ES needs to be installed on a search head with which of the following options?
A. No other apps.
B. Any other apps installed.
C. All apps removed except for TA-*.
D. Only default built-in and CIM-compliant apps.
Explanation:
Splunk Enterprise Security (ES) should be installed on a dedicated search head that contains only:
Default built-in Splunk apps
Apps and add-ons that are CIM-compliant (Common Information Model)
This ensures that:
Data model acceleration functions correctly
There are no conflicts with saved searches, lookups, or configurations
The ES app maintains performance and stability
❌ Why the other options are incorrect:
A. No other apps: Too strict. ES needs CIM-compliant add-ons on the search head for data normalization, and ES itself ships with supporting add-ons.
B. Any other apps installed: Incorrect. Non-CIM-compliant or conflicting apps can interfere with data model acceleration, saved searches, and lookups that ES depends on.
C. All apps removed except for TA-*: Not necessarily true. TA-* apps are technology add-ons, but ES also depends on CIM-compliant apps and add-ons that do not carry that prefix.
How does ES know local customer domain names so it can detect internal vs. external emails?
A. Web and email domain names are set in General -> General Configuration.
B. ES uses the User Activity index and applies machine learning to determine internal and external domains.
C. The Corporate Web and Email Domain Lookups are edited during initial configuration.
D. ES extracts local email and web domains automatically from SMTP and HTTP logs.
Explanation:
Splunk Enterprise Security (ES) uses lookup tables to distinguish internal (corporate) domains from external ones in email and web traffic.
Corporate domains (e.g., yourcompany.com) must be entered manually in the Corporate Email Domains and Corporate Web Domains lookups.
These lookups are populated during initial ES configuration and can be updated later under Configure → Data Enrichment → Lookups.
ES does not extract corporate domains from SMTP or HTTP logs automatically, which eliminates D.
ES does not apply machine learning to classify domains; it relies on the static lookups, which eliminates B.
A is incorrect because the domains are not set under General → General Configuration; they live in the lookup tables.
Key Concept:
Lookup tables are critical for ES to classify internal vs. external entities.
Without proper domain entries, ES might misclassify internal emails as external (or vice versa), affecting threat detection.
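The following is an added example, not code from Splunk ES or from this page. It simulates the Corporate Email Domains lookup with a constructed one-column CSV (the `domain` column and the wildcard match type are assumptions made for the example) and shows how a corporate domain that was never added to the lookup gets classified as external:

```python
import csv
import fnmatch
import io

# Constructed stand-in for the ES "Corporate Email Domains" lookup. A single
# "domain" column holding wildcard patterns is an assumption for this example,
# not a copy of the lookup file that ES ships.
CORPORATE_EMAIL_DOMAINS_CSV = """domain
yourcompany.com
*.yourcompany.com
yourcompany-mail.net
"""


def load_domain_lookup(csv_text):
    """Read the domain patterns out of a one-column lookup CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["domain"].strip().lower() for row in reader if row["domain"].strip()]


def email_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    _local, at, domain = address.rpartition("@")
    if not at or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def is_corporate_domain(domain, patterns):
    """Wildcard match, the behaviour a Splunk lookup defined with
    match_type = WILDCARD(domain) gives (assumed here for the corporate lookups)."""
    return any(fnmatch.fnmatchcase(domain, pattern) for pattern in patterns)


def classify_message(sender, recipient, patterns):
    """internal / outbound / inbound / external, judged purely by the lookup."""
    sender_internal = is_corporate_domain(email_domain(sender), patterns)
    recipient_internal = is_corporate_domain(email_domain(recipient), patterns)
    if sender_internal and recipient_internal:
        return "internal"
    if sender_internal:
        return "outbound"
    if recipient_internal:
        return "inbound"
    return "external"


def unmatched_sender_domains(senders, patterns):
    """Sender domains the lookup treats as external. Reviewing this list is how
    you find corporate domains that were never added to the lookup."""
    return sorted({email_domain(s) for s in senders
                   if not is_corporate_domain(email_domain(s), patterns)})


if __name__ == "__main__":
    patterns = load_domain_lookup(CORPORATE_EMAIL_DOMAINS_CSV)
    # Constructed sample messages; the .co.uk sender is a corporate domain that
    # was left out of the lookup, so lookup-driven logic calls that mail "inbound".
    samples = [
        ("alice@yourcompany.com", "bob@mail.yourcompany.com"),
        ("alice@yourcompany.com", "partner@example.org"),
        ("carol@yourcompany.co.uk", "bob@yourcompany.com"),
        ("spam@example.org", "list@example.net"),
    ]
    for sender, recipient in samples:
        print(f"{sender} -> {recipient}: {classify_message(sender, recipient, patterns)}")
    print("not in lookup:", unmatched_sender_domains([s for s, _ in samples], patterns))
```

The `unmatched_sender_domains` pass is the practical check: run it over the sender domains actually seen in your mail logs and any corporate domain that shows up there is missing from the lookup.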
How is it possible to navigate to the ES graphical Navigation Bar editor?
A. Configure -> Navigation Menu
B. Configure -> General -> Navigation
C. Settings -> User Interface -> Navigation -> Click on “Enterprise Security”
D. Settings -> User Interface -> Navigation Menus -> Click on “default” next to Splunk Enterprise Security Suite
Explanation:
In Splunk Enterprise Security (ES), the Navigation Bar (menu) can be customized to modify the visibility and ordering of menu items. Here’s how to access the editor:
1. Go to Settings (gear icon in the top-right corner).
2. Navigate to User Interface → Navigation Menus.
3. Locate the entry for SplunkEnterpriseSecuritySuite and click on "default" (or another custom menu if configured).
4. This opens the Navigation Bar editor, where you can add, remove, or rearrange menu items.
Why the Other Options Are Incorrect:
A. Configure → Navigation Menu
Incorrect because the Configure menu does not contain a direct "Navigation Menu" option.
B. Configure → General → Navigation
Wrong path; the General settings under Configure do not control the Navigation Bar.
C. Settings → User Interface → Navigation → Click on “Enterprise Security”
Close, but the correct path requires selecting "Navigation Menus" (not just "Navigation") and then clicking "default" (not "Enterprise Security").
Key Concept:
The Navigation Bar in ES is customizable per-app, and modifications are done via Settings → User Interface → Navigation Menus.
Changes affect how analysts interact with ES, so proper configuration improves usability.
What is the main purpose of the Dashboard Requirements Matrix document?
A. Identifies on which data model(s) each dashboard depends.
B. Provides instructions for customizing each dashboard for local data models.
C. Identifies the searches used by the dashboards.
D. Identifies which data model(s) depend on each dashboard.
Explanation:
The Dashboard Requirements Matrix in the Splunk Enterprise Security (ES) documentation tells administrators which data models (e.g., Authentication, Network_Traffic, Malware) each ES dashboard depends on.
Knowing these dependencies lets an administrator confirm that the underlying data models are accelerated and populated, so the dashboards display data correctly.
Why the Other Options Are Incorrect:
B. Provides instructions for customizing each dashboard for local data models.
While customization may be needed, the matrix itself does not provide instructions—it only lists dependencies.
C. Identifies the searches used by the dashboards.
The matrix focuses on data model dependencies, not the underlying searches.
D. Identifies which data model(s) depend on each dashboard.
This is backwards—the matrix shows which dashboards depend on which data models, not the other way around.
Key Concept:
Before relying on ES dashboards, admins must:
1. Verify that the required data models are accelerated.
2. Ensure data is being ingested into those models (via CIM-compliant sources).
The Dashboard Requirements Matrix helps avoid blank or incomplete dashboards caused by missing data model dependencies.
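Added example, not from the ES documentation or this page: a Python check that compares a dashboard-to-data-model matrix against the acceleration status reported by Splunk's datamodel REST endpoint. The matrix entries are plausible but constructed, and the REST reply is a trimmed, constructed sample whose shape (acceleration settings as a JSON-encoded string under `content`) is an assumption for this example.

```python
import json

# Constructed excerpt of a dashboard-to-data-model dependency matrix. The pairings
# are plausible but assumed for this example; the authoritative mapping is the
# Dashboard Requirements Matrix in the ES documentation.
DASHBOARD_REQUIREMENTS = {
    "Access Center": ["Authentication"],
    "Malware Center": ["Malware"],
    "Traffic Center": ["Network_Traffic"],
    "Intrusion Center": ["Intrusion_Detection"],
    "Web Center": ["Web"],
}

# Constructed, trimmed-down reply to GET /services/datamodel/model?output_mode=json.
# Modelling the acceleration settings as a JSON-encoded string under "content" is an
# assumption for this example; the parser below also accepts a plain object.
DATAMODEL_REST_JSON = json.dumps({
    "entry": [
        {"name": "Authentication",
         "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-1mon"})}},
        {"name": "Malware",
         "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-1mon"})}},
        {"name": "Network_Traffic",
         "content": {"acceleration": json.dumps({"enabled": False})}},
        {"name": "Web",
         "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-7d"})}},
    ]
})


def defined_models(rest_json):
    """Names of every data model the search head knows about."""
    return {entry["name"] for entry in json.loads(rest_json)["entry"]}


def accelerated_models(rest_json):
    """Names of the data models whose acceleration is switched on."""
    enabled = set()
    for entry in json.loads(rest_json)["entry"]:
        raw = entry["content"].get("acceleration", "{}")
        settings = json.loads(raw) if isinstance(raw, str) else raw
        if settings.get("enabled"):
            enabled.add(entry["name"])
    return enabled


def dashboard_readiness(requirements, rest_json):
    """Map each dashboard to the required models that would leave it blank,
    distinguishing a model that is absent (CIM add-on not installed) from one
    that exists but is not accelerated."""
    defined = defined_models(rest_json)
    accelerated = accelerated_models(rest_json)
    problems = {}
    for dashboard, models in requirements.items():
        issues = {}
        for model in models:
            if model not in defined:
                issues[model] = "data model not present"
            elif model not in accelerated:
                issues[model] = "acceleration disabled"
        if issues:
            problems[dashboard] = issues
    return problems


if __name__ == "__main__":
    report = dashboard_readiness(DASHBOARD_REQUIREMENTS, DATAMODEL_REST_JSON)
    for dashboard, issues in report.items():
        for model, why in issues.items():
            print(f"{dashboard}: {model} ({why})")
```

Acceleration being enabled is necessary but not sufficient: the summary stays empty if no CIM-compliant events are tagged into the model. On a live search head, `| tstats summariesonly=true count from datamodel=Network_Traffic` returning zero over the acceleration window is the quick way to catch that second failure mode.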
What are adaptive responses triggered by?
A. By correlation searches and users on the incident review dashboard.
B. By correlation searches and custom tech add-ons.
C. By correlation searches and users on the threat analysis dashboard.
D. By custom tech add-ons and users on the risk analysis dashboard
Explanation:
Adaptive Responses in Splunk Enterprise Security (ES) are automated or manual actions triggered in response to security events. They can be initiated in two primary ways:
By Correlation Searches
When a correlation search generates a notable event, it can automatically execute an adaptive response (e.g., blocking an IP, disabling a user account).
Example: A correlation search detecting brute-force attacks could trigger a script to block the offending IP.
By Users on the Incident Review Dashboard
Analysts can manually trigger adaptive responses for a selected notable event from the Incident Review dashboard (e.g., quarantining a host through a vendor add-on, or sending an email notification).
Why the Other Options Are Incorrect:
B. By correlation searches and custom tech add-ons.
While custom add-ons can provide new adaptive response actions, they do not trigger responses themselves—they only extend capabilities.
C. By correlation searches and users on the threat analysis dashboard.
The Threat Activity Dashboard is for analysis, not response triggering (responses are triggered from Incident Review).
D. By custom tech add-ons and users on the risk analysis dashboard.
The Risk Analysis Dashboard visualizes risk scores but does not trigger adaptive responses.
Key Concept:
Adaptive responses help automate remediation (e.g., blocking threats) or enable manual actions (e.g., escalating incidents).
Properly configured responses depend on:
1. Correlation search logic (for automatic triggering).
2. Analyst permissions (for manual triggering).
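Added example (not code from Splunk ES or this page) showing the two trigger paths in configuration terms: a correlation search enables an action with `action.<name> = 1` in savedsearches.conf, and an action is offered to analysts on Incident Review only when its Common Action Model metadata (`param._cam` in alert_actions.conf) sets `supports_adhoc` to true. The stanza names, vendor fields and the correlation search below are constructed for the example; the check reports any action that neither path can reach.

```python
import configparser
import json

# Constructed alert_actions.conf excerpt. Stanza names, labels and vendor fields
# are invented; only the layout (one stanza per action, Common Action Model
# metadata in param._cam) follows the ES convention for adaptive responses.
ALERT_ACTIONS_CONF = """\
[block_ip_on_firewall]
label = Block IP on firewall
is_custom = 1
param._cam = {"category": ["Information Conveyance"], "task": ["block"], "subject": ["network.firewall"], "technology": [{"vendor": "ExampleCo", "product": "FW", "version": "1.0"}], "supports_adhoc": true}

[quarantine_host]
label = Quarantine host
is_custom = 1
param._cam = {"category": ["Information Conveyance"], "task": ["quarantine"], "subject": ["endpoint"], "technology": [{"vendor": "ExampleCo", "product": "EDR", "version": "2.1"}], "supports_adhoc": false}

[email_soc]
label = Email SOC on-call
is_custom = 1
param._cam = {"category": ["Information Conveyance"], "task": ["create"], "subject": ["email"], "technology": [{"vendor": "ExampleCo", "product": "Mail", "version": "1.0"}], "supports_adhoc": true}
"""

# Constructed savedsearches.conf excerpt with one correlation search. A correlation
# search turns an adaptive response on with action.<stanza> = 1; keys below that
# (action.<stanza>.param.*) are the action's parameters, not further actions.
SAVEDSEARCHES_CONF = """\
[Access - Brute Force Access Behavior Detected - Rule]
action.notable = 1
action.block_ip_on_firewall = 1
action.block_ip_on_firewall.param.ip = $result.src$
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src
"""


def _parse_conf(text):
    """Splunk .conf files are INI-shaped; keep key case and do no interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def load_actions(text):
    """Map each alert action stanza to its label and CAM supports_adhoc flag."""
    parser = _parse_conf(text)
    actions = {}
    for name in parser.sections():
        cam = json.loads(parser[name].get("param._cam", "{}"))
        actions[name] = {
            "label": parser[name].get("label", name),
            "supports_adhoc": bool(cam.get("supports_adhoc", False)),
        }
    return actions


def correlation_search_actions(text):
    """Map each saved search to the adaptive response actions it enables."""
    parser = _parse_conf(text)
    enabled = {}
    for name in parser.sections():
        acts = []
        for key, value in parser[name].items():
            parts = key.split(".")
            if len(parts) == 2 and parts[0] == "action" and value.strip() == "1":
                acts.append(parts[1])
        enabled[name] = acts
    return enabled


def trigger_paths(actions, search_actions):
    """For each action: the correlation searches that fire it, whether an analyst
    can run it ad hoc from Incident Review, and whether any path reaches it."""
    report = {}
    for name, meta in actions.items():
        searches = sorted(s for s, acts in search_actions.items() if name in acts)
        report[name] = {
            "correlation_searches": searches,
            "adhoc_incident_review": meta["supports_adhoc"],
            "reachable": bool(searches) or meta["supports_adhoc"],
        }
    return report


if __name__ == "__main__":
    paths = trigger_paths(load_actions(ALERT_ACTIONS_CONF),
                          correlation_search_actions(SAVEDSEARCHES_CONF))
    for name, info in paths.items():
        status = "ok" if info["reachable"] else "NEVER TRIGGERS"
        print(f"{name}: searches={info['correlation_searches']} "
              f"adhoc={info['adhoc_incident_review']} [{status}]")
```

In the constructed data, `quarantine_host` is installed but disabled for ad hoc use and referenced by no correlation search, so it can never run; that is the misconfiguration this check exists to surface. Note that `action.notable` is referenced by the search but not defined in the excerpt (ES ships that action itself), which the report simply ignores.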
What is an example of an ES asset?
A. MAC address
B. User name
C. Server
D. People
Explanation:
In Splunk ES, an asset is any network-connected device or system (such as a server, workstation, printer, etc.) that can be the target or source of an event. Assets are key to contextualizing events in security analytics.
Assets are used in Asset and Identity correlation, enriching alerts and notable events with context like location, business unit, priority, etc.
❌ Why the other options are incorrect:
A. MAC address – This is a property of an asset, not an asset itself.
B. User name – This is considered an identity, not an asset.
D. People – This is too vague and typically aligns with identities, not physical/networked assets.
Analysts have requested the ability to capture and analyze network traffic data. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES.
Which dashboards will now be supported so analysts can view and analyze network Stream data?
A. Endpoint dashboards.
B. User Intelligence dashboards.
C. Protocol Intelligence dashboards.
D. Web Intelligence dashboards.
Explanation:
When the Splunk App for Stream is integrated with Enterprise Security (ES), it provides real-time network traffic capture and analysis. The Protocol Intelligence dashboards in ES are specifically designed to visualize and analyze this network protocol data, including:
Traffic patterns (e.g., HTTP, DNS, FTP, RDP)
Anomalies in network communications
Threat detection based on protocol behavior
Why the Other Options Are Incorrect:
A. Endpoint dashboards → These focus on host-based data (e.g., processes, file changes), not network traffic.
B. User Intelligence dashboards → These analyze user behavior (e.g., logins, access patterns), not raw network traffic.
D. Web Intelligence dashboards → These track web-specific activity (e.g., URLs, domains), but not general network protocol data.
Key Concept:
Splunk App for Stream captures wire data and feeds protocol-level events (and optional packet captures) into ES, enriching network security monitoring.
The Protocol Intelligence dashboards help analysts detect:
1. Suspicious connections (e.g., beaconing, data exfiltration).
2. Unusual protocol usage (e.g., unauthorized RDP traffic).