SPLK-3001 Exam Dumps

98 Questions


Last Updated On : 15-Apr-2025



Turn your preparation into perfection. Our Splunk SPLK-3001 exam dumps are the key to unlocking your exam success. SPLK-3001 practice test helps you understand the structure and question types of the actual exam. This reduces surprises on exam day and boosts your confidence.

Passing is no accident. With our expertly crafted Splunk SPLK-3001 exam questions, you’ll be fully prepared to succeed.

The Brute Force Access Behavior Detected correlation search is enabled and is generating many false positives. Assuming the input data has already been validated, how can the correlation search be made less sensitive?

A. Edit the search and modify the notable event status field to make the notable events less urgent.

B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.

C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Answer: B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

Which column in the Asset or Identity list is combined with event severity to make a notable event's urgency?

A. VIP

B. Priority

C. Importance

D. Criticality

Answer: B. Priority

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

How should an administrator add a new lookup through the ES app?

A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions

B. Upload the lookup file in Settings -> Lookups -> Lookup table files

C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups

D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Answer: D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups

What can be exported from ES using the Content Management page?

A. Only correlation searches, managed lookups, and glass tables.

B. Only correlation searches.

C. Any content type listed in the Content Management page.

D. Only correlation searches, glass tables, and workbench panels.

Answer: C. Any content type listed in the Content Management page.

Reference: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Export#:~:text=as-an-app-,Export-content-from-Splunk-Enterprise-Security-as,from-the-Content-Management-page.&text=You-can-export-any-type,%2C-data-models%2C%20and-views.

Which of the following actions would not reduce the number of false positives from a correlation search?

A. Reducing the severity.

B. Removing throttling fields.

C. Increasing the throttling window.

D. Increasing threshold sensitivity.

Answer: A. Reducing the severity.



Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

A. From the Status Configuration window, select the Resolved status. Remove ess_user from the status transitions for the Closed status.

B. From the Status Configuration window, select the Closed status. Remove ess_user from the status transitions for the Resolved status.

C. In Enterprise Security, give the ess_user role the Own Notable Events permission.

D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

Answer: B. From the Status Configuration window, select the Closed status. Remove ess_user from the status transitions for the Resolved status.



