Question 1

What feature of Enterprise Security downloads threat intelligence data from a web server?

Accepted Answer

A)  Threat Service Manager 
B)  Threat Download Manager 
C)  Threat Intelligence Parser 
D)  Threat Intelligence Enforcement 
A)  Threat Service Manager 
B)  Threat Download Manager 
C)  Threat Intelligence Parser 
D)  Threat Intelligence Enforcement

Question 2

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

Accepted Answer

A)  Save the settings. 
B)  Apply the correct tags. 
C)  Run the correct search. 
D)  Visit the CIM dashboard. 
A)  Save the settings. 
B)  Apply the correct tags. 
C)  Run the correct search. 
D)  Visit the CIM dashboard.

Question 3

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

Accepted Answer

A)  Edit the search and modify the notable event status field to make the notable events less urgent. 
B)  Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match. 
C)  Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match. 
D)  Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent. 
A)  Edit the search and modify the notable event status field to make the notable events less urgent. 
B)  Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match. 
C)  Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match. 
D)  Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Question 4

What does the Security Posture dashboard display?

Accepted Answer

A)  Active investigations and their status. 
B)  A high-level overview of notable events. 
C)  Current threats being tracked by the SOC. 
D)  A display of the status of security tools. 
A)  Active investigations and their status. 
B)  A high-level overview of notable events. 
C)  Current threats being tracked by the SOC. 
D)  A display of the status of security tools.

Question 5

What are adaptive responses triggered by?

Accepted Answer

A)  By correlation searches and users on the incident review dashboard. 
B)  By correlation searches and custom tech add-ons. 
C)  By correlation searches and users on the threat analysis dashboard. 
D)  By custom tech add-ons and users on the risk analysis dashboard. 
A)  By correlation searches and users on the incident review dashboard. 
B)  By correlation searches and custom tech add-ons. 
C)  By correlation searches and users on the threat analysis dashboard. 
D)  By custom tech add-ons and users on the risk analysis dashboard.

Question 6

ES needs to be installed on a search head with which of the following options?

Accepted Answer

A)  No other apps. 
B)  Any other apps installed. 
C)  All apps removed except for TA-*. 
D)  Only default built-in and CIM-compliant apps. 
A)  No other apps. 
B)  Any other apps installed. 
C)  All apps removed except for TA-*. 
D)  Only default built-in and CIM-compliant apps.

Question 7

Which argument to the | tstats command restricts the search to summarized data only?

Accepted Answer

A)  summaries=t 
B)  summaries=all 
C)  summariesonly=t 
D)  summariesonly=all 
A)  summaries=t 
B)  summaries=all 
C)  summariesonly=t 
D)  summariesonly=all

Question 8

A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives. Which of the following options is most likely to help performance?

Accepted Answer

A)  Change the search heads to do local indexing of summary searches. 
B)  Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing. 
C)  Increase memory and CPUs on the search head(s) and add additional indexers. 
D)  If indexed realtime search is enabled, disable it for the notable index. 
A)  Change the search heads to do local indexing of summary searches. 
B)  Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing. 
C)  Increase memory and CPUs on the search head(s) and add additional indexers. 
D)  If indexed realtime search is enabled, disable it for the notable index.

Question 9

If a username does not match the 'identity' column in the identities list, which column is checked next?

Accepted Answer

A)  Email. 
B)  Nickname 
C)  IP address. 
D)  Combination of Last Name, First Name. 
A)  Email. 
B)  Nickname 
C)  IP address. 
D)  Combination of Last Name, First Name.

Question 10

"10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

Accepted Answer

A)  A user. 
B)  A device. 
C)  An asset. 
D)  An identity. 
A)  A user. 
B)  A device. 
C)  An asset. 
D)  An identity.

Question 11

Which data model populates the panels on the Risk Analysis dashboard?

Accepted Answer

A)  Risk 
B)  Audit 
C)  Domain analysis 
D)  Threat intelligence 
A)  Risk 
B)  Audit 
C)  Domain analysis 
D)  Threat intelligence

Question 12

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf ?

Accepted Answer

A)  Indexers might crash. 
B)  Indexers might be processing. 
C)  Indexers might not be reachable. 
D)  Indexers have different settings. 
A)  Indexers might crash. 
B)  Indexers might be processing. 
C)  Indexers might not be reachable. 
D)  Indexers have different settings.

Question 13

Which correlation search feature is used to throttle the creation of notable events?

Accepted Answer

A)  Schedule priority. 
B)  Window interval. 
C)  Window duration. 
D)  Schedule windows. 
A)  Schedule priority. 
B)  Window interval. 
C)  Window duration. 
D)  Schedule windows.

Question 14

How is notable event urgency calculated?

Accepted Answer

A)  Asset priority and threat weight. 
B)  Alert severity found by the correlation search. 
C)  Asset or identity risk and severity found by the correlation search. 
D)  Severity set by the correlation search and priority assigned to the associated asset or identity. 
A)  Asset priority and threat weight. 
B)  Alert severity found by the correlation search. 
C)  Asset or identity risk and severity found by the correlation search. 
D)  Severity set by the correlation search and priority assigned to the associated asset or identity.

Question 15

What should be used to map a non-standard field name to a CIM field name?

Accepted Answer

A)  Field alias. 
B)  Search time extraction. 
C)  Tag. 
D)  Eventtype. 
A)  Field alias. 
B)  Search time extraction. 
C)  Tag. 
D)  Eventtype.

Question 16

Where are attachments to investigations stored?

Accepted Answer

A) KV Store B) notable index notable index C) attachments.csv lookup attachments.csv lookup D) /etc/apps/SA-Investigations/default/ui/views/attachments A) KV Store B) notable index notable index C) attachments.csv lookup attachments.csv lookup D) /etc/apps/SA-Investigations/default/ui/views/attachments

Question 17

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Accepted Answer

A)  A prefix of CIM_ A prefix of CIM_ 
B)  A suffix of .spl A suffix of .spl 
C)  A prefix of TECH_ TECH_ 
D)  A prefix of Splunk_TA_ Splunk_TA_ 
A)  A prefix of CIM_ A prefix of CIM_ 
B)  A suffix of .spl A suffix of .spl 
C)  A prefix of TECH_ TECH_ 
D)  A prefix of Splunk_TA_ Splunk_TA_

Question 18

Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Accepted Answer

A)  Tstats 
B)  KV Store 
C)  Data models 
D)  Dynamic lookups 
A)  Tstats 
B)  KV Store 
C)  Data models 
D)  Dynamic lookups

Question 19

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Accepted Answer

A)  Lookup searches. 
B)  Summarized data. 
C)  Security metrics. 
D)  Metrics store searches. 
A)  Lookup searches. 
B)  Summarized data. 
C)  Security metrics. 
D)  Metrics store searches.

Question 20

Which settings indicates that the correlation search will be executed as new events are indexed?

Accepted Answer

A)  Always-On 
B)  Real-Time 
C)  Scheduled 
D)  Continuous 
A)  Always-On 
B)  Real-Time 
C)  Scheduled 
D)  Continuous

What feature of Enterprise Security downloads threat intelligence data from a web server?

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

What does the Security Posture dashboard display?

What are adaptive responses triggered by?

ES needs to be installed on a search head with which of the following options?

Which argument to the | tstats command restricts the search to summarized data only?

If a username does not match the 'identity' column in the identities list, which column is checked next?

"10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

Which data model populates the panels on the Risk Analysis dashboard?

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf ?

Which correlation search feature is used to throttle the creation of notable events?

How is notable event urgency calculated?

What should be used to map a non-standard field name to a CIM field name?

Where are attachments to investigations stored?

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Which settings indicates that the correlation search will be executed as new events are indexed?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters

Exam 6: Splunk IT Service Intelligence Certified Admin

What feature of Enterprise Security downloads threat intelligence data from a web server?

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

What does the Security Posture dashboard display?

What are adaptive responses triggered by?

ES needs to be installed on a search head with which of the following options?

Which argument to the | tstats command restricts the search to summarized data only?

If a username does not match the 'identity' column in the identities list, which column is checked next?

"10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

Which data model populates the panels on the Risk Analysis dashboard?

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf ?

Which correlation search feature is used to throttle the creation of notable events?

How is notable event urgency calculated?

What should be used to map a non-standard field name to a CIM field name?

Where are attachments to investigations stored?

Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

Which settings indicates that the correlation search will be executed as new events are indexed?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk Core Certified Consultant

Filters