SPLK-3001 Sample Questions Answers

 According to the Splunk Enterprise Security documentation, only users with the ess_admin role or the Manage All Investigations capability can delete an investigation. The investigation owner and collaborators can edit the investigation, but not delete it. Therefore, the correct answer is A. ess_admin users only. References = Manage investigations in Splunk Enterprise Security

A key feature of a glass table is customization. A glass table is a dashboard that allows you to create dynamic and interactive visualizations of your security data. You can customize a glass table by adding static images and text, the results of ad-hoc searches, and security metrics that show the values of KPIs, service health scores, or notable events. You can also configure the appearance, behavior, and drilldown options of the glass table elements. A glass table is not rigid, but flexible and adaptable to your security needs. A glass table is not designed for interactive investigations, but for high-level monitoring and analysis. A glass table does not store data for later retrieval, but shows real-time data generated by KPIs and services. References =

• Create and manage glass tables in Splunk Enterprise Security
• Add security metrics to a glass table in Splunk Enterprise Security

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

• Modify the correlation schedule and sensitivity for your site
• Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

• On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
• Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.
• Click Edit and go to the Notable tab.
• Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.
• Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.
• Click Save to save the changes to the correlation search.
• The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =
• Set up Adaptive Response actions in Splunk Enterprise Security
• Included adaptive response actions with Splunk Enterprise Security

Data integrity control is a feature of Splunk Enterprise that helps you verify the integrity of data that it indexes. When you enable data integrity control for an index, Splunk Enterprise computes hashes on every slice of data using the SHA-256 algorithm. It then stores those hashes so that you can verify the integrity of your data later. This feature prevents data tampering and ensures that the data is trustworthy and reliable. Therefore, the correct answer is B. Data integrity control. References = Manage data integrity - Splunk Documentation.

After data is ingested, the data management step that is essential to ensure raw data can be accelerated by a data model and used by ES is normalization to the Splunk Common Information Model (CIM). The CIM is a standard and consistent way of naming and structuring the fields and tags for different types of data, such as network, web, email, authentication, and malware. The CIM allows you to use the same search queries and dashboards across different data sources, even if they have different formats or schemas. Normalizing data to the CIM involves mapping the raw data fields and tags to the CIM fields and tags using technology add-ons. Technology add-ons are Splunk apps that provide the necessary configurations and extractions for specific data sources. By normalizing data to the CIM, you can enable data model acceleration for the data models that use the CIM fields and tags. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. Data model acceleration is required for most of the dashboards and correlation searches in Splunk Enterprise Security. References =

• Data models in the Splunk Common Information Model
• Data model acceleration

 According to the Splunk Enterprise Security documentation, the way to make the Threat Activity dashboard the default landing page in ES is to use the Edit Navigation page and click the ‘Set this as the default view’ checkmark for Threat Activity. The Edit Navigation page allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. You can also set the default view for each app context, which determines the landing page when you open the app. To set the Threat Activity dashboard as the default view, you need to do the following steps:

• On the Enterprise Security menu bar, select Configure > General > Navigation.
• In the Edit Navigation page, select the Enterprise Security app context from the drop-down menu.
• In the Navigation XML section, find the line that contains the view name ‘threat_activity’.
• Add the attribute default=“true” to the line and remove the same attribute from any other line in the same app context.
• Click Save Changes to apply the changes to the Edit Navigation page.

This will make the Threat Activity dashboard the default landing page when you open the Enterprise Security app. See Customize the navigation bar for more details.

The other options are not the correct ways to make the Threat Activity dashboard the default landing page in ES. Dragging and dropping the Threat Activity view to the top of the page will not change the default view, but only the order of the menu items. Selecting Enterprise Security as the default application will not change the default view within the app, but only the app that opens when you log in to Splunk. Editing the Threat Activity view settings will not change the default view, but only the title, description, permissions, and schedule of the dashboard. Therefore, the correct answer is C. From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity. References = Customize the navigation bar.

 The correct way to add a new lookup through the ES app is to upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup. This allows the user to create or select an existing lookup file and definition, specify the lookup type, label, and description, and enable editing of the lookup file. This also stores the lookup file at the application level, which makes it easier to edit and share. The other options are either incorrect or not recommended for ES. Uploading the lookup file in Settings > Lookups > Lookup table files does not create a lookup definition or a label and description for the lookup. Uploading the lookup file in Settings > Lookups > Lookup Definitions does not upload the lookup file itself, but only creates a definition for an existing file. Adding the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups requires manual editing of the file system and is not recommended for ES. References =

• Create and manage lookups in Splunk Enterprise Security

The Content Management page in Splunk Enterprise Security allows you to export any content type that is listed on the page as an app. The content types include correlation searches, glass tables, dashboards, reports, saved searches, key indicators, workbench panels, and managed lookups. You can use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can also import content from other ES instances or from Splunkbase using the Content Management page. References =

• Export content from Splunk Enterprise Security as an app
• Import content to Splunk Enterprise Security as an app

The endpoint security domain dashboards in Splunk Enterprise Security display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. The sources for events in the endpoint security domain dashboards are the devices that are considered endpoints in your network, such as workstations, notebooks, and point-of-sale systems1. References = 1: Introduction to the dashboards available in Splunk Enterprise Security - Endpoint domain dashboards.

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

• Add asset and identity data to Splunk Enterprise Security
• Asset and identity fields in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, the Protocol Intelligence dashboards are the dashboards that support the ability to view and analyze network Stream data. The Protocol Intelligence dashboards provide a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. They also show the top sources, destinations, ports, and applications for each protocol. The dashboards allow you to filter the data by time range, protocol, source, destination, port, and application. The dashboards also provide drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. The Protocol Intelligence dashboards require the Splunk App for Stream and the Splunk Add-on for Stream to capture and parse network traffic data. Therefore, the correct answer is C. Protocol Intelligence dashboards. References = Protocol Intelligence dashboards.

Anomali ThreatStream App for Splunk | Splunkbase

Splunk Enterprise Security requires a dedicated search head with no other apps installed. This is because ES is a resource-intensive application that may cause performance issues and conflicts with other apps. Installing ES on a search head with other apps may also result in data loss or corruption. Therefore, it is recommended to install ES on a clean search head with only the default built-in apps and the Common Information Model (CIM) app. The CIM app is a prerequisite for ES and provides a common language for describing data across domains and technologies. The other options, B, C, and D, are not correct. Installing ES on a search head with any other apps, including TA-* or CIM-compliant apps, is not supported and may cause problems. References =

• Install Splunk Enterprise Security
• Splunk Enterprise Security Installation and Upgrade Manual

The value in the red box is an IP address rating. This is a numerical value that represents the risk associated with an IP address. The higher the value, the higher the risk. This value is calculated based on the number of security events associated with the IP address, the severity of those events, and the time since the last event. References:

• Administering Splunk Enterprise Security
• Splunk Enterprise security Admin
• IP Intelligence

To navigate to the ES graphical Navigation Bar editor, you need to click the Configure menu in the ES app bar, then select General, and then select Navigation. The Navigation page allows you to customize the navigation bar of the ES app by adding, removing, or reordering the menu items. You can also edit the labels, icons, and links of the menu items. You can use the graphical editor to drag and drop the menu items, or you can edit the navigation XML directly. For more information, see Customize the navigation bar in Splunk Enterprise Security1. The other options, A, C, and D, are not correct. There is no Navigation Menu option under the Configure menu. The Settings menu does not allow you to edit the navigation bar of the ES app. The Settings menu only allows you to edit the navigation menus of the Splunk platform, such as the app launcher and the user menu. References =

• Customize the navigation bar in Splunk Enterprise Security

Design navigation graphs | Android Developers1

Design navigation graphs | Android Developers

Splunk Enterprise Security supports downloading threat intelligence from STIX/TAXII servers. STIX is a structured language for describing cyber threat information, and TAXII is a protocol for exchanging STIX data. Splunk Enterprise Security can download STIX/TAXII feeds from any server that supports the TAXII 1.1 specification and the STIX 1.1.1 or 1.2 specification. Splunk Enterprise Security does not support downloading threat intelligence from text, VulnScanSPL, or Splunk Enterprise Threat Generator sources. References = Add threat intelligence to Splunk Enterprise Security, Upload a STIX or OpenIOC structured threat intelligence file

 According to the Splunk Enterprise Security documentation, the recommended way to install ES is on a server with a new install of Splunk. This is because ES requires a dedicated search head that is not shared with other apps or users. Installing ES on a server with a new install of Splunk ensures that there are no conflicts or performance issues with other apps or configurations. If you want to install ES on an existing search head, you need to follow some additional steps, such as redirecting distributed search connections, purging KV Store, and backing up existing data. See Install Splunk Enterprise Security for more details. Therefore, the correct answer is C. On a server with a new install of Splunk. References = Install Splunk Enterprise Security.

The Splunk Add-on Builder helps you create technology add-ons, which are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. Technology add-ons are often referred to as TAs, and they start with the prefix TA-12. References = 1: Splunk Add-on Builder User Guide - About the Splunk Add-on Builder 2: Splunk Developer Portal - Develop Splunk Apps

 According to the Splunk Enterprise Security documentation, the best way to integrate a newly built custom dashboard to a team of security analysts in ES is to set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. This will ensure that the dashboard is visible and accessible to the users with the es_analyst role, which is the default role for security analysts in ES. The navigation editor allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. See Customize Splunk Enterprise Security dashboards to fit your use case and Customize the navigation bar for more details.

The other options are not recommended, because they either do not integrate the dashboard properly or they create unnecessary complexity. Adding links on the ES home page to the new dashboard is not a good option, because it does not integrate the dashboard into the menu bar and it may clutter the home page. Creating a new role inherited from es_analyst, making the dashboard permissions read-only, and making this dashboard the default view for the new role is not a good option, because it creates a redundant role and it may confuse the users who expect to see the Security Posture dashboard as the default view. Adding the dashboard to a custom add-in app and installing it to ES using the Content Manager is not a good option, because it requires creating and maintaining a separate app and it may cause conflicts or performance issues with ES. Therefore, the correct answer is C. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. References =

• Customize the navigation bar
• Roles and capabilities in Splunk Enterprise Security
• Content Management
• Customize Splunk Enterprise Security dashboards to fit your use case

How to Create Custom Dashboards and Alerts to Achi ... - Splunk Community

 If a username does not match the ‘identity’ column in the identities list, Splunk Enterprise Security checks the ‘email’ column next. The ‘email’ column contains the email address associated with the identity. If the email address matches the username, Splunk Enterprise Security assigns the identity to the user. If the email address does not match, Splunk Enterprise Security checks the ‘nickname’ column next, followed by the ‘ip’ column, and finally the ‘last_name’ and ‘first_name’ columns. The order of the columns is determined by the identity_match setting in the identity_manager.conf file. References =

• Identity correlation
• identity_manager.conf

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events. The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation12. References = 1: Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role. 2: Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

• [Install Splunk Enterprise Security]
• [Splunk Enterprise architecture]

Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

• Add security metrics to a glass table in Splunk Enterprise Security
• Create and manage glass tables in Splunk Enterprise Security

User and website watchlists are lists of users or websites that you want to monitor for suspicious or unwanted activity. You can configure user and website watchlists in Splunk Enterprise Security to generate notable events when a user on the watchlist accesses a website on the watchlist. The User Activity dashboard displays the notable events generated by the watchlists, as well as other user activity information such as top users, top websites, and top categories. Configuring user and website watchlists can help identify users accessing inappropriate web sites, as it allows you to specify which users and websites are of interest and alert you when they are accessed. References =

• Configure user and website watchlists in Splunk Enterprise Security
• User Activity dashboard in Splunk Enterprise Security

Correlation searches can perform adaptive response actions when they find a pattern in the data. Adaptive response actions are automated or manual responses that you can use to modify your environment based on notable events. For example, you can block an IP address, add a user to a watchlist, or send an email notification. Configuring correlation adaptive responses is part of tuning correlation searches for a new ES installation, as it allows you to customize the actions that are triggered by the correlation searches. You can enable, disable, or modify the adaptive response actions for each correlation search, or create your own custom actions. References =

• Configure correlation searches in Splunk Enterprise Security
• Adaptive Response Framework overview

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros. For example, you can set the indexes allow list for the Authentication data model to index=main, index=security, index=auth to limit the search to only those three indexes12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.