Question 1

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Accepted Answer

A)  ess_user 
B)  ess_admin 
C)  ess_analyst 
D)  ess_reviewer 
A)  ess_user 
B)  ess_admin 
C)  ess_analyst 
D)  ess_reviewer

Question 2

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

Accepted Answer

A)  When adding apps to the deployment server. 
B)  Splunk_TA_ForIndexers.spl is installed first. is installed first. 
C)  After installing ES on the search head(s) and running the distributed configuration management tool. 
D)  Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command. 
A)  When adding apps to the deployment server. 
B)  Splunk_TA_ForIndexers.spl is installed first. is installed first. 
C)  After installing ES on the search head(s) and running the distributed configuration management tool. 
D)  Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Question 3

Which of the following actions can improve overall search performance?

Accepted Answer

A)  Disable indexed real-time search. 
B)  Increase priority of all correlation searches. 
C)  Reduce the frequency (schedule) of lower-priority correlation searches. 
D)  Add notable event suppressions for correlation searches with high numbers of false positives. 
A)  Disable indexed real-time search. 
B)  Increase priority of all correlation searches. 
C)  Reduce the frequency (schedule) of lower-priority correlation searches. 
D)  Add notable event suppressions for correlation searches with high numbers of false positives.

Question 4

Which of the following actions would not reduce the number of false positives from a correlation search?

Accepted Answer

A)  Reducing the severity. 
B)  Removing throttling fields. 
C)  Increasing the throttling window. 
D)  Increasing threshold sensitivity. 
A)  Reducing the severity. 
B)  Removing throttling fields. 
C)  Increasing the throttling window. 
D)  Increasing threshold sensitivity.

Question 5

Which of the following is an adaptive action that is configured by default for ES?

Accepted Answer

A)  Create new asset 
B)  Create notable event 
C)  Create investigation 
D)  Create new correlation search 
A)  Create new asset 
B)  Create notable event 
C)  Create investigation 
D)  Create new correlation search

Question 6

What feature of Enterprise Security downloads threat intelligence data from a web server?

Accepted Answer

A)  Threat Service Manager 
B)  Threat Download Manager 
C)  Threat Intelligence Parser 
D)  Therat Intelligence Enforcement 
A)  Threat Service Manager 
B)  Threat Download Manager 
C)  Threat Intelligence Parser 
D)  Therat Intelligence Enforcement

Question 7

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

Accepted Answer

A)  thawedPath 
B)  tstatsHomePath 
C)  summaryHomePath 
D)  warmToColdScript 
A)  thawedPath 
B)  tstatsHomePath 
C)  summaryHomePath 
D)  warmToColdScript

Question 8

How should an administrator add a new lookup through the ES app?

Accepted Answer

A)  Upload the lookup file in Settings -> Lookups -> Lookup Definitions 
B)  Upload the lookup file in Settings -> Lookups -> Lookup table files 
C)  Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups 
D)  Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup 
A)  Upload the lookup file in Settings -> Lookups -> Lookup Definitions 
B)  Upload the lookup file in Settings -> Lookups -> Lookup table files 
C)  Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups 
D)  Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Question 9

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Accepted Answer

A)  Intrusion Center 
B)  Protocol Analysis 
C)  User Intelligence 
D)  Threat Intelligence 
A)  Intrusion Center 
B)  Protocol Analysis 
C)  User Intelligence 
D)  Threat Intelligence

Question 10

Which of the following are data models used by ES? (Choose all that apply.)

Accepted Answer

A)  Web 
B)  Anomalies 
C)  Authentication 
D)  Network Traffic 
A)  Web 
B)  Anomalies 
C)  Authentication 
D)  Network Traffic

Question 11

What is the default schedule for accelerating ES Datamodels?

Accepted Answer

A)  1 minute 
B)  5 minutes 
C)  15 minutes 
D)  1 hour 
A)  1 minute 
B)  5 minutes 
C)  15 minutes 
D)  1 hour

Question 12

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Accepted Answer

A)  Configure -> Incident Management -> Notable Event Statuses 
B)  Configure -> Content Management -> Type: Correlation Search 
C)  Configure -> Incident Management -> Incident Review Settings -> Event Management 
D)  Configure -> Incident Management -> Incident Review Settings -> Table Attributes 
A)  Configure -> Incident Management -> Notable Event Statuses 
B)  Configure -> Content Management -> Type: Correlation Search 
C)  Configure -> Incident Management -> Incident Review Settings -> Event Management 
D)  Configure -> Incident Management -> Incident Review Settings -> Table Attributes

Question 13

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Accepted Answer

A)  Nothing, there are no additional steps for add-ons. 
B)  Configure the add-ons via the Content Management dashboard. 
C)  Disable the add-ons until they are ready to be used, then enable the add-ons. 
D)  Configure the add-ons according to their README or documentation. 
A)  Nothing, there are no additional steps for add-ons. 
B)  Configure the add-ons via the Content Management dashboard. 
C)  Disable the add-ons until they are ready to be used, then enable the add-ons. 
D)  Configure the add-ons according to their README or documentation.

Question 14

Which settings indicated that the correlation search will be executed as new events are indexed?

Accepted Answer

A)  Always-On 
B)  Real-Time 
C)  Scheduled 
D)  Continuous 
A)  Always-On 
B)  Real-Time 
C)  Scheduled 
D)  Continuous

Question 15

Which indexes are searched by default for CIM data models?

Accepted Answer

A)  notable and default notable and default 
B)  summary and notable summary 
C)  _internal and summary _internal 
D)  All indexes 
A)  notable and default notable and default 
B)  summary and notable summary 
C)  _internal and summary _internal 
D)  All indexes

Question 16

Which of the following actions may be necessary before installing ES?

Accepted Answer

A)  Add additional indexers. 
B)  Redirect distributed search connections. 
C)  Purge KV Store. 
D)  Add additional forwarders. 
A)  Add additional indexers. 
B)  Redirect distributed search connections. 
C)  Purge KV Store. 
D)  Add additional forwarders.

Question 17

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Accepted Answer

A)  Index consistency. 
B)  Data integrity control. 
C)  Indexer acknowledgement. 
D)  Index access permissions. 
A)  Index consistency. 
B)  Data integrity control. 
C)  Indexer acknowledgement. 
D)  Index access permissions.

Question 18

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives. What is a solution for this issue?

Accepted Answer

A)  Suppress notable events from that correlation search. 
B)  Disable acceleration for the correlation search to reduce storage requirements. 
C)  Modify the correlation schedule and sensitivity for your site. 
D)  Change the correlation search's default status and severity. 
A)  Suppress notable events from that correlation search. 
B)  Disable acceleration for the correlation search to reduce storage requirements. 
C)  Modify the correlation schedule and sensitivity for your site. 
D)  Change the correlation search's default status and severity.

Question 19

What do threat gen searches produce?

Accepted Answer

A)  Threat correlation searches. 
B)  Threat intel in KV Store collections. 
C)  Events in the threat_activity index. Events in the threat_activity index. 
D)  Threat notables in the notable index. Threat notables in the notable 
A)  Threat correlation searches. 
B)  Threat intel in KV Store collections. 
C)  Events in the threat_activity index. Events in the threat_activity index. 
D)  Threat notables in the notable index. Threat notables in the notable

Question 20

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed ?

Accepted Answer

A)  In Enterprise Security, give the ess_user role the Own Notable Events permission. In Enterprise Security, give the role the Own Notable Events permission. 
B)  From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status. From the Status Configuration window select the status. Remove from the status transitions for the status. 
C)  From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status. 
D)  From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability. From Splunk Access Controls, select the role and remove the edit_notable_events capability. 
A)  In Enterprise Security, give the ess_user role the Own Notable Events permission. In Enterprise Security, give the role the Own Notable Events permission. 
B)  From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status. From the Status Configuration window select the status. Remove from the status transitions for the status. 
C)  From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status. 
D)  From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability. From Splunk Access Controls, select the role and remove the edit_notable_events capability.

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

Which of the following actions can improve overall search performance?

Which of the following actions would not reduce the number of false positives from a correlation search?

Which of the following is an adaptive action that is configured by default for ES?

What feature of Enterprise Security downloads threat intelligence data from a web server?

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

How should an administrator add a new lookup through the ES app?

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Which of the following are data models used by ES? (Choose all that apply.)

What is the default schedule for accelerating ES Datamodels?

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Which settings indicated that the correlation search will be executed as new events are indexed?

Which indexes are searched by default for CIM data models?

Which of the following actions may be necessary before installing ES?

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives. What is a solution for this issue?

What do threat gen searches produce?

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed ?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters

Exam 6: Splunk IT Service Intelligence Certified Admin

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

Which of the following actions can improve overall search performance?

Which of the following actions would not reduce the number of false positives from a correlation search?

Which of the following is an adaptive action that is configured by default for ES?

What feature of Enterprise Security downloads threat intelligence data from a web server?

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

How should an administrator add a new lookup through the ES app?

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

Which of the following are data models used by ES? (Choose all that apply.)

What is the default schedule for accelerating ES Datamodels?

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Which settings indicated that the correlation search will be executed as new events are indexed?

Which indexes are searched by default for CIM data models?

Which of the following actions may be necessary before installing ES?

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives. What is a solution for this issue?

What do threat gen searches produce?

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed ?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters