SPLK-3001 Practice Exam — 98 Free Splunk Questions

Join Us Among the Stars

Sign Up & unlock 100% of Exam Questions

Log in / Sign up

No Strings Attached!

98Practice Questions

3Study Modes

Free

TopicSort

Question 1

Validating ES Data

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

A Save the settings.
B Apply the correct tags.
C Run the correct search.
D Visit the CIM dashboard.

Question 2

Threat Intelligence Framework

Question 3

Monitoring and Investigation

Question 4

Monitoring and Investigation

Question 5

Tuning Correlation Searches

Question 6

ES Deployment

Question 7

ES Deployment

Question 8

Installation and Configuration

Question 9

Monitoring and Investigation

Question 10

ES Deployment

Question 11

Creating Correlation Searches

Question 12

ES Deployment

Question 13

ES Deployment

Question 14

Monitoring and Investigation

Question 15

Monitoring and Investigation

Question 16

Threat Intelligence Framework

Question 17

Creating Correlation Searches

Question 18

Tuning Correlation Searches

Question 19

Lookups and Identity Management

Question 20

ES Introduction

Question 21

Custom Add-ons

Question 22

Lookups and Identity Management

Question 23

Validating ES Data

Question 24

Custom Add-ons

Question 25

Tuning Correlation Searches

Page 1 of 4 • Questions 1-25 of 98

1 2 3 4

→

Know a question that should be here? Contribute to this exam

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

A An urgency.
B A risk profile.
C An aggregation.
D A numeric score.

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

A Configure -> Incident Management -> Notable Event Statuses
B Configure -> Content Management -> Type: Correlation Search
C Configure -> Incident Management -> Incident Review Settings -> Event Management
D Configure -> Incident Management -> Incident Review Settings -> Table Attributes

To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

A Intrusion Center
B Protocol Analysis
C User Intelligence
D Threat Intelligence

Which of the following actions would not reduce the number of false positives from a correlation search?

A Reducing the severity.
B Removing throttling fields.
C Increasing the throttling window.
D Increasing threshold sensitivity.

Question 6

ES Deployment

Question 7

ES Deployment

Question 8

Installation and Configuration

Question 9

Monitoring and Investigation

Question 10

ES Deployment

Question 11

Creating Correlation Searches

Question 12

ES Deployment

Question 13

ES Deployment

Question 14

Monitoring and Investigation

Question 15

Monitoring and Investigation

Question 16

Threat Intelligence Framework

Question 17

Creating Correlation Searches

Question 18

Tuning Correlation Searches

Question 19

Lookups and Identity Management

Question 20

ES Introduction

Question 21

Custom Add-ons

Question 22

Lookups and Identity Management

Question 23

Validating ES Data

Question 24

Custom Add-ons

Question 25

Tuning Correlation Searches

An administrator is provisioning one search head prior to installing ES.
What are the reference minimum requirements for OS, CPU, and RAM for that machine?

A OS: 32 bit, RAM: 16 MB, CPU: 12 cores
B OS: 64 bit, RAM: 32 MB, CPU: 12 cores
C OS: 64 bit, RAM: 12 MB, CPU: 16 cores
D OS: 64 bit, RAM: 32 MB, CPU: 16 cores

What is the first step when preparing to install ES?

A Install ES.
B Determine the data sources used.
C Determine the hardware required.
D Determine the size and scope of installation.

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

A When adding apps to the deployment server.
B Splunk_TA_ForIndexers.spl is installed first.
C After installing ES on the search head(s) and running the distributed configuration management tool.
D Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Which of the following are examples of sources for events in the endpoint security domain dashboards?

A REST API invocations.
B Investigation final results status.
C Workstations, notebooks, and point-of-sale systems.
D Lifecycle auditing of incidents, from assignment to resolution.

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

A Indexers might crash.
B Indexers might be processing.
C Indexers might not be reachable.
D Indexers have different settings.

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

A $fieldname$
B ג€fieldnameג€
C fieldname
D fieldname

ES needs to be installed on a search head with which of the following options?

A No other apps.
B Any other apps installed.
C All apps removed except for TA-*.
D Only default built-in and CIM-compliant apps.

When ES content is exported, an app with a .spl extension is automatically created.
What is the best practice when exporting and importing updates to ES content?

A Use new app names each time content is exported.
B Do not use the .spl extension when naming an export.
C Always include existing and new content for each export.
D Either use new app names or always include both existing and new content.

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

A ess_user
B ess_admin
C ess_analyst
D ess_reviewer

Both Recommended Actions and Adaptive Response Actions use adaptive response. How do they differ?

A Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
B Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
C Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
D Recommended Actions show a list of Adaptive Resposes to an analyst, Adaptive Response Actions run manually with analyst intervention.

What feature of Enterprise Security downloads threat intelligence data from a web server?

A Threat Service Manager
B Threat Download Manager
C Threat Intelligence Parser
D Threat Intelligence Enforcement

Which indexes are searched by default for CIM data models?

A notable and default
B summary and notable
C _internal and summary
D All indexes

Which argument to the | tstats command restricts the search to summarized data only?

A summaries=t
B summaries=all
C summariesonly=t
D summariesonly=all

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

A Administrative Identities
B Local User Intel
C Identities
D Privileged Accounts

Which of the following is a Web Intelligence dashboard?

A stream:http Protocol dashboard
B HTTP Category Analysis
C Network Center
D Endpoint Center

After managing source types and extracting fields, which key step comes next in the Add-On Builder?

A Configure data collection.
B Validate and package.
C Create alert actions.
D Map to data models.

A security manager has been working with the executive team on long-range security goals. A primary goal for the team is to improve managing user risk in the organization. Which of the following ES features can help identify users accessing inappropriate web sites?

A Make sure the Authentication data model contains up-to-date events and is properly accelerated.
B Configuring user and website watchlists so the User Activity dashboard will highlight unwanted user actions.
C Configuring the identities lookup with user details to enrich notable event information for forensic analysis.
D Use the Access Anomalies dashboard to identify unusual protocols being used to access corporate sites.

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

A Extracting Fields.
B Normalization to the Splunk Common Information Model.
C Normalization to Customer Standard.
D Applying Tags.

The Add-On Builder creates Splunk Apps that start with what?

A DA-
B SA-
C TA-
D App-

Which of the following actions can improve overall search performance?

A Disable indexed real-time search.
B Increase priority of all correlation searches.
C Reduce the frequency (schedule) of lower-priority correlation searches.
D Add notable event suppressions for correlation searches with high numbers of false positives.

Join Us Among the Stars

SPLK-3001Preview

About the SPLK-3001 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25