Free Splunk Enterprise Security Certified Admin Exam SPLK-3001 Exam Practice Test

Which feature contains scenarios that are useful during ES Implementation?

• Use Case Library
• Correlation Searches
• Predictive Analytics
• Adaptive Responses

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

• Security domains.
• Threat intel.
• Assets.
• Domains.

Which two fields combine to create the Urgency of a notable event?

• Priority and Severity.
• Priority and Criticality.
• Criticality and Severity.
• Precedence and Time.

An administrator is asked to configure an ''Nslookup'' adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

• Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
• Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
• Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
• Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Which of the following are data models used by ES? (Choose all that apply)

• Web
• Anomalies
• Authentication
• Network Traffic

Which argument to the | tstats command restricts the search to summarized data only?

• summaries=t
• summaries=all
• summariesonly=t
• summariesonly=all

What can be exported from ES using the Content Management page?

• Only correlation searches, managed lookups, and glass tables.
• Only correlation searches.
• Any content type listed in the Content Management page.
• Only correlation searches, glass tables, and workbench panels.

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

• Use new app names each time content is exported.
• Do not use the .spl extension when naming an export.
• Always include existing and new content for each export.
• Either use new app names or always include both existing and new content.

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

• Edit the search and modify the notable event status field to make the notable events less urgent.
• Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.
• Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
• Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Which of the following is a key feature of a glass table?

• Rigidity.
• Customization.
• Interactive investigations.
• Strong data for later retrieval.