Practice Test 1 Flashcards
The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data.
What data model should be checked for potential errors such as skipped searches?
Authentication
In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?
Run the correct search.
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?
ess_analyst
Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?
Priority
The Add-On Builder creates Splunk Apps that start with what?
TA-
Which of the following are examples of sources for events in the endpoint security domain dashboards?
Workstations, notebooks, and point-of-sale systems.
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
$fieldname$
What feature of Enterprise Security downloads threat intelligence data from a web server?
Threat Download Manager
What does the risk framework add to an object (user, server or other type) to indicate increased risk?
A risk score.
Which indexes are searched by default for CIM data models?
All indexes
Which setting is used in indexes.conf to specify alternate locations for accelerated storage?
tstatsHomePath
Which of the following is a way to test for a property normalized data model?
Run a | datamodel search, compare results to the CIM documentation for the datamodel.
Which argument to the | tstats command restricts the search to summarized data only?
summariesonly=t
When investigating, what is the best way to store a newly-found IOC?
Click the Add Artifact.
How is it possible to navigate to the list of currently-enabled ES correlation searches?
Configure -> Content Management -> Select Type Correlation and Status Enabled
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
Indexers have different settings.
Which of the following are data models used by ES? (Choose all that apply.)
Web,Authentication, and Network Traffic
At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?
After installing ES on the search head(s) and running the distributed configuration management tool.
Which correlation search feature is used to throttle the creation of notable events?
Window duration.
Both Recommended Actions
and Adaptive Response Actions
use adaptive response. How do they differ?
Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run automatically without analyst intervention.
What does the Security Posture dashboard display?
A high-level overview of notable events.
10.22.63.159
, websvr4
, and 00:26:08:18: CF:1D
would be matched against what in ES?
An asset.
How should an administrator add a new lookup through the ES app?
Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?
Security metrics.
Which of the following is a key feature of a glass table?
Customization.
An administrator is asked to configure an Nslookup
adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard.
What steps would the administrator take to configure this option?
Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?
Configure -> Incident Management -> Incident Review Settings -> Table Attributes
To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?
Intrusion Center
Adaptive response action history is stored in which index?
cim_modactions
Which of the following actions would not reduce the number of false positives from a correlation search?
Reducing the severity.
Where is the Add-On Builder available from?
SplunkBase
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?
A prefix of Splunk_TA_
ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?
$SPLUNK_HOME/etc/shcluster/apps
How is notable event urgency calculated?
Severity set by the correlation search and priority assigned to the associated asset or identity. If more than one is involved in a single notable, the one with the highest priority determines urgency
What kind of value is in the red box in this picture?
Next to IP in source
A risk score
Where is it possible to export content, such as correlation searches, from ES?
Configure -> Content Management
Which of the following threat intelligence types can ES download? (Choose all that apply.)
Text and STIX/TAXII
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance.
What is the best practice for installing ES?
Add a new search head and install ES on it.
Enterprise Security’s dashboards primarily pull data from what type of knowledge object?
Data models
To which of the following should the ES application be uploaded?
The search head.
If a username does not match the `˜identity’ column in the identities list, which column is checked next?
Email.
Which of the following features can the Add-on Builder configure in a new add-on?
Normalize data.
Built-in validation
Should not be used on prod servers
Custom data
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?
100 GB Max
80 GB wile planning
ES needs to be installed on a search head with which of the following options?
Only default built-in and CIM-compliant apps.
Which settings indicates that the correlation search will be executed as new events are indexed?
Real Time
Where are attachments to investigations stored?
KV Store
Which data model populates the panels on the Risk Analysis dashboard?
Risk