Splunk SPLK-3001 Practice Test - Questions Answers, Page 6

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

A. Use new app names each time content is exported.
B. Do not use the .spl extension when naming an export.
C. Always include existing and new content for each export.
D. Either use new app names or always include both existing and new content.
Suggested answer: D

Explanation:

Either use new app names each time (which could be difficult to manage) or make sure you always include all content (old and new) each time you export.

Who can delete an investigation?

A. ess_admin users only.
B. The investigation owner only.
C. The investigation owner and ess-admin.
D. The investigation owner and collaborators.
Suggested answer: A

Explanation:

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

A. Splunk_DS_ForIndexers.spl
B. Splunk_ES_ForIndexers.spl
C. Splunk_SA_ForIndexers.spl
D. Splunk_TA_ForIndexers.spl
Suggested answer: D

Explanation:

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAdd-ons

The Brute Force Access Behavior Detected correlation search is enabled and is generating many false positives. Assuming the input data has already been validated, how can the correlation search be made less sensitive?

A. Edit the search and modify the notable event status field to make the notable events less urgent.
B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.
C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.
Suggested answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

Which of the following actions can improve overall search performance?

A. Disable indexed real-time search.
B. Increase priority of all correlation searches.
C. Reduce the frequency (schedule) of lower-priority correlation searches.
D. Add notable event suppressions for correlation searches with high numbers of false positives.
Suggested answer: A

Which of the following ES features would a security analyst use while investigating a network anomaly notable?

A. Correlation editor.
B. Key indicator search.
C. Threat download dashboard.
D. Protocol intelligence dashboard.
Suggested answer: D

Explanation:

Reference: https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprisesecurity/features.html

Which component normalizes events?

A. SA-CIM.
B. SA-Notable.
C. ES application.
D. Technology add-on.
Suggested answer: A

Explanation:

Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

A. Index consistency.
B. Data integrity control.
C. Indexer acknowledgement.
D. Index access permissions.
Suggested answer: B

Explanation:

Reference: https://answers.splunk.com/answers/790783/anti-tampering-features-to-protect-splunklogs-the.html

What is the first step when preparing to install ES?

A. Install ES.
B. Determine the data sources used.
C. Determine the hardware required.
D. Determine the size and scope of installation.
Suggested answer: D

What is the default schedule for accelerating ES Datamodels?

A. 1 minute
B. 5 minutes
C. 15 minutes
D. 1 hour
Suggested answer: B