Splunk SPLK-3001 Splunk Enterprise Security Certified Admin Exam Exam Practice Test

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

• Technology add-ons overview
• Splunk Common Information Model Add-on
• Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

After installing the add-ons necessary for normalizing data, you should configure the add-ons according to their README or documentation. The add-ons that are included in the Splunk Enterprise Security package are preconfigured and do not require additional steps. However, the add-ons that are downloaded separately from Splunkbase may require additional configuration steps, such as enabling inputs, setting up credentials, or modifying props and transforms. You should review the README or documentation for each add-on to determine the specific configuration requirements and follow the instructions accordingly. References =

• Deploy add-ons to Splunk Enterprise Security
• About installing Splunk add-ons

 ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to the $SPLUNK_HOME/etc/shcluster/apps location on the cluster deployer instance. This is the directory where the deployer stores the configuration bundle that it distributes to the search head cluster members. The configuration bundle consists of apps and other configuration files that are not replicated by the cluster. The deployer does not use the $SPLUNK_HOME/etc/master-apps/ directory, which is used by the master node in an indexer cluster. The deployer does not use the $SPLUNK_HOME/etc/system/local/ directory, which is used to store local configuration files for the deployer instance itself. The deployer does not use the $SPLUNK_HOME/var/run/searchpeers/ directory, which is used by the search head to store information about the indexer cluster peers. References =

• Use the deployer to distribute apps and configuration updates - Splunk Documentation
• Install Splunk Enterprise Security in a search head cluster environment - Splunk Documentation

A key feature of a glass table is customization. A glass table is a dashboard that allows you to create dynamic and interactive visualizations of your security data. You can customize a glass table by adding static images and text, the results of ad-hoc searches, and security metrics that show the values of KPIs, service health scores, or notable events. You can also configure the appearance, behavior, and drilldown options of the glass table elements. A glass table is not rigid, but flexible and adaptable to your security needs. A glass table is not designed for interactive investigations, but for high-level monitoring and analysis. A glass table does not store data for later retrieval, but shows real-time data generated by KPIs and services. References =

• Create and manage glass tables in Splunk Enterprise Security
• Add security metrics to a glass table in Splunk Enterprise Security

To observe what network services are in use in a network’s activity overall, the Protocol Analysis dashboard in Enterprise Security will contain the most relevant data. The Protocol Analysis dashboard shows the network traffic data by protocol, such as TCP, UDP, ICMP, and others. You can use this dashboard to identify the most active protocols, the most active hosts, the most active ports, and the most active connections in your network. You can also filter the dashboard by protocol, host, port, or connection to narrow down your analysis. The Protocol Analysis dashboard uses the data from the Network Resolution (stream) data model, which requires the Splunk Stream app to collect network packet data1. References =

• Protocol Analysis dashboard - Splunk Documentation

 The urgency of a notable event is a value that indicates how important or urgent the event is for investigation and response. The urgency of a notable event is determined by two fields: the priority and the severity. The priority is a value that is assigned to an asset or an identity based on how critical or valuable it is for the organization. The priority can be unknown, low, medium, high, or critical. The severity is a value that is assigned to a notable event based on how serious or harmful the event is for the security posture. The severity can be unknown, informational, low, medium, high, or critical. The urgency of a notable event is calculated by combining the priority and the severity values using a lookup table called urgency_lookup. The urgency can be informational, low, medium, high, or critical. You can use the urgency field to prioritize the investigation of notable events in Splunk Enterprise Security. References =

• How urgency is assigned to notable events in Splunk Enterprise Security
• Priority and severity in Splunk Enterprise Security

Correlation searches are scheduled searches that run in Splunk Enterprise Security to detect security incidents or other notable events. They can consume a lot of resources and affect the overall search performance. To improve the search performance, you can do the following actions:

• Reduce the frequency (schedule) of lower-priority correlation searches. This will reduce the number of searches that run concurrently and free up some resources for other searches. You can edit the schedule of a correlation search in the Content Management page of Splunk Enterprise Security. See Edit a correlation search in Splunk Enterprise Security for more details.
• Add notable event suppressions for correlation searches with high numbers of false positives. This will prevent the correlation search from generating notable events that are not relevant or actionable, and reduce the load on the Notable Event Framework. You can add suppression rules for a correlation search in the Content Management page of Splunk Enterprise Security. See Suppress notable events in Splunk Enterprise Security for more details.

The other two actions are not recommended, because they can have negative effects on the search performance or the security posture. Disabling indexed real-time search can cause some dashboards and panels to not display data correctly, and increasing the priority of all correlation searches can cause resource contention and degrade the performance of other searches. See Optimize Splunk Enterprise for peak performance and How search types affect Splunk Enterprise performance for more information. References =

• Edit a correlation search in Splunk Enterprise Security
• Suppress notable events in Splunk Enterprise Security
• Optimize Splunk Enterprise for peak performance
• How search types affect Splunk Enterprise performance

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

• Manage and customize investigation statuses in Splunk Enterprise Security

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

• Modify the correlation schedule and sensitivity for your site
• Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

 According to the Splunk Enterprise Security documentation, the Create Notable Event adaptive response action is one of the included adaptive response actions that is configured by default for ES. This action allows you to create a notable event from the results of a correlation search or from the details of another notable event. You can customize the title, description, urgency, owner, and other fields of the notable event. The Create Notable Event action is useful for creating alerts or tasks based on specific conditions or criteria. Therefore, the correct answer is A. Create notable event. References = Create Notable Event.

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

• On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
• Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.
• Click Edit and go to the Notable tab.
• Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.
• Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.
• Click Save to save the changes to the correlation search.
• The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =
• Set up Adaptive Response actions in Splunk Enterprise Security
• Included adaptive response actions with Splunk Enterprise Security

 This is because ES is a resource-intensive application that requires a dedicated search head with sufficient CPU and memory. Installing ES on the existing search head may cause performance issues and conflicts with other applications. Deleting the non-CIM-compliant apps from the search head is not recommended, as they are mission-critical for the site. Increasing the number of CPUs and amount of memory on the search head may not be enough to handle the load of ES and other applications. Therefore, option B is the most suitable answer. You can find more information about installing ES on this web page1.

Detailed information about identities, such as user names, email addresses, phone numbers, and roles, is stored in the Identity Lookup CSV file in Splunk Enterprise Security. The Identity Lookup CSV file is a lookup file that contains the identity data that is collected and extracted from various data sources, such as Active Directory, LDAP, or custom identity lists. The Identity Lookup CSV file is used to enrich events with identity information and generate notable events based on identity correlation searches. You can view and manage the Identity Lookup CSV file using the Asset and Identity Management page in Splunk Enterprise Security. References =

• Manage assets and identities in Splunk Enterprise Security
• Identity Lookup CSV file

Splunk Enterprise Security requires a dedicated search head with no other apps installed. This is because ES is a resource-intensive application that may cause performance issues and conflicts with other apps. Installing ES on a search head with other apps may also result in data loss or corruption. Therefore, it is recommended to install ES on a clean search head with only the default built-in apps and the Common Information Model (CIM) app. The CIM app is a prerequisite for ES and provides a common language for describing data across domains and technologies. The other options, B, C, and D, are not correct. Installing ES on a search head with any other apps, including TA-* or CIM-compliant apps, is not supported and may cause problems. References =

• Install Splunk Enterprise Security
• Splunk Enterprise Security Installation and Upgrade Manual

Recommended Actions show a list of Adaptive Responses to an analyst, which are possible actions that can be taken in response to a notable event. Adaptive Response Actions run automatically when a correlation search triggers a notable event, and can perform actions such as sending an email, adding a comment, or modifying a risk score. Recommended Actions are configured in the correlation search editor, while Adaptive Response Actions are configured in the alert actions manager. References =

• Included adaptive response actions with Splunk Enterprise Security
• Set up Adaptive Response actions in Splunk Enterprise Security
• Configure adaptive response actions for a correlation search in Splunk Enterprise Security

 You can export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. The Content Management page allows you to view, edit, enable, disable, and export content in Splunk Enterprise Security. You can also import content from other ES instances or from the Splunk Security Essentials app. References =

• Export content from Splunk Enterprise Security as an app
• Content Management

 The Remote Access panel within the User Activity dashboard is based on the Authentication data model, which contains information about authentication events from various sources, such as VPN, SSH, RDP, and others. The Authentication data model is accelerated by default, which means that it generates summary data to speed up searches. However, if the summary data is not up to date, the dashboard panel may not show the most recent data. This can happen if the data model acceleration search is skipped, disabled, or encountering errors12. To check the status of the data model acceleration, you can use the Data Model Audit dashboard in the Monitoring Console3 or the | datamodel command in the Search app4. References = 1: User Activity Monitoring - Splunk Documentation - Remote Access. 2: About data model acceleration - Splunk Documentation. 3: Use the Data Model Audit dashboard - Splunk Documentation. 4: datamodel - Splunk Documentation.

The Risk Analysis dashboard uses the Risk data model to populate the panels. The Risk data model is a data model that contains information about the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The Risk data model accelerates these fields for the Risk Analysis and Incident Review dashboards. The Risk data model also handles case insensitive asset and identity correlation, allowing risk modifiers that are applied to system or user name variants to be correctly attributed to the same risk_object1. The other options, B, C, and D, are not correct. The Audit data model contains information about audit events, such as user logins, password changes, and system access. The Domain Analysis data model contains information about the domains that are visited by the systems in the network. The Threat Intelligence data model contains information about the threat intelligence sources, indicators, and matches. References =

• Risk Analysis dashboard
• Risk data model
• Risk Analysis framework

 According to the Splunk Enterprise Security documentation, the option to create a Short ID for a notable event is located in the Event Details section of the notable event. The Event Details section shows the basic information about the notable event, such as title, description, urgency, owner, status, and others. It also provides a link to Create Short ID, which generates a 6-digit alphanumeric code that can be used to identify and share the notable event. The Short ID is appended to the URL of the Incident Review dashboard and can be used to filter the notable events by the Short ID field. See Manually create a notable event in Splunk Enterprise Security for more details. Therefore, the correct answer is B. The Event Details. References = Manually create a notable event in Splunk Enterprise Security.

The setting that is used in indexes.conf to specify alternate locations for accelerated storage is tstatsHomePath. Accelerated storage is the location where Splunk Enterprise stores the summary data for accelerated data models and reports. By default, acceleration storage is allocated in the same location as the index containing the raw events being accelerated. However, if you need to specify alternate locations for your accelerated storage, you can use the tstatsHomePath setting in indexes.conf. This setting allows you to define a different path for the summary data, which can improve the performance and efficiency of the data model acceleration. For example, you can set the tstatsHomePath to a faster disk or a different volume than the index homePath12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: indexes.conf - Splunk Documentation - tstatsHomePath.

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

• [Install Splunk Enterprise Security]
• [Splunk Enterprise architecture]

The value in the red box is an IP address rating. This is a numerical value that represents the risk associated with an IP address. The higher the value, the higher the risk. This value is calculated based on the number of security events associated with the IP address, the severity of those events, and the time since the last event. References:

• Administering Splunk Enterprise Security
• Splunk Enterprise security Admin
• IP Intelligence

 To add a new column to the Notable Event table in the Incident Review dashboard, you need to follow these steps:

• On the Splunk Enterprise Security menu bar, click Configure > Incident Management > Incident Review Settings.
• On the Incident Review Settings page, click the Table Attributes tab.
• On the Table Attributes tab, click Add New Attribute.
• Enter the name of the attribute that you want to add as a column, such as src or dest. The name must match the field name in the notable event data model.
• Enter a label for the attribute that will appear as the column header, such as Source or Destination.
• Enter a description for the attribute that will appear as a tooltip when you hover over the column header.
• Select the data type for the attribute, such as string or number.
• Select the visibility for the attribute, such as visible or hidden.
• Click Save to save the new attribute.
• Refresh the Incident Review dashboard to see the new column in the Notable Event table. References =
• Add custom columns to the Incident Review dashboard in Splunk Enterprise Security

Removing throttling fields would not reduce the number of false positives from a correlation search. Throttling fields are the fields that are used to group events and suppress duplicate alerts. For example, if you use src and dest as throttling fields, then the correlation search will only generate one alert per unique pair of src and dest values within the throttling window. This can help reduce the number of false positives by avoiding repeated alerts for the same issue. Removing throttling fields would increase the number of alerts generated by the correlation search, which could include more false positives. The other actions could help reduce the number of false positives by making the correlation search less sensitive or less frequent. Reducing the severity would lower the priority of the alerts and make them less visible. Increasing the throttling window would increase the time interval between alerts for the same issue. Increasing threshold sensitivity would make the correlation search more selective and require more evidence to trigger an alert. References =

• Configure correlation searches in Splunk Enterprise Security
• Optimizing correlation searches in Enterprise Security

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events. The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation12. References = 1: Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role. 2: Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event. The urgency can be one of the following values: low, medium, high, or critical12. For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking3. References = 1: Incident Review - Splunk Documentation - Urgency. 2: Configure notable event urgency - Splunk Documentation. 3: Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.

In order to include an eventtype in a data model node, you need to apply the correct tags to the eventtype. Tags are labels that you can assign to event types to identify them as belonging to a specific category or domain. Tags are used by data models to map event types to data model nodes. For example, if you have an eventtype named windows_performance that contains events related to Windows performance metrics, you can tag it with performance and os. Then, you can include the eventtype in a data model node that matches those tags, such as the Performance node in the Operating System data model12. To apply tags to an eventtype, you can use the Settings > Event types page in Splunk Web, or the eventtypes.conf and tags.conf configuration files3. References = 1: About data models - Splunk Documentation - How data models use tags. 2: Use tags to map event types to data model nodes - Splunk Documentation. 3: About event types - Splunk Documentation - Tag event types.

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

• Manage assets and identities in Splunk Enterprise Security
• People