What feature of Enterprise Security downloads threat intelligence data from a web server?

A. Threat Service Manager
B. Threat Download Manager
C. Threat Intelligence Parser
D. Threat Intelligence Enforcement

Answer: B

April 23, 2020

Which column in the Asset or Identity list is combined with event severity to make a notable event's urgency?

A. VIP
B. Priority
C. Importance
D. Criticality

Answer: B
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

April 23, 2020

Which argument to the | tstats command restricts the search to summarized data only?

A. summaries=t
B. summaries=all
C. summariesonly=t
D. summariesonly=all

Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

April 23, 2020

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

A. thawedPath
B. tstatsHomePath
C. summaryHomePath
D. warmToColdScript

Answer: B
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

April 22, 2020
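As an added example (not from this page or from Splunk's documentation), the indexes.conf fragment below moves the data model acceleration summaries of one index onto a separate volume via tstatsHomePath. The volume name fast_summaries, the filesystem path and the size limit are assumptions; the default value shown in the comment is the one from indexes.conf.spec.

```conf
# indexes.conf (added example; volume name, path and size are assumptions)

# Dedicated volume for data model acceleration summaries (the TSIDX files
# that | tstats summariesonly=t reads).
[volume:fast_summaries]
path = /fastssd/splunk/summaries
maxVolumeDataSizeMB = 200000

[main]
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
# Data model acceleration summaries for this index go to the fast volume.
# Default: volume:_splunk_summaries/$_index_name/datamodel_summary
tstatsHomePath = volume:fast_summaries/defaultdb/datamodel_summary
```

summaryHomePath is a real setting, but it controls report acceleration summaries, not data model acceleration; thawedPath holds restored archived buckets and warmToColdScript runs when a bucket rolls. After editing, confirm the effective value with `splunk btool indexes list main --debug` on each indexer, and remember that existing summaries are not moved: they are rebuilt at the new location by the next acceleration run.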

Which of the following are examples of sources for events in the endpoint security domain dashboards?

A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.

Answer: C
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

April 20, 2020

Which of the following is a way to test for a properly normalized data model?

A. Use Audit -> Normalization Audit and check the Errors panel.
B. Run a | datamodel search, compare results to the CIM documentation for the data model.
C. Run a | loadjob search, look at tag values and...

April 20, 2020

In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

A. Save the settings.
B. Apply the correct tags.
C. Run the correct search.
D. Visit the CIM dashboard.

Answer: B
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizeOSSECdata

April 18, 2020

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

A. ess_user
B. ess_admin
C. ess_analyst
D. ess_reviewer

Answer: C
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents

April 17, 2020

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

A. $fieldname$
B. "fieldname"
C. %fieldname%
D. _fieldname_

Answer: A

April 17, 2020

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

A. An urgency.
B. A risk profile.
C. An aggregation.
D. A numeric score.

Answer: D
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskScoring

April 14, 2020
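The savedsearches.conf stanza below is an added example, not from this page or from Splunk's own content, that ties together three of the questions above: the | tstats summariesonly=t search, the $fieldname$ tokens in the notable event title, description and drill-down, and the numeric risk score the risk action adds to an object. The stanza name, the threshold, the schedule and the score value are assumptions; the action.notable.param.* keys are the ones ES 6.x writes for the Incident Review fields, and the action.risk.param.* keys are what ES 6.x used for the risk adaptive response action (verify them against savedsearches.conf.spec in your ES version before deploying).

```conf
# savedsearches.conf (added example; stanza name, threshold, schedule and score are assumptions)
[Access - Excessive Failed Logins by Source - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Excessive Failed Logins by Source
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
# summariesonly=t answers only from the accelerated Authentication summaries and
# never falls back to scanning raw events; the rename drops the data model prefix
# so that src, user and failures are available as tokens below.
search = | tstats summariesonly=t count AS failures FROM datamodel=Authentication.Authentication WHERE Authentication.action="failure" BY Authentication.src, Authentication.user \
| rename Authentication.src AS src, Authentication.user AS user \
| where failures > 20

# Notable event: field values are embedded with $fieldname$ tokens.
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.rule_title = $failures$ failed logins as $user$ from $src$
action.notable.param.rule_description = Source $src$ failed to authenticate as $user$ $failures$ times in the last 30 minutes.
action.notable.param.drilldown_name = View failed logins from $src$
action.notable.param.drilldown_search = | datamodel Authentication Authentication search | search Authentication.src="$src$" Authentication.action="failure"

# Risk: adds a numeric score to the risk object (key names as used by ES 6.x).
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 40
```

Two caveats a practitioner should check before trusting this rule. First, because of summariesonly=t, events indexed after the last acceleration run are invisible to it: if the Authentication data model is not accelerated it returns nothing at all, and if acceleration lags behind the 15-minute schedule a burst can be missed, so compare the summary's latest time in Settings > Data models with the dispatch window. Second, the notable's urgency is not set here; it is computed from the severity above and the priority column of the asset (or identity) that matches src (or user) in the Asset and Identity lists, so an unlisted source lands at the default priority and a lower urgency than expected.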