Exam Details

  • Exam Code: SPLK-3001
  • Exam Name: Splunk Enterprise Security Certified Admin
  • Certification: Splunk Enterprise Security Certified Admin
  • Vendor: Splunk
  • Total Questions: 99 Q&As
  • Last Updated: May 15, 2024

Splunk Enterprise Security Certified Admin (SPLK-3001) Questions & Answers

  • Question 11:

    Following the installation of ES, an admin gave users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

    A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.

    B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.

    C. In Enterprise Security, give the ess_user role the own Notable Events permission.

    D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

  • Question 12:

    At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

    A. When adding apps to the deployment server.

    B. Splunk_TA_ForIndexers.spl is installed first.

    C. After installing ES on the search head(s) and running the distributed configuration management tool.

    D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

  • Question 13:

    A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs indicating that too many concurrent searches are being started. Six correlation searches in total are scheduled, and they have already been tuned to weed out false positives.

    Which of the following options is most likely to help performance?

    A. Change the search heads to do local indexing of summary searches.

    B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.

    C. Increase memory and CPUs on the search head(s) and add additional indexers.

    D. If indexed realtime search is enabled, disable it for the notable index.

  • Question 14:

    Which of the following actions would not reduce the number of false positives from a correlation search?

    A. Reducing the severity.

    B. Removing throttling fields.

    C. Increasing the throttling window.

    D. Increasing threshold sensitivity.

  • Question 15:

    What kind of value is in the red box in this picture?

    A. A risk score.

    B. A source ranking.

    C. An event priority.

    D. An IP address rating.

  • Question 16:

    Which correlation search feature is used to throttle the creation of notable events?

    A. Schedule priority.

    B. Window interval.

    C. Window duration.

    D. Schedule windows.
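    Questions 14 and 16 both turn on how correlation search throttling works: once a notable is created for a given set of throttling-field values, further matches with the same values are suppressed until the window duration has elapsed. The following is an added example, not code from the exam page or from Splunk: a small Python model of that rule, using the real savedsearches.conf keys (alert.suppress, alert.suppress.fields, alert.suppress.period) only to render a stanza. The match records are constructed sample data, and the rule name and field values are illustrative.

```python
"""Model of Splunk ES correlation-search throttling (added example, not Splunk code)."""
from datetime import datetime

# Constructed sample results, as if one correlation search matched on five
# scheduled runs. Illustrative values only, not real Splunk output.
MATCHES = [
    {"_time": "2024-05-15T00:00:00", "src": "10.0.0.5", "dest": "10.0.1.9",  "user": "alice"},
    {"_time": "2024-05-15T00:10:00", "src": "10.0.0.5", "dest": "10.0.1.9",  "user": "alice"},
    {"_time": "2024-05-15T00:20:00", "src": "10.0.0.5", "dest": "10.0.1.10", "user": "alice"},
    {"_time": "2024-05-15T01:30:00", "src": "10.0.0.5", "dest": "10.0.1.9",  "user": "alice"},
    {"_time": "2024-05-15T01:40:00", "src": "10.0.0.7", "dest": "10.0.1.9",  "user": "bob"},
]


def throttle(matches, fields, window_seconds):
    """Return the subset of `matches` that would become notable events.

    A match is suppressed when a notable with the same values for `fields`
    (the throttling fields) was already created less than `window_seconds`
    earlier (the window duration). An empty `fields` list means every match
    shares one throttle key; a zero window disables throttling.
    """
    last_notable = {}  # throttle key -> time of the last notable created for it
    notables = []
    for m in sorted(matches, key=lambda rec: rec["_time"]):
        t = datetime.fromisoformat(m["_time"])
        key = tuple(m.get(f) for f in fields)
        prev = last_notable.get(key)
        if prev is not None and (t - prev).total_seconds() < window_seconds:
            continue  # still inside the window for this key: no new notable
        last_notable[key] = t
        notables.append(m)
    return notables


def render_stanza(name, fields, window_seconds):
    """Render the savedsearches.conf keys that express the same throttling."""
    return "\n".join([
        f"[{name}]",
        "action.notable = 1",
        "alert.suppress = 1",
        f"alert.suppress.fields = {','.join(fields)}",
        f"alert.suppress.period = {window_seconds}s",
    ])


def compare():
    """Notable counts for the same data under different throttling settings."""
    return {
        "src,dest / 1h": len(throttle(MATCHES, ["src", "dest"], 3600)),
        "src / 1h (throttling field removed)": len(throttle(MATCHES, ["src"], 3600)),
        "src,dest / 2h (window increased)": len(throttle(MATCHES, ["src", "dest"], 7200)),
        "no throttling": len(throttle(MATCHES, [], 0)),
    }


if __name__ == "__main__":
    for setting, count in compare().items():
        print(f"{setting:40} -> {count} notables")
    print(render_stanza("Access - Example Throttled Rule", ["src", "dest"], 3600))
```

    Run against the sample data, the two-field, one-hour setting yields four notables; removing dest from the throttling fields or doubling the window each drops that to three, and disabling throttling yields all five. Severity is metadata attached to the notable that is created and never enters the throttle key, which is why changing it leaves the count unchanged.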

  • Question 17:

    Analysts have requested the ability to capture and analyze network traffic data. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES.

    Which dashboards will now be supported so analysts can view and analyze network Stream data?

    A. Endpoint dashboards.

    B. User Intelligence dashboards.

    C. Protocol Intelligence dashboards.

    D. Web Intelligence dashboards.

  • Question 18:

    What can be exported from ES using the Content Management page?

    A. Only correlation searches, managed lookups, and glass tables.

    B. Only correlation searches.

    C. Any content type listed in the Content Management page.

    D. Only correlation searches, glass tables, and workbench panels.

  • Question 19:

    Which indexes are searched by default for CIM data models?

    A. notable and default

    B. summary and notable

    C. _internal and summary

    D. All indexes

  • Question 20:

    What do threat gen searches produce?

    A. Threat Intel in KV Store collections.

    B. Threat correlation searches.

    C. Threat notables in the notable index.

    D. Events in the threat_activity index.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are increasingly required by enterprises when you apply for a job. But how do you prepare for the exam effectively, in a short time and with less effort? How do you get an ideal result, and where do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Splunk exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SPLK-3001 exam preparation or your Splunk certification application, do not hesitate to visit Vcedump.com to find your solutions.