SPLK-3001 Splunk Enterprise Security Certified Admin Exam Questions and Answers

If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, the threshold value can be increased, so that only more frequent failed logins will trigger a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window will trigger a notable event. If the threshold value is changed to 10, then only 10 or more failed logins within a 1-minute window will trigger a notable event. References =

Splunk Enterprise Security Admin Manual

Detecting brute force access behavior

 According to the Splunk Enterprise Security documentation, the option to create a Short ID for a notable event is located in the Event Details section of the notable event. The Event Details section shows the basic information about the notable event, such as title, description, urgency, owner, status, and others. It also provides a link to Create Short ID, which generates a 6-digit alphanumeric code that can be used to identify and share the notable event. The Short ID is appended to the URL of the Incident Review dashboard and can be used to filter the notable events by the Short ID field. See  Manually create a notable event in Splunk Enterprise Security  for more details. Therefore, the correct answer is B. The Event Details. References =  Manually create a notable event in Splunk Enterprise Security .

 The correct way to add a new lookup through the ES app is to upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup. This allows the user to create or select an existing lookup file and definition, specify the lookup type, label, and description, and enable editing of the lookup file. This also stores the lookup file at the application level, which makes it easier to edit and share. The other options are either incorrect or not recommended for ES. Uploading the lookup file in Settings > Lookups > Lookup table files does not create a lookup definition or a label and description for the lookup. Uploading the lookup file in Settings > Lookups > Lookup Definitions does not upload the lookup file itself, but only creates a definition for an existing file. Adding the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups requires manual editing of the file system and is not recommended for ES. References =

Create and manage lookups in Splunk Enterprise Security

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros.  For example, you can set the indexes allow list for the Authentication data model to  index=main, index=security, index=auth  to limit the search to only those three indexes 1 2 .  References  =  1 : Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.  2 : Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.

The Content Management page in Splunk Enterprise Security allows you to export any content type that is listed on the page as an app. The content types include correlation searches, glass tables, dashboards, reports, saved searches, key indicators, workbench panels, and managed lookups. You can use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can also import content from other ES instances or from Splunkbase using the Content Management page. References =

Export content from Splunk Enterprise Security as an app

Import content to Splunk Enterprise Security as an app

The Add-On Builder is available from SplunkBase, which is the official source of apps and add-ons for the Splunk platform. SplunkBase allows you to browse, download, and install apps and add-ons that are compatible with your Splunk deployment. You can also upload and share your own apps and add-ons with the Splunk community. The Add-On Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk Enterprise deployment. Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment.  The Add-On Builder guides you through the process of creating an add-on, following best practices and naming conventions, maintaining CIM compliance, and testing and validating the add-on 1 . The Add-On Builder is not available from GitHub, www.splunk.com, or the ES installation package. References =

Splunk Add-on Builder | Splunkbase

Splunk Add-on Builder | Splunkbase

According to the Splunk Enterprise Security documentation, the Distributed Configuration Management tool is used to update indexers in ES. This tool allows you to create and distribute a Splunk Enterprise Security app for indexers, which contains the necessary configurations for indexers to work with ES, such as index-time field extractions, tags, and event types. The app name is Splunk_ES_ForIndexers.spl and it is created by running the distributed_config_manager.py script on the search head. You can then deploy the app to the indexers using the deployment server or the cluster master. Therefore, the correct answer is B. Distributed Configuration Management. References =  Distributed Configuration Management .

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

Manage and customize investigation statuses in Splunk Enterprise Security

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.

In the Status Configuration window, select the Resolved status from the list of values.

In the Status Transitions section, find the row for the closed status and click the Edit icon.

In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.

Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References =  Customize status values and transitions for notable events .

In order to include an eventtype in a data model node, you need to apply the correct tags to the eventtype. Tags are labels that you can assign to event types to identify them as belonging to a specific category or domain. Tags are used by data models to map event types to data model nodes. For example, if you have an eventtype named windows_performance that contains events related to Windows performance metrics, you can tag it with performance and os.  Then, you can include the eventtype in a data model node that matches those tags, such as the Performance node in the Operating System data model 1 2 .  To apply tags to an eventtype, you can use the Settings > Event types page in Splunk Web, or the eventtypes.conf and tags.conf configuration files 3 .  References  =  1 : About data models - Splunk Documentation - How data models use tags.  2 : Use tags to map event types to data model nodes - Splunk Documentation.  3 : About event types - Splunk Documentation - Tag event types.

The correct answer is B. Normalize data. The Add-on Builder can configure a new add-on to normalize data by mapping the data fields to the Common Information Model (CIM). The CIM provides a common language for describing data across domains and technologies. Normalizing data enables the data to be used by other Splunk apps, such as Splunk Enterprise Security and Splunk IT Service Intelligence. The Add-on Builder can also con figure other features in a new add-on, such as collecting data from various sources, extracting fields from the data, creating alert actions and adaptive response actions, and testing and validating the add-on. However, the Add-on Builder cannot configure an add-on to expire data, summarize data, or translate data. These are not features of the Add-on Builder. References =

Splunk Add-on Builder

[Use the Common Information Model in Splunk Web]

According to the Splunk Reference Architecture document 1 , for ES, Splunk recommends sizing based on 80 to 100 GB ingest per indexer per day. This means an ES deployment with 2 TB daily ingest will require up to 20 indexers. This recommendation is for a non-cloud (on-prem) ES deployment.  For a cloud-based ES deployment, the recommended volume of indexing per day, per indexer, is 50 GB 2 . The other options, 300 GB and 500 MB, are not recommended by Splunk for ES deployments. References =

Splunk Reference Architecture

Performance reference for Splunk Enterprise Security

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events.  The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation 1 2 .  References  =  1 : Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role.  2 : Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

Correlation searches can perform adaptive response actions when they find a pattern in the data. Adaptive response actions are automated or manual responses that you can use to modify your environment based on notable events. For example, you can block an IP address, add a user to a watchlist, or send an email notification. Configuring correlation adaptive responses is part of tuning correlation searches for a new ES installation, as it allows you to customize the actions that are triggered by the correlation searches. You can enable, disable, or modify the adaptive response actions for each correlation search, or create your own custom actions. References =

Configure correlation searches in Splunk Enterprise Security

Adaptive Response Framework overview

According to the Splunk Enterprise Security documentation, the Protocol Intelligence dashboards are the dashboards that support the ability to view and analyze network Stream data. The Protocol Intelligence dashboards provide a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. They also show the top sources, destinations, ports, and applications for each protocol. The dashboards allow you to filter the data by time range, protocol, source, destination, port, and application. The dashboards also provide drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. The Protocol Intelligence dashboards require the Splunk App for Stream and the Splunk Add-on for Stream to capture and parse network traffic data. Therefore, the correct answer is C. Protocol Intelligence dashboards. References =  Protocol Intelligence dashboards .

Anomali ThreatStream App for Splunk | Splunkbase

According to the Splunk Enterprise Security documentation, the Use Case Library is a feature that contains scenarios that are useful during ES implementation. The Use Case Library provides a collection of Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches, data sources, and explanations that you need to implement the scenario in your own ES environment. The Use Case Library also allows you to explore, activate, bookmark, and configure the searches that are related to each Analytic Story. You can filter the Analytic Stories by industry use cases, frameworks, or data sources. The Use Case Library helps you to quickly and easily deploy the most relevant security content for your organization. Therefore, the correct answer is A. Use Case Library. References =  Manage Analytic Stories through the use case library in Splunk Enterprise Security .

Splunk Enterprise Security: SIEM Use Case Library | Splunk

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event.  The urgency can be one of the following values: low, medium, high, or critical 1 2 .  For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking 3 .  References  =  1 : Incident Review - Splunk Documentation - Urgency.  2 : Configure notable event urgency - Splunk Documentation.  3 : Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.

When creating custom correlation searches, you can use the fieldname format to embed field values in the title, description, and drill-down fields of a notable event. This allows you to customize the notable event with dynamic information from the search results. For example, you can use src to include the source IP address of the event, or user to include the user name of the event 1 . References = 1 : Create a correlation search - Splunk Documentation - Define the notable event.

 According to the Splunk Enterprise Security documentation, one of the benefits of data normalization is that searches can be built no matter the specific source technology for a normalized data type. Data normalization is a way to ingest and store data in the Splunk platform using a common format for consistency and efficiency. When data is normalized, it follows the same field names and event tags for equivalent events from different sources or vendors. This allows you to perform cross-source analysis and correlation of security events without worrying about the differences in data formats. For example, if you have data from Windows, Linux, and Mac OS systems, you can normalize them using the Endpoint data model and use the same fields, such as , , and , to search for endpoint events across all systems. Therefore, the correct answer is C. Searches can be built no matter the specific source technology for a normalized data type. References =

Data sources and normalization

Splunk Common Information Model Add-on

Onboarding data to Splunk Enterprise Security

After data is ingested, the data management step that is essential to ensure raw data can be accelerated by a data model and used by ES is normalization to the Splunk Common Information Model (CIM). The CIM is a standard and consistent way of naming and structuring the fields and tags for different types of data, such as network, web, email, authentication, and malware. The CIM allows you to use the same search queries and dashboards across different data sources, even if they have different formats or schemas. Normalizing data to the CIM involves mapping the raw data fields and tags to the CIM fields and tags using technology add-ons. Technology add-ons are Splunk apps that provide the necessary configurations and extractions for specific data sources. By normalizing data to the CIM, you can enable data model acceleration for the data models that use the CIM fields and tags. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. Data model acceleration is required for most of the dashboards and correlation searches in Splunk Enterprise Security. References =

Data models in the Splunk Common Information Model

Data model acceleration

 According to the Splunk Enterprise Security documentation, the recommended way to install ES is on a server with a new install of Splunk. This is because ES requires a dedicated search head that is not shared with other apps or users. Installing ES on a server with a new install of Splunk ensures that there are no conflicts or performance issues with other apps or configurations. If you want to install ES on an existing search head, you need to follow some additional steps, such as redirecting distributed search connections, purging KV Store, and backing up existing data. See  Install Splunk Enterprise Security  for more details. Therefore, the correct answer is C. On a server with a new install of Splunk. References =  Install Splunk Enterprise Security .

When investigating an incident in Splunk Enterprise Security, the best way to store a newly-found IOC (indicator of compromise) is to click the “Add Artifact” button. This button allows you to add an artifact to the current investigation from any dashboard or search result. An artifact is a piece of machine data that indicates risk, such as an IP address, a domain name, a file hash, or a user name. By adding an artifact to the investigation, you can enrich the context of the incident, track the artifact across multiple data sources, and share the artifact with other analysts.  You can also use the artifact to create a threat intelligence indicator, which can be used to detect and alert on future threats 1 2 .  References  =  1 : Add artifacts to an investigation - Splunk Documentation.  2 : About investigations in Splunk Enterprise Security - Splunk Documentation.

 The Risk Analysis dashboard provides tools to analyze the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The dashboard shows the risk score by object, the most active sources of risk, the risk score by category, the risk score over time, and the risk modifiers by object. The dashboard also allows you to create ad hoc risk entries, view the risk details of an object, and export the risk data as a CSV file. The other options, A, B, and D, are not correct. The Risk Analysis dashboard does not provide tools to show high risk threats, notable event domains, or key indicators of correlation searches. These are features of other dashboards in Splunk Enterprise Security, such as the Threat Activity dashboard, the Domain Analysis dashboard, and the Correlation Search Audit dashboard. References =

Analyze risk in Splunk Enterprise Security

Risk Analysis dashboard

 The main purpose of the Dashboard Requirements Matrix document is to identify on which data model(s) each dashboard in Splunk Enterprise Security depends. The Dashboard Requirements Matrix document is a web page that lists all the dashboards in Splunk Enterprise Security and the data model datasets that populate them. The data model datasets are linked to the Common Information Model (CIM) documentation, which describes the tags, field names, and field values that the events must use to be CIM-compliant. The Dashboard Requirements Matrix document helps you to determine which data models you need to enable and accelerate for your Splunk Enterprise Security deployment, and which data sources you need to map to the data models using the technology add-ons. References =

Dashboard requirements matrix for Splunk Enterprise Security

Data models in the Splunk Common Information Model

The correlation search feature that is used to throttle the creation of notable events is the window duration. The window duration is the time period during which a correlation search will not create a new notable event for the same issue. For example, if the window duration is set to 1 day, and a correlation search triggers a notable event for a certain condition, such as a brute force attack from a source IP address, the correlation search will not create another notable event for the same condition within the next 24 hours. This prevents the correlation search from generating too many alerts for the same issue, which can reduce the alert fatigue and noise.  The window duration can be configured in the correlation search settings, under the Throttling section 1 2 .  References  =  1 : Create a correlation search - Splunk Documentation - Throttling.  2 : Throttle alerts - Splunk Documentation.

The tstatsHomePath setting in indexes.conf allows you to specify an alternate location for accelerated storage. Accelerated storage is where Splunk Enterprise stores the summary data for data models that are accelerated. The summary data is used to speed up searches and reports that use the data models. By default, the accelerated storage is located in the same volume as the index that contains the events referenced by the data model. However, you can use the tstatsHomePath setting to change the location of the accelerated storage to a different volume or path. This can help you optimize the performance and disk space usage of your Splunk Enterprise deployment. References =

Use the tstatsHomePath setting in indexes.conf if you need to specify alternate locations for your accelerated storage

tstatsHomePath setting in indexes.conf.spec