Question 1

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?

Accepted Answer

A)  indexes.conf, props.conf, transforms.conf 
B)  web.conf, props.conf, transforms.conf 
C)  inputs.conf, props.conf, transforms.conf 
D)  eventtypes.conf, indexes.conf, tags.conf 
A)  indexes.conf, props.conf, transforms.conf 
B)  web.conf, props.conf, transforms.conf 
C)  inputs.conf, props.conf, transforms.conf 
D)  eventtypes.conf, indexes.conf, tags.conf A

Question 2

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Accepted Answer

A)  REST API invocations. 
B)  Investigation final results status. 
C)  Workstations, notebooks, and point-of-sale systems. 
D)  Lifecycle auditing of incidents, from assignment to resolution. 
A)  REST API invocations. 
B)  Investigation final results status. 
C)  Workstations, notebooks, and point-of-sale systems. 
D)  Lifecycle auditing of incidents, from assignment to resolution. D

Question 3

Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Accepted Answer

A)  VIP 
B)  Priority 
C)  Importance 
D)  Criticality 
A)  VIP 
B)  Priority 
C)  Importance 
D)  Criticality B

Question 4

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

Accepted Answer

A)  OS: 32 bit, RAM: 16 MB, CPU: 12 cores 
B)  OS: 64 bit, RAM: 32 MB, CPU: 12 cores 
C)  OS: 64 bit, RAM: 12 MB, CPU: 16 cores 
D)  OS: 64 bit, RAM: 32 MB, CPU: 16 cores 
A)  OS: 32 bit, RAM: 16 MB, CPU: 12 cores 
B)  OS: 64 bit, RAM: 32 MB, CPU: 12 cores 
C)  OS: 64 bit, RAM: 12 MB, CPU: 16 cores 
D)  OS: 64 bit, RAM: 32 MB, CPU: 16 cores

Question 5

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

Accepted Answer

A)  Edit the Threat Activity view settings and checkmark the Default View option. 
B)  From the Edit Navigation page, click the "Set this as the default view" checkmark for Threat Activity. 
C)  From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page. 
D)  From the Preferences menu for the user, select Enterprise Security as the default application. 
A)  Edit the Threat Activity view settings and checkmark the Default View option. 
B)  From the Edit Navigation page, click the "Set this as the default view" checkmark for Threat Activity. 
C)  From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page. 
D)  From the Preferences menu for the user, select Enterprise Security as the default application.

Question 6

The option to create a Short ID for a notable event is located where?

Accepted Answer

A)  The Additional Fields. 
B)  The Event Details. 
C)  The Contributing Events. 
D)  The Description. 
A)  The Additional Fields. 
B)  The Event Details. 
C)  The Contributing Events. 
D)  The Description.

Question 7

How is it possible to navigate to the ES graphical Navigation Bar editor?

Accepted Answer

A)  Configure -> Navigation Menu 
B)  Configure -> General -> Navigation 
C)  Settings -> User Interface -> Navigation -> Click on "Enterprise Security" 
D)  Settings -> User Interface -> Navigation Menus -> Click on "default" next to SplunkEnterpriseSecuritySuite 
A)  Configure -> Navigation Menu 
B)  Configure -> General -> Navigation 
C)  Settings -> User Interface -> Navigation -> Click on "Enterprise Security" 
D)  Settings -> User Interface -> Navigation Menus -> Click on "default" next to SplunkEnterpriseSecuritySuite

Question 8

What does the summariesonly=true option do for a correlation search?

Accepted Answer

A)  Searches only accelerated data. 
B)  Forwards summary indexes to the indexing tier. 
C)  Uses a default summary time range. 
D)  Searches summary indexes only. 
A)  Searches only accelerated data. 
B)  Forwards summary indexes to the indexing tier. 
C)  Uses a default summary time range. 
D)  Searches summary indexes only.

Question 9

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Accepted Answer

A)  Use new app names each time content is exported. 
B)  Do not use the .spl extension when naming an export. Do not use the extension when naming an export. 
C)  Always include existing and new content for each export. 
D)  Either use new app names or always include both existing and new content. 
A)  Use new app names each time content is exported. 
B)  Do not use the .spl extension when naming an export. Do not use the extension when naming an export. 
C)  Always include existing and new content for each export. 
D)  Either use new app names or always include both existing and new content.

Question 10

Which two fields combine to create the Urgency of a notable event?

Accepted Answer

A)  Priority and Severity. 
B)  Priority and Criticality. 
C)  Criticality and Severity. 
D)  Precedence and Time. 
A)  Priority and Severity. 
B)  Priority and Criticality. 
C)  Criticality and Severity. 
D)  Precedence and Time.

Question 11

Which of the following is a key feature of a glass table?

Accepted Answer

A)  Rigidity. 
B)  Customization. 
C)  Interactive investigations. 
D)  Strong data for later retrieval. 
A)  Rigidity. 
B)  Customization. 
C)  Interactive investigations. 
D)  Strong data for later retrieval.

Question 12

When investigating, what is the best way to store a newly-found IOC?

Accepted Answer

A)  Paste it into Notepad. 
B)  Click the "Add IOC" button. 
C)  Click the "Add Artifact" button. 
D)  Add it in a text note to the investigation. 
A)  Paste it into Notepad. 
B)  Click the "Add IOC" button. 
C)  Click the "Add Artifact" button. 
D)  Add it in a text note to the investigation.

Question 13

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Accepted Answer

A)  An urgency. 
B)  A risk profile. 
C)  An aggregation. 
D)  A numeric score. 
A)  An urgency. 
B)  A risk profile. 
C)  An aggregation. 
D)  A numeric score.

Question 14

The Add-On Builder creates Splunk Apps that start with what?

Accepted Answer

A)  DA- 
B)  SA- 
C)  TA- 
D)  App- 
A)  DA- 
B)  SA- 
C)  TA- 
D)  App-

Question 15

What is the bar across the bottom of any ES window?

Accepted Answer

A)  The Investigator Workbench. 
B)  The Investigation Bar. 
C)  The Compliance Bar. 
D)  The Analyst Bar. 
A)  The Investigator Workbench. 
B)  The Investigation Bar. 
C)  The Compliance Bar. 
D)  The Analyst Bar.

Question 16

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Accepted Answer

A)  Correlation editor. 
B)  Key indicator search. 
C)  Threat download dashboard. 
D)  Protocol intelligence dashboard. 
A)  Correlation editor. 
B)  Key indicator search. 
C)  Threat download dashboard. 
D)  Protocol intelligence dashboard.

Question 17

A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?

Accepted Answer

A)  Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. 
B)  Add the dashboard to a custom add-in app and install it to ES using the Content Manager. 
C)  Add links on the ES home page to the new dashboard. 
D)  Create a new role inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role. 
A)  Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. 
B)  Add the dashboard to a custom add-in app and install it to ES using the Content Manager. 
C)  Add links on the ES home page to the new dashboard. 
D)  Create a new role inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.

Question 18

Which of the following features can the Add-on Builder configure in a new add-on?

Accepted Answer

A)  Expire data. 
B)  Normalize data. 
C)  Summarize data. 
D)  Translate data. 
A)  Expire data. 
B)  Normalize data. 
C)  Summarize data. 
D)  Translate data.

Question 19

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

Accepted Answer

A)  3.4 
B)  5.7 
C)  1.0 
D)  2.5 
A)  3.4 
B)  5.7 
C)  1.0 
D)  2.5

Question 20

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Accepted Answer

A)  Splunk_DS_ForIndexers.spl 
B)  Splunk_ES_ForIndexers.spl 
C)  Splunk_SA_ForIndexers.spl 
D)  Splunk_TA_ForIndexers.spl 
A)  Splunk_DS_ForIndexers.spl 
B)  Splunk_ES_ForIndexers.spl 
C)  Splunk_SA_ForIndexers.spl 
D)  Splunk_TA_ForIndexers.spl

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

The option to create a Short ID for a notable event is located where?

How is it possible to navigate to the ES graphical Navigation Bar editor?

What does the summariesonly=true option do for a correlation search?

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Which two fields combine to create the Urgency of a notable event?

Which of the following is a key feature of a glass table?

When investigating, what is the best way to store a newly-found IOC?

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

The Add-On Builder creates Splunk Apps that start with what?

What is the bar across the bottom of any ES window?

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?

Which of the following features can the Add-on Builder configure in a new add-on?

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters

Exam 6: Splunk IT Service Intelligence Certified Admin

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?

Which of the following are examples of sources for events in the endpoint security domain dashboards?

Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

The option to create a Short ID for a notable event is located where?

How is it possible to navigate to the ES graphical Navigation Bar editor?

What does the summariesonly=true option do for a correlation search?

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Which two fields combine to create the Urgency of a notable event?

Which of the following is a key feature of a glass table?

When investigating, what is the best way to store a newly-found IOC?

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

The Add-On Builder creates Splunk Apps that start with what?

What is the bar across the bottom of any ES window?

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?

Which of the following features can the Add-on Builder configure in a new add-on?

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters