Exam Code: SPLK-3001
Exam Name: Splunk Enterprise Security Certified Admin Exam
Certification Provider: Splunk
NEW QUESTION 1
Where is the Add-On Builder available from?
- A. GitHub
- B. SplunkBase
- C. www.splunk.com
- D. The ES installation package
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Installation
NEW QUESTION 2
What tools does the Risk Analysis dashboard provide?
- A. High risk threats.
- B. Notable event domains displayed by risk score.
- C. A display of the highest risk assets and identities.
- D. Key indicators showing the highest probability correlation searches in the environment.
Answer: C
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis
NEW QUESTION 3
How should an administrator add a new lookup through the ES app?
- A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
- B. Upload the lookup file in Settings -> Lookups -> Lookup table files
- C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
- D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Answer: D
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups
NEW QUESTION 4
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
- A. Indexes might crash.
- B. Indexes might be processing.
- C. Indexes might not be reachable.
- D. Indexes have different settings.
Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf
NEW QUESTION 5
Where are attachments to investigations stored?
- A. KV Store
- B. notable index
- C. attachments.csv lookup
- D. <splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments
Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations
NEW QUESTION 6
Which component normalizes events?
- A. SA-CIM.
- B. SA-Notable.
- C. ES application.
- D. Technology add-on.
Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime
NEW QUESTION 7
Who can delete an investigation?
- A. ess_admin users only.
- B. The investigation owner only.
- C. The investigation owner and ess-admin.
- D. The investigation owner and collaborators.
Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations
NEW QUESTION 8
Which column in the Asset or Identity list is combined with event severity to make a notable event’s urgency?
- A. VIP
- B. Priority
- C. Importance
- D. Criticality
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned
NEW QUESTION 9
How is it possible to navigate to the list of currently-enabled ES correlation searches?
- A. Configure -> Correlation Searches -> Select Status “Enabled”
- B. Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”
- C. Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”
- D. Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “-Rule”
Answer: A
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Listcorrelationsearches
NEW QUESTION 10
What is the first step when preparing to install ES?
- A. Install ES.
- B. Determine the data sources used.
- C. Determine the hardware required.
- D. Determine the size and scope of installation.
Answer: D
NEW QUESTION 11
Where is it possible to export content, such as correlation searches, from ES?
- A. Content exporter
- B. Configure -> Content Management
- C. Export content dashboard
- D. Settings Menu -> ES -> Export
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export
NEW QUESTION 12
Which of the following is a key feature of a glass table?
- A. Rigidity.
- B. Customization.
- C. Interactive investigations.
- D. Strong data for later retrieval.
Answer: B
NEW QUESTION 13
After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?
- A. Splunk_DS_ForIndexers.spl
- B. Splunk_ES_ForIndexers.spl
- C. Splunk_SA_ForIndexers.spl
- D. Splunk_TA_ForIndexers.spl
Answer: D
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAdd-ons
NEW QUESTION 14
An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?
- A. Index consistency.
- B. Data integrity control.
- C. Indexer acknowledgement.
- D. Index access permissions.
Answer: B
Explanation:
Reference: https://answers.splunk.com/answers/790783/anti-tampering-features-to-protect-splunk-logs-the.html
NEW QUESTION 15
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?
- A. OS: 32 bit, RAM: 16 MB, CPU: 12 cores
- B. OS: 64 bit, RAM: 32 MB, CPU: 12 cores
- C. OS: 64 bit, RAM: 12 MB, CPU: 16 cores
- D. OS: 64 bit, RAM: 32 MB, CPU: 16 cores
Answer: C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware
NEW QUESTION 16
How is notable event urgency calculated?
- A. Asset priority and threat weight.
- B. Alert severity found by the correlation search.
- C. Asset or identity risk and severity found by the correlation search.
- D. Severity set by the correlation search and priority assigned to the associated asset or identity.
Answer: D
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned
NEW QUESTION 17
Which of the following threat intelligence types can ES download? (Choose all that apply)
- A. Text
- B. STIX/TAXII
- C. VulnScanSPL
- D. SplunkEnterpriseThreatGenerator
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Downloadthreatfeed
NEW QUESTION 18
Which of the following is a way to test for a properly normalized data model?
- A. Use Audit -> Normalization Audit and check the Errors panel.
- B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
- C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
- D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime
NEW QUESTION 19
The Add-On Builder creates Splunk Apps that start with what?
- A. DA-
- B. SA-
- C. TA-
- D. App-
Answer: C
Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/
NEW QUESTION 20
What is the default schedule for accelerating ES Datamodels?
- A. 1 minute
- B. 5 minutes
- C. 15 minutes
- D. 1 hour
Answer: B
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels
NEW QUESTION 21
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?
- A. Install ES on the existing search head.
- B. Add a new search head and install ES on it.
- C. Increase the number of CPUs and amount of memory on the search head, then install ES.
- D. Delete the non-CIM-compliant apps from the search head, then install ES.
Answer: B
Explanation:
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf