The Secret Of Splunk SPLK-3001 Testing Engine

NEW QUESTION 1
What does the Security Posture dashboard display?

• A. Active investigations and their status.
• B. A high-level overview of notable events.
• C. Current threats being tracked by the SOC.
• D. A display of the status of security tools.

Answer: B

Explanation:
The Security Posture dashboard is designed to provide high-level insight into the notable events across all domains of your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and provides real-time event information and updates.
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/SecurityPosturedashboard

NEW QUESTION 2
What tools does the Risk Analysis dashboard provide?

• A. High risk threats.
• B. Notable event domains displayed by risk score.
• C. A display of the highest risk assets and identities.
• D. Key indicators showing the highest probability correlation searches in the environment.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis

NEW QUESTION 3
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

• A. Install ES on the existing search head.
• B. Add a new search head and install ES on it.
• C. Increase the number of CPUs and amount of memory on the search head, then install ES.
• D. Delete the non-CIM-compliant apps from the search head, then install ES.

Answer: B

Explanation:
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

NEW QUESTION 4
Which of the following features can the Add-on Builder configure in a new add-on?

• A. Expire data.
• B. Normalize data.
• C. Summarize data.
• D. Translate data.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Overview

NEW QUESTION 5
An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

• A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
• B. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
• C. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
• D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Answer: D

NEW QUESTION 6
If a username does not match the ‘identity’ column in the identities list, which column is checked next?

• A. Email.
• B. Nickname
• C. IP address.
• D. Combination of Last Name, First Name.

Answer: C

NEW QUESTION 7
What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

• A. Configure -> Incident Management -> Notable Event Statuses
• B. Configure -> Content Management -> Type: Correlation Search
• C. Configure -> Incident Management -> Incident Review Settings -> Event Management
• D. Configure -> Incident Management -> Incident Review Settings -> Table Attributes

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Customizenotables

NEW QUESTION 8
“10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against what in ES?

• A. A user.
• B. A device.
• C. An asset.
• D. An identity.

Answer: B

NEW QUESTION 9
Which correlation search feature is used to throttle the creation of notable events?

• A. Schedule priority.
• B. Window interval.
• C. Window duration.
• D. Schedule windows.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches

NEW QUESTION 10
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

• A. A prefix of CIM_
• B. A suffix of .spl
• C. A prefix of TECH_
• D. A prefix of Splunk_TA_

Answer: D

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/planintegrationes/

NEW QUESTION 11
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

• A. 50 GB
• B. 100 GB
• C. 300 GB
• D. 500 MB

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.4.2/Install/Plan

NEW QUESTION 12
Which indexes are searched by default for CIM data models?

• A. notable and default
• B. summary and notable
• C. _internal and summary
• D. All indexes

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html

NEW QUESTION 13
Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

• A. VIP
• B. Priority
• C. Importance
• D. Criticality

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 14
Which of the following actions can improve overall search performance?

• A. Disable indexed real-time search.
• B. Increase priority of all correlation searches.
• C. Reduce the frequency (schedule) of lower-priority correlation searches.
• D. Add notable event suppressions for correlation searches with high numbers of false positives.

Answer: A

NEW QUESTION 15
Enterprise Security’s dashboards primarily pull data from what type of knowledge object?

• A. Tstats
• B. KV Store
• C. Data models
• D. Dynamic lookups

Answer: C

Explanation:
Reference: https://docs.splunk.com/Splexicon:Knowledgeobject

NEW QUESTION 16
Which of the following are data models used by ES? (Choose all that apply)

• A. Web
• B. Anomalies
• C. Authentication
• D. Network Traffic

Answer: B

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/datamodelsusedbyes/

NEW QUESTION 17
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

• A. OS: 32 bit, RAM: 16 MB, CPU: 12 cores
• B. OS: 64 bit, RAM: 32 MB, CPU: 12 cores
• C. OS: 64 bit, RAM: 12 MB, CPU: 16 cores
• D. OS: 64 bit, RAM: 32 MB, CPU: 16 cores

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware

NEW QUESTION 18
Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

• A. thawedPath
• B. tstatsHomePath
• C. summaryHomePath
• D. warmToColdScript

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 19
How should an administrator add a new lookup through the ES app?

• A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
• B. Upload the lookup file in Settings -> Lookups -> Lookup table files
• C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
• D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups

NEW QUESTION 20
The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

• A. Web
• B. Risk
• C. Performance
• D. Authentication

Answer: A

Explanation:
Reference: https://answers.splunk.com/answers/565482/how-to-resolve-skipped-scheduled-searches.html

NEW QUESTION 21
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute
indexes.conf?

• A. Indexes might crash.
• B. Indexes might be processing.
• C. Indexes might not be reachable.
• D. Indexes have different settings.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf

NEW QUESTION 22
......