How should an administrator add a new lookup through the ES app?
A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
B. Upload the lookup file in Settings -> Lookups -> Lookup table files
C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Explanation:
In Splunk Enterprise Security (ES), the recommended way for administrators to add a new lookup is by using the Content Management interface, which is purpose-built for managing correlation searches, lookups, dashboards, and other ES components.
To do this:
Go to Configure → Content Management
Click Create New Content
Choose Managed Lookup
Upload the file and define the lookup's settings (e.g., destination name, app context, permissions)
Using this method ensures the lookup is properly tracked by ES, making it easier to manage and integrate with correlation searches or other ES features.
❌ Why the other options are incorrect or not recommended:
A. Settings → Lookups → Lookup Definitions: This lets you define the lookup after the file is uploaded, not for uploading the file itself.
B. Settings → Lookups → Lookup table files: While this can be used to upload a lookup in core Splunk, it bypasses ES’s content management system, meaning the lookup won't be managed or tracked in ES.
C. Add to /etc/apps/SplunkEnterpriseSecuritySuite/lookups: This manual file placement is not recommended because it bypasses app controls and is not preserved during upgrades or deployments.
What can be exported from ES using the Content Management page?
A. Only correlation searches, managed lookups, and glass tables.
B. Only correlation searches.
C. Any content type listed in the Content Management page.
D. Only correlation searches, glass tables, and workbench panels.
Explanation:
The Content Management page in Splunk Enterprise Security (ES) allows administrators to export (and import) various ES content types, including but not limited to:
Correlation Searches
Adaptive Response Actions
Data Models
Glass Tables (custom dashboards)
Workbench Panels
Notable Event Aggregation Policies
Managed Lookups
Why This Is Correct:
The Content Management interface (Configure > Content Management) provides a centralized way to export all supported ES content for backup, migration, or sharing.
You can select specific items or entire categories for export.
Why the Other Options Are Incorrect:
A/B/D → These options are too restrictive; the Content Management page supports exporting all listed content types, not just subsets.
Key Concept:
Use Cases for Content Management:
Migration: Move configurations between ES environments (e.g., dev → prod).
Backup: Preserve customizations before upgrades.
Sharing: Distribute threat detection rules (e.g., correlation searches) across teams.
Which of the following actions would not reduce the number of false positives from a correlation search?
A. Reducing the severity.
B. Removing throttling fields.
C. Increasing the throttling window.
D. Increasing threshold sensitivity
Explanation:
When tuning a correlation search to reduce false positives, severity controls how alarming a notable event appears (e.g., "high" vs. "low" severity) but does not affect whether the event is generated in the first place.
Why This Is Correct:
Severity is a post-trigger attribute (it labels the event after the search fires).
Changing it does not alter the search logic or reduce the number of events generated.
Actions That Do Reduce False Positives:
B. Removing throttling fields → Allows the search to group events more broadly, reducing duplicates.
C. Increasing the throttling window → Aggregates events over a longer time, filtering transient noise.
D. Increasing threshold sensitivity → Requires stricter conditions to trigger (e.g., count > 10 instead of count > 5).
Key Concept:
To reduce false positives, modify the search logic (thresholds, throttling) or input data filtering.
Severity/urgency adjustments only impact prioritization, not event volume.
Following the installation of ES, an admin gave users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?
A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.
B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
C. In Enterprise Security, give the ess_user role the own Notable Events permission.
D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Explanation:
In Splunk Enterprise Security (ES), you can control which roles are allowed to transition a notable event from one status to another using the Status Configuration settings.
If an admin wants to prevent users with the ess_user role from changing the status of a notable event from Resolved → Closed, they need to:
Go to Configure → Incident Management → Status Configuration.
Select the "Resolved" status.
Under the status transitions, look at the transition from Resolved → Closed.
Remove the ess_user role from the allowed roles for that transition.
This ensures that users with the ess_user role cannot finalize the event by closing it, even if they can perform other transitions like setting events to "In Progress" or "Resolved".
❌ Why other options are incorrect:
B. From the closed status...: Status transitions are configured from the current status, not the target. You have to control what statuses can transition to Closed, not from Closed.
C. Give own_notable_events permission: This grants ownership control, not specific transition limitations.
D. Remove edit_notable_events: This would completely block the user from editing any notable event, not just limit transitions between specific statuses.
Where is detailed information about identities stored?
A. The Identity Investigator index.
B. The Access Anomalies collection.
C. The User Activity index.
D. The Identity Lookup CSV file.
Explanation:
In Splunk Enterprise Security (ES), detailed identity information (such as user names, email addresses, roles, business units, location, etc.) is stored in a lookup file, typically a CSV file, used for identity enrichment.
This file is part of the Asset and Identity Framework and is imported through:
Configure → Data Enrichment → Identity Management
Once imported, the data is used to enrich events and notable events with contextual identity details, which enhances correlation searches, risk analysis, and investigations (e.g., through Identity Investigator).
❌ Why the other options are incorrect:
A. Identity Investigator index: Identity Investigator is a visual investigation tool, not a storage location.
B. Access Anomalies collection: This is related to notable events about unusual access patterns, not a source of identity info.
C. User Activity index: No such index exists by default. User activity is usually collected in indexed events, but identity metadata isn't stored there.
Which feature contains scenarios that are useful during ES Implementation?
A. Use Case Library
B. Correlation Searches
C. Predictive Analytics
D. Adaptive Responses
Explanation:
The Use Case Library in Splunk Enterprise Security (ES) contains a curated set of predefined security scenarios that help guide and accelerate ES implementation.
These scenarios include:
Descriptions of specific security threats or compliance requirements
Mappings to correlation searches, data models, and required data sources
Implementation guides and recommendations for tuning detection content
This feature helps administrators:
Understand what security outcomes ES can support
Prioritize deployment steps based on available data
Ensure proper data onboarding and correlation search activation
❌ Why the other options are incorrect:
B. Correlation Searches: These are the detection rules, but the Use Case Library ties them together into broader scenarios.
C. Predictive Analytics: This is not a standard core feature in ES and isn’t part of implementation guidance.
D. Adaptive Responses: These are actions taken after a notable event is triggered, not part of planning or implementation.
Which correlation search feature is used to throttle the creation of notable events?
A. Schedule priority.
B. Window interval.
C. Window duration.
D. Schedule windows.
Explanation:
In Splunk Enterprise Security (ES), the Window duration setting in a correlation search is used to throttle (control) the creation of notable events by:
Aggregating matching events over a specified time window (e.g., 10 minutes, 1 hour).
Preventing duplicate notable events for the same activity within that window.
Example:
If a correlation search detects 5 failed logins in 5 minutes, and the Window duration is set to 30 minutes, ES:
Groups all similar events within the 30-minute window.
Generates only one notable event (instead of spamming multiple alerts).
Why the Other Options Are Incorrect:
A. Schedule priority → Determines search execution order, not throttling.
B. Window interval → Defines how often the search runs (e.g., every 5 minutes), not event grouping.
D. Schedule windows → Refers to time ranges for scheduling, not throttling logic.
Key Concept:
Throttling = Reducing Noise
Use Window duration to avoid alert fatigue.
Configure in: Settings → Correlation Searches → Edit Search → Alert Settings.