Splunk SPLK-3001 Exam Practice Test Instant Access

Question 1

What does the summariesonly=true option do for a correlation search?

ASearches only accelerated data.

BForwards summary indexes to the indexing tier.

CUses a default summary time range.

DSearches summary indexes only.

Answer : A

Question 2

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

AAdministrative Identities

BLocal User Intel

CIdentities

DPrivileged Accounts

Answer : C

Question 3

What is the bar across the bottom of any ES window?

AThe Investigator Workbench.

BThe Investigation Bar.

CThe Analyst Bar.

DThe Compliance Bar.

Answer : B

Question 4

Following the Installation of ES, an admin configured Leers with the ss_uso r role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to closed?

AFrom the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.

BFrom the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.

CIn Enterprise Security, give the ess_user role the own Notable Events permission.

DFrom Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.

Answer : B

Question 5

Which of these Is a benefit of data normalization?

AReports run faster because normalized data models can be optimized for better performance.

BDashboards take longer to build.

CSearches can be built no matter the specific source technology for a normalized data type.

DForwarder-based inputs are more efficient.

Answer : A

Question 6

Which of the following actions can improve overall search performance?

ADisable indexed real-time search.

BIncrease priority of all correlation searches.

CReduce the frequency (schedule) of lower-priority correlation searches.

DAdd notable event suppressions for correlation searches with high numbers of false positives.

Answer : A

Question 7

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

AEdit the search and modify the notable event status field to make the notable events less urgent.

BEdit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

CEdit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

DModify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Answer : B

Splunk SPLK-3001 Splunk Enterprise Security Certified Admin Exam Practice Test