types and amounts of data being used
-Number of active correlation searches
-Number of real-time searches

Question 103

ES configures Splunk to use what type of searching.

Answer 103

Indexed real-time seach

Question 104

TA

Answer 104

Tech addon (input,normalization)

Question 105

DA

Answer 105

Domain addon (views, ui components)

Question 106

SA

Answer 106

Supporting addons (Searches, macros, data models, utilities)

Question 107

ES also installs

Answer 107

MTLK and UBA

Question 108

By default only users with ess_admin role can edit _____.

Answer 108

ES navigation

Question 109

Edit ES navigation can be given to ess_analyst and ess_user roles by who?

Answer 109

Admins

Question 110

Data models are

Answer 110

conceptual maps not containers

Question 111

Forwarder audit helps with

Answer 111

Ensures hosts are properly forwarding data to splunk

Detects forwarders that have failed

Can be set to monitor all hosts, or only hosts configured as is_expected in the ES assets look up table

Question 112

All correlation searches are

Answer 112

Disabled by default, enable only those that are needed.

Question 113

Scheduled correlation searches default to.

Answer 113

5 min

Question 114

Threshold

Answer 114

The criteria that causes a correlation search to trigger.

Question 115

Scheduling and throttling

Answer 115

How often to run the search and how often to generate notable events for the same type of events.

Question 116

Adaptive Responses

Answer 116

List of actions to take, including possibly creating a notable event or setting risk.

Question 117

Asset

Answer 117

Device

Question 118

Identity

Answer 118

Person

Question 119

Threat Intel

Answer 119

Locally produced and manged collections of treat intelligence