Splunk SPLK-3001 Splunk Enterprise Security Certified Admin Exam Exam Practice Test

To observe what network services are in use in a network’s activity overall, the Protocol Analysis dashboard in Enterprise Security will contain the most relevant data. The Protocol Analysis dashboard shows the network traffic data by protocol, such as TCP, UDP, ICMP, and others. You can use this dashboard to identify the most active protocols, the most active hosts, the most active ports, and the most active connections in your network. You can also filter the dashboard by protocol, host, port, or connection to narrow down your analysis. The Protocol Analysis dashboard uses the data from the Network Resolution (stream) data model, which requires the Splunk Stream app to collect network packet data1. References =

• Protocol Analysis dashboard - Splunk Documentation

The Security Posture dashboard displays a high-level overview of notable events across all domains of your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and provides real-time event information and updates. The dashboard consists of several panels that show key indicators, notable events by urgency, notable events over time, top notable events, and top notable event sources1. References =

• Security Posture dashboard - Splunk Documentation

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events. The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation12. References = 1: Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role. 2: Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

 The Risk Analysis dashboard provides tools to analyze the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The dashboard shows the risk score by object, the most active sources of risk, the risk score by category, the risk score over time, and the risk modifiers by object. The dashboard also allows you to create ad hoc risk entries, view the risk details of an object, and export the risk data as a CSV file. The other options, A, B, and D, are not correct. The Risk Analysis dashboard does not provide tools to show high risk threats, notable event domains, or key indicators of correlation searches. These are features of other dashboards in Splunk Enterprise Security, such as the Threat Activity dashboard, the Domain Analysis dashboard, and the Correlation Search Audit dashboard. References =

• Analyze risk in Splunk Enterprise Security
• Risk Analysis dashboard

The risk framework in Splunk Enterprise Security adds a numeric score to an object (user, server or other type) to indicate increased risk. The numeric score is calculated by summing up the risk scores of all the risk modifiers that are associated with the object. A risk modifier is an event that modifies the risk of an object, such as a malware infection, a failed login, or a suspicious activity. The risk score of a risk modifier is determined by the correlation search that triggers the risk analysis response action, which can be customized or created by the user12. The numeric score of an object reflects its overall risk level and can be used to prioritize investigation and response actions3. References = 1: Risk Analysis framework in Splunk ES - Splunk Documentation - Terminology for the Risk Analysis framework. 2: Risk Analysis framework in Splunk ES - Splunk Documentation - Write a correlation search. 3: About risk-based alerting in Splunk Enterprise Security - Splunk Documentation.

To navigate to the ES graphical Navigation Bar editor, you need to click the Configure menu in the ES app bar, then select General, and then select Navigation. The Navigation page allows you to customize the navigation bar of the ES app by adding, removing, or reordering the menu items. You can also edit the labels, icons, and links of the menu items. You can use the graphical editor to drag and drop the menu items, or you can edit the navigation XML directly. For more information, see Customize the navigation bar in Splunk Enterprise Security1. The other options, A, C, and D, are not correct. There is no Navigation Menu option under the Configure menu. The Settings menu does not allow you to edit the navigation bar of the ES app. The Settings menu only allows you to edit the navigation menus of the Splunk platform, such as the app launcher and the user menu. References =

• Customize the navigation bar in Splunk Enterprise Security

Design navigation graphs | Android Developers1

Design navigation graphs | Android Developers

According to the Splunk Enterprise Security documentation, the HTTP Category Analysis dashboard is one of the Web Intelligence dashboards that help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs. The dashboard shows the top HTTP categories by bytes, requests, and users, and allows you to filter the data by time range, category, user, and domain. The dashboard also provides drilldown links to other dashboards, such as the Web User Agent Analysis dashboard and the Web Domain Analysis dashboard, for further analysis. Therefore, the correct answer is C. HTTP Category Analysis. References = Web Intelligence dashboards.

When creating custom correlation searches, you can use the fieldname format to embed field values in the title, description, and drill-down fields of a notable event. This allows you to customize the notable event with dynamic information from the search results. For example, you can use src to include the source IP address of the event, or user to include the user name of the event1. References = 1: Create a correlation search - Splunk Documentation - Define the notable event.

According to the Splunk Enterprise Security documentation, the Protocol Intelligence dashboards are the dashboards that support the ability to view and analyze network Stream data. The Protocol Intelligence dashboards provide a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. They also show the top sources, destinations, ports, and applications for each protocol. The dashboards allow you to filter the data by time range, protocol, source, destination, port, and application. The dashboards also provide drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. The Protocol Intelligence dashboards require the Splunk App for Stream and the Splunk Add-on for Stream to capture and parse network traffic data. Therefore, the correct answer is C. Protocol Intelligence dashboards. References = Protocol Intelligence dashboards.

Anomali ThreatStream App for Splunk | Splunkbase

 The point in the ES installation process when Splunk_TA_ForIndexes.spl should be deployed to the indexers is after installing ES on the search head(s) and running the distributed configuration management tool. Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on. The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.

 According to the Splunk Enterprise Security documentation, the best way to integrate a newly built custom dashboard to a team of security analysts in ES is to set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. This will ensure that the dashboard is visible and accessible to the users with the es_analyst role, which is the default role for security analysts in ES. The navigation editor allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. See Customize Splunk Enterprise Security dashboards to fit your use case and Customize the navigation bar for more details.

The other options are not recommended, because they either do not integrate the dashboard properly or they create unnecessary complexity. Adding links on the ES home page to the new dashboard is not a good option, because it does not integrate the dashboard into the menu bar and it may clutter the home page. Creating a new role inherited from es_analyst, making the dashboard permissions read-only, and making this dashboard the default view for the new role is not a good option, because it creates a redundant role and it may confuse the users who expect to see the Security Posture dashboard as the default view. Adding the dashboard to a custom add-in app and installing it to ES using the Content Manager is not a good option, because it requires creating and maintaining a separate app and it may cause conflicts or performance issues with ES. Therefore, the correct answer is C. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. References =

• Customize the navigation bar
• Roles and capabilities in Splunk Enterprise Security
• Content Management
• Customize Splunk Enterprise Security dashboards to fit your use case

How to Create Custom Dashboards and Alerts to Achi ... - Splunk Community

According to the Splunk Enterprise Security documentation, the default schedule for accelerating ES data models is every 5 minutes. This means that the data model acceleration searches run every 5 minutes to summarize the newly indexed data and store the results in the tsidx files. The 5-minute schedule is recommended for most use cases, as it provides a balance between search performance and resource consumption. However, you can change the schedule of a data model acceleration search in the Content Management page of Splunk Enterprise Security, if needed. See Configure data models for Splunk Enterprise Security for more details. References = Configure data models for Splunk Enterprise Security.

A key feature of a glass table is customization. A glass table is a dashboard that allows you to create dynamic and interactive visualizations of your security data. You can customize a glass table by adding static images and text, the results of ad-hoc searches, and security metrics that show the values of KPIs, service health scores, or notable events. You can also configure the appearance, behavior, and drilldown options of the glass table elements. A glass table is not rigid, but flexible and adaptable to your security needs. A glass table is not designed for interactive investigations, but for high-level monitoring and analysis. A glass table does not store data for later retrieval, but shows real-time data generated by KPIs and services. References =

• Create and manage glass tables in Splunk Enterprise Security
• Add security metrics to a glass table in Splunk Enterprise Security

 A prefix of Splunk_TA_ would allow an add-on to be automatically imported into Splunk Enterprise Security. Splunk Enterprise Security uses a naming convention to identify and import add-ons that are compatible with the Common Information Model (CIM). Add-ons that start with Splunk_TA_ are automatically imported into Splunk Enterprise Security and mapped to the appropriate data models. Add-ons that do not follow this naming convention must be manually imported and configured in Splunk Enterprise Security1. A prefix of CIM_ or TECH_ does not indicate an add-on that can be automatically imported. A suffix of .spl is the file extension for Splunk apps and add-ons, but it does not guarantee that they are compatible with Splunk Enterprise Security. References =

• Import add-ons into Splunk Enterprise Security

 The Threat Download Manager is a feature of Splunk Enterprise Security that downloads threat intelligence data from a web server. The Threat Download Manager is a modular input that runs on a schedule and fetches threat intelligence data from various sources, such as STIX/TAXII servers, RSS feeds, or custom URLs. The Threat Download Manager then passes the downloaded data to the Threat Intelligence Parser for further processing12. References = 1: Add threat intelligence to Splunk Enterprise Security - Splunk Documentation - Configure the threat intelligence sources included with Splunk Enterprise Security. 2: Using threat intelligence in Splunk Enterprise Security - Splunk Lantern - Where do I get threat intelligence?

According to the Splunk Enterprise Security Admin documentation, the minimum hardware requirements for a dedicated search head running ES are as follows: OS: 64 bit, RAM: 32 GB, CPU: 16 cores. These requirements are based on the assumption that the search head is not performing any other tasks besides running ES. The documentation also recommends having at least 500 GB of disk space for the search head. References = Splunk Enterprise Security Admin documentation

The endpoint security domain dashboards in Splunk Enterprise Security display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. The sources for events in the endpoint security domain dashboards are the devices that are considered endpoints in your network, such as workstations, notebooks, and point-of-sale systems1. References = 1: Introduction to the dashboards available in Splunk Enterprise Security - Endpoint domain dashboards.

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

• Managing data models in Enterprise Security

Splunk Enterprise Security requires a dedicated search head with no other apps installed. This is because ES is a resource-intensive application that may cause performance issues and conflicts with other apps. Installing ES on a search head with other apps may also result in data loss or corruption. Therefore, it is recommended to install ES on a clean search head with only the default built-in apps and the Common Information Model (CIM) app. The CIM app is a prerequisite for ES and provides a common language for describing data across domains and technologies. The other options, B, C, and D, are not correct. Installing ES on a search head with any other apps, including TA-* or CIM-compliant apps, is not supported and may cause problems. References =

• Install Splunk Enterprise Security
• Splunk Enterprise Security Installation and Upgrade Manual

Detailed information about identities, such as user names, email addresses, phone numbers, and roles, is stored in the Identity Lookup CSV file in Splunk Enterprise Security. The Identity Lookup CSV file is a lookup file that contains the identity data that is collected and extracted from various data sources, such as Active Directory, LDAP, or custom identity lists. The Identity Lookup CSV file is used to enrich events with identity information and generate notable events based on identity correlation searches. You can view and manage the Identity Lookup CSV file using the Asset and Identity Management page in Splunk Enterprise Security. References =

• Manage assets and identities in Splunk Enterprise Security
• Identity Lookup CSV file

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

• Modify the correlation schedule and sensitivity for your site
• Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

According to the Splunk Enterprise Security documentation, threat gen searches are searches that generate synthetic events in the threat activity index to simulate security threats. Threat gen searches are useful for testing and validating the correlation searches, notable events, and adaptive response actions in Splunk Enterprise Security. Threat gen searches produce events in the threat activity index, which is a dedicated index for storing the synthetic events. The events in the threat activity index have the sourcetype of threatgen and the tag of threat. You can use the Threat Activity dashboard to view and analyze the events in the threat activity index. See Threat gen searches for more details.

The other options are not correct, because threat gen searches do not produce them. Threat gen searches do not produce threat intel in KV Store collections, which are key-value pairs of data that store and manage threat intelligence in Splunk Enterprise Security. Threat gen searches do not produce threat correlation searches, which are searches that correlate events with threat intelligence and generate notable events in Splunk Enterprise Security. Threat gen searches do not produce threat notables in the notable index, which are alerts or tasks that indicate potential security incidents or threats in Splunk Enterprise Security. Therefore, the correct answer is D. Events in the threat activity index. References = Threat gen searches.

Upping the Auditing Game for Correlation Searches Within ... - Splunk

 ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to the $SPLUNK_HOME/etc/shcluster/apps location on the cluster deployer instance. This is the directory where the deployer stores the configuration bundle that it distributes to the search head cluster members. The configuration bundle consists of apps and other configuration files that are not replicated by the cluster. The deployer does not use the $SPLUNK_HOME/etc/master-apps/ directory, which is used by the master node in an indexer cluster. The deployer does not use the $SPLUNK_HOME/etc/system/local/ directory, which is used to store local configuration files for the deployer instance itself. The deployer does not use the $SPLUNK_HOME/var/run/searchpeers/ directory, which is used by the search head to store information about the indexer cluster peers. References =

• Use the deployer to distribute apps and configuration updates - Splunk Documentation
• Install Splunk Enterprise Security in a search head cluster environment - Splunk Documentation

Data integrity control is a feature of Splunk Enterprise that helps you verify the integrity of data that it indexes. When you enable data integrity control for an index, Splunk Enterprise computes hashes on every slice of data using the SHA-256 algorithm. It then stores those hashes so that you can verify the integrity of your data later. This feature prevents data tampering and ensures that the data is trustworthy and reliable. Therefore, the correct answer is B. Data integrity control. References = Manage data integrity - Splunk Documentation.

 The Remote Access panel within the User Activity dashboard is based on the Authentication data model, which contains information about authentication events from various sources, such as VPN, SSH, RDP, and others. The Authentication data model is accelerated by default, which means that it generates summary data to speed up searches. However, if the summary data is not up to date, the dashboard panel may not show the most recent data. This can happen if the data model acceleration search is skipped, disabled, or encountering errors12. To check the status of the data model acceleration, you can use the Data Model Audit dashboard in the Monitoring Console3 or the | datamodel command in the Search app4. References = 1: User Activity Monitoring - Splunk Documentation - Remote Access. 2: About data model acceleration - Splunk Documentation. 3: Use the Data Model Audit dashboard - Splunk Documentation. 4: datamodel - Splunk Documentation.

Splunk Enterprise Security supports downloading threat intelligence from STIX/TAXII servers. STIX is a structured language for describing cyber threat information, and TAXII is a protocol for exchanging STIX data. Splunk Enterprise Security can download STIX/TAXII feeds from any server that supports the TAXII 1.1 specification and the STIX 1.1.1 or 1.2 specification. Splunk Enterprise Security does not support downloading threat intelligence from text, VulnScanSPL, or Splunk Enterprise Threat Generator sources. References = Add threat intelligence to Splunk Enterprise Security, Upload a STIX or OpenIOC structured threat intelligence file

The correct answer is B. Normalize data. The Add-on Builder can configure a new add-on to normalize data by mapping the data fields to the Common Information Model (CIM). The CIM provides a common language for describing data across domains and technologies. Normalizing data enables the data to be used by other Splunk apps, such as Splunk Enterprise Security and Splunk IT Service Intelligence. The Add-on Builder can also configure other features in a new add-on, such as collecting data from various sources, extracting fields from the data, creating alert actions and adaptive response actions, and testing and validating the add-on. However, the Add-on Builder cannot configure an add-on to expire data, summarize data, or translate data. These are not features of the Add-on Builder. References =

• Splunk Add-on Builder
• [Use the Common Information Model in Splunk Web]

 According to the Splunk Enterprise Security documentation, only users with the ess_admin role or the Manage All Investigations capability can delete an investigation. The investigation owner and collaborators can edit the investigation, but not delete it. Therefore, the correct answer is A. ess_admin users only. References = Manage investigations in Splunk Enterprise Security

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

• Add asset and identity data to Splunk Enterprise Security
• Asset and identity fields in Splunk Enterprise Security