To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?
A. Intrusion Center
B. Protocol Analysis
C. User Intelligence
D. Threat Intelligence

Which of the following actions would not reduce the number of false positives from a correlation search?
A. Reducing the severity.
B. Removing throttling fields.
C. Increasing the throttling window.
D. Increasing threshold sensitivity.

An administrator is provisioning one search head prior to installing ES.
What are the reference minimum requirements for OS, CPU, and RAM for that machine?
A. OS: 32-bit, RAM: 16 GB, CPU: 12 cores
B. OS: 64-bit, RAM: 32 GB, CPU: 12 cores
C. OS: 64-bit, RAM: 12 GB, CPU: 16 cores
D. OS: 64-bit, RAM: 32 GB, CPU: 16 cores

What is the first step when preparing to install ES?
A. Install ES.
B. Determine the data sources used.
C. Determine the hardware required.
D. Determine the size and scope of the installation.

At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?
A. When adding apps to the deployment server.
B. Splunk_TA_ForIndexers.spl is installed first.
C. After installing ES on the search head(s) and running the distributed configuration management tool.
D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Which of the following are examples of sources for events in the endpoint security domain dashboards?
A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
A. Indexers might crash.
B. Indexers might be processing.
C. Indexers might not be reachable.
D. Indexers have different settings.

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
A. $fieldname$
B. "fieldname"
C. fieldname
D. fieldname

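An added example, not from the original page, showing where the two settings the questions above ask about live in a correlation search: the notable event's title, description and drill-down use the $fieldname$ token syntax, and the throttling (alert.suppress) keys control how many notables one search produces. The stanza name, the search itself, the account names and the 24-hour window are constructed for illustration.

```ini
# savedsearches.conf (constructed example; stanza name and search are hypothetical)
[Access - Default Account Used - Rule]
# A correlation search is an ordinary scheduled search with notable and
# throttle settings attached. Fields are renamed so tokens read $user$, not
# $Authentication.user$.
search = | tstats summariesonly=t count from datamodel=Authentication.Authentication \
    where Authentication.user IN ("admin", "guest", "root") \
    by Authentication.user, Authentication.src, Authentication.dest \
    | rename "Authentication.*" as "*"
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = Default Account Used

# Notable event settings: values from the search results are embedded as $fieldname$
action.notable = 1
action.notable.param.rule_title = Default account $user$ used on $dest$
action.notable.param.rule_description = Default account $user$ authenticated from $src$ to $dest$ ($count$ events in the search window)
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.drilldown_name = View authentication events for $user$ on $dest$
action.notable.param.drilldown_search = | datamodel Authentication Authentication search | search Authentication.user="$user$" Authentication.dest="$dest$"

# Throttling: after one notable for a given user/dest pair, suppress further
# notables for that pair for 24 hours. A longer alert.suppress.period means
# fewer repeats; fewer fields in alert.suppress.fields means each suppression
# covers more results. The severity value above only affects how the notable
# is ranked in Incident Review, not how many notables are created.
alert.suppress = 1
alert.suppress.fields = user,dest
alert.suppress.period = 86400s
```

If the search renames or drops a field, every token that references it resolves to an empty string in the notable, so check the title and drill-down in Incident Review after editing the search's `by` clause.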
ES needs to be installed on a search head with which of the following options?
A. No other apps.
B. Any other apps installed.
C. All apps removed except for TA-*.
D. Only default built-in and CIM-compliant apps.

When ES content is exported, an app with a .spl extension is automatically created.
What is the best practice when exporting and importing updates to ES content?
A. Use new app names each time content is exported.
B. Do not use the .spl extension when naming an export.
C. Always include existing and new content for each export.
D. Either use new app names or always include both existing and new content.

What role should be assigned to a security team member who will be taking ownership of notable events in the Incident Review dashboard?
A. ess_user
B. ess_admin
C. ess_analyst
D. ess_reviewer

Both Recommended Actions and Adaptive Response Actions use adaptive response. How do they differ?
A. Recommended Actions show a textual description to an analyst; Adaptive Response Actions show them encoded.
B. Recommended Actions show a list of Adaptive Responses to an analyst; Adaptive Response Actions run them automatically.
C. Recommended Actions show a list of Adaptive Responses that have already been run; Adaptive Response Actions run them automatically.
D. Recommended Actions show a list of Adaptive Responses to an analyst; Adaptive Response Actions run manually with analyst intervention.

What feature of Enterprise Security downloads threat intelligence data from a web server?
A. Threat Service Manager
B. Threat Download Manager
C. Threat Intelligence Parser
D. Threat Intelligence Enforcement

Which indexes are searched by default for CIM data models?
A. notable and default
B. summary and notable
C. _internal and summary
D. All indexes

Which argument to the | tstats command restricts the search to summarized data only?
A. summaries=t
B. summaries=all
C. summariesonly=t
D. summariesonly=all

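An added example, not from the original page, of the kind of tstats search that backs a "which services are in use" view such as Protocol Analysis, restricted to accelerated data with summariesonly=t. The data model and field names are the CIM Network_Traffic ones; the 24-hour window and the action filter are constructed.

```spl
| tstats summariesonly=t allow_old_summaries=t count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action=allowed earliest=-24h@h latest=now
    by All_Traffic.transport, All_Traffic.dest_port
| rename "All_Traffic.*" as "*"
| sort - count
```

With summariesonly=t the search reads only the acceleration summaries, which is what makes it fast enough to run every few minutes, but any time range that has not been summarized yet (a freshly added indexer, a backfill still in progress, a data model whose acceleration was recently rebuilt) simply returns nothing for that span, so a gap looks like zero traffic rather than an error. The default, summariesonly=f, falls back to searching raw events for unsummarized spans at raw-search cost. allow_old_summaries=t keeps using summaries built before the last change to the data model definition instead of discarding them.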
Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?
A. Administrative Identities
B. Local User Intel
C. Identities
D. Privileged Accounts

Which of the following is a Web Intelligence dashboard?
A. stream:http Protocol dashboard
B. HTTP Category Analysis
C. Network Center
D. Endpoint Center

After managing source types and extracting fields, which key step comes next in the Add-On Builder?
A. Configure data collection.
B. Validate and package.
C. Create alert actions.
D. Map to data models.

A security manager has been working with the executive team on long-range security goals. A primary goal for the team is to improve managing user risk in the organization. Which of the following ES features can help identify users accessing inappropriate web sites?
A. Make sure the Authentication data model contains up-to-date events and is properly accelerated.
B. Configuring user and website watchlists so the User Activity dashboard will highlight unwanted user actions.
C. Configuring the identities lookup with user details to enrich notable event information for forensic analysis.
D. Use the Access Anomalies dashboard to identify unusual protocols being used to access corporate sites.

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?
A. Extracting Fields.
B. Normalization to the Splunk Common Information Model.
C. Normalization to Customer Standard.
D. Applying Tags.

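An added example, not from the original page, of what CIM normalization looks like in configuration, which is also the "map to data models" step an Add-On Builder TA produces. The vendor sourcetype acme:vpn, its raw field names and the sample log line are constructed; the target field names (user, src, dest, action, app) and the authentication tag are the ones the CIM Authentication data model expects.

```ini
# props.conf: map a constructed vendor sourcetype onto CIM Authentication fields.
# Constructed sample event for sourcetype acme:vpn:
#   2024-03-01T10:15:02Z vpn-gw1 login status=SUCCESS uname=jdoe client_ip=203.0.113.7 gw=10.0.0.5
[acme:vpn]
# Step 1: extract the vendor's own fields from the raw event
EXTRACT-acme_auth = status=(?<status>\w+)\s+uname=(?<uname>\S+)\s+client_ip=(?<client_ip>\S+)\s+gw=(?<gw>\S+)
# Step 2: normalize them to the CIM names the Authentication model is built on
FIELDALIAS-acme_cim = uname AS user client_ip AS src gw AS dest
EVAL-action = if(status="SUCCESS", "success", "failure")
EVAL-app = "acme_vpn"

# eventtypes.conf: select the events that belong in the model
[acme_vpn_authentication]
search = sourcetype=acme:vpn uname=*

# tags.conf: the Authentication data model's root constraint is tag=authentication,
# so without this tag the events never enter the model, accelerated or not
[eventtype=acme_vpn_authentication]
authentication = enabled
```

Field extraction alone is not enough: an accelerated data model summarizes only events matching its constraint (here the authentication tag) and only the field names it defines, so a source that still exposes uname and client_ip instead of user and src is invisible to every ES dashboard and correlation search that reads the model with tstats.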
The Add-On Builder creates Splunk Apps that start with what?
A. DA-
B. SA-
C. TA-
D. App-

Which of the following actions can improve overall search performance?
A. Disable indexed real-time search.
B. Increase priority of all correlation searches.
C. Reduce the frequency (schedule) of lower-priority correlation searches.
D. Add notable event suppressions for correlation searches with high numbers of false positives.