SPLK-3001: Splunk Enterprise Security Certified Admin

Which of the following is an adaptive action that is configured by default for ES?

Create notable event
Create new correlation search
Create investigation
Create new asset

Correct answer: A

Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

SplunkWeb (8068), Splunk Management (8089), KV Store (8000)
SplunkWeb (8390), Splunk Management (8323), KV Store (8672)
SplunkWeb (8000), Splunk Management (8089), KV Store (8191)
SplunkWeb (8043), Splunk Management (8088), KV Store (8191)

Correct answer: C

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/SecureSplunkonyournetwork

A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives.

Which of the following options is most likely to help performance?

Change the search heads to do local indexing of summary searches.
Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
Increase memory and CPUs on the search head(s) and add additional indexers.
If indexed realtime search is enabled, disable it for the notable index.

Correct answer: C

What should be used to map a non-standard field name to a CIM field name?

Field alias.
Search time extraction.
Tag.
Eventtype.

Correct answer: A

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Security domains.
Threat intel.
Assets.
Domains.

Correct answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Manageinternallookups

Which tool Is used to update indexers In E5?

Index Updater
Distributed Configuration Management
indexes.conf
Splunk_TA_ForIndexeres. spl

Correct answer: B

Which of the following actions may be necessary before installing ES?

Redirect distributed search connections.
Purge KV Store.
Add additional indexers.
Add additional forwarders.

Correct answer: C

Which of the following are examples of sources for events in the endpoint security domain dashboards?

REST API invocations.
Investigation final results status.
Workstations, notebooks, and point-of-sale systems.
Lifecycle auditing of incidents, from assignment to resolution.

Correct answer: C

Explanation:

Reference:https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

Reference:

https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

$fieldname$
"fieldname"
%fieldname%
_fieldname_

Correct answer: A

Explanation:

Reference: https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/Createcorrelationsearch

What feature of Enterprise Security downloads threat intelligence data from a web server?

Threat Service Manager
Threat Download Manager
Threat Intelligence Parser
Therat Intelligence Enforcement

Correct answer: B

Explanation:

"The Threat Intelligence Framework provides a modular input (Threat Intelligence Downloads) that handles the majority of configurations typically needed for downloading intelligence files & data. To access this modular input, you simply need to create a stanza in your Inputs.conf file called "threatlist"."