SPLK-3001 Practice Test Questions

98 Questions


Which of the following are examples of sources for events in the endpoint security domain dashboards?


A.

REST API invocations.


B.

Investigation final results status.


C.

Workstations, notebooks, and point-of-sale systems.


D.

Lifecycle auditing of incidents, from assignment to resolution.





C.
  

Workstations, notebooks, and point-of-sale systems.



Explanation:
The Endpoint Protection domain dashboards report on endpoint hosts such as workstations, notebooks, and point-of-sale systems. Lifecycle auditing of incidents from assignment to resolution is incident review auditing, not an endpoint event source.



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?


A.

Splunk_DS_ForIndexers.spl


B.

Splunk_ES_ForIndexers.spl


C.

Splunk_SA_ForIndexers.spl


D.

Splunk_TA_ForIndexers.spl





D.
  

Splunk_TA_ForIndexers.spl



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAddons

What is the bar across the bottom of any ES window?


A.

The Investigator Workbench.


B.

The Investigation Bar.


C.

The Analyst Bar.


D.

The Compliance Bar.





B.
  

The Investigation Bar.



Reference: https://docs.splunk.com/Documentation/ES/6.4.1/User/Startaninvestigation

Which of the following is an adaptive action that is configured by default for ES?


A.

Create notable event


B.

Create new correlation search


C.

Create investigation


D.

Create new asset





A.
  

Create notable event



Explanation:
ES ships with the Notable adaptive response action enabled, so a correlation search can create a notable event out of the box. Creating a new correlation search is an administrator task under Configure -> Content Management, not an adaptive response action.



Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?


A.

Lookup searches.


B.

Summarized data.


C.

Security metrics.


D.

Metrics store searches.





C.
  

Security metrics.



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/CreateGlassTable

What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?


A.

Configure -> Incident Management -> Notable Event Statuses


B.

Configure -> Content Management -> Type: Correlation Search


C.

Configure -> Incident Management -> Incident Review Settings -> Event Management


D.

Configure -> Incident Management -> Incident Review Settings -> Table Attributes





D.
  

Configure -> Incident Management -> Incident Review Settings -> Table Attributes



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Customizenotables

Where is it possible to export content, such as correlation searches, from ES?


A.

Content exporter


B.

Configure -> Content Management


C.

Export content dashboard


D.

Settings Menu -> ES -> Export





B.
  

Configure -> Content Management



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export

An administrator is asked to configure an "Nslookup" adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?


A.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup


B.

Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup


C.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup


D.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup





D.
  

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup



Which of the following are data models used by ES? (Choose all that apply)


A.

Web


B.

Anomalies


C.

Authentication


D.

Network Traffic





A.
  

Web



C.
  

Authentication



D.
  

Network Traffic



Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/datamodelsusedbyes/

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?


A.

$SPLUNK_HOME/etc/master-apps/


B.

$SPLUNK_HOME/etc/system/local/


C.

$SPLUNK_HOME/etc/shcluster/apps


D.

$SPLUNK_HOME/var/run/searchpeers





C.
  

$SPLUNK_HOME/etc/shcluster/apps



Explanation:
The upgraded contents of the staging instance are migrated back to the deployer and then deployed to the search head cluster members:
1. On the staging instance, copy $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/shcluster/apps on the deployer.
2. On the deployer, remove any deprecated apps or add-ons in $SPLUNK_HOME/etc/shcluster/apps that were removed during the upgrade on staging. Confirm by reviewing the ES upgrade report generated on staging, or by examining the apps moved into $SPLUNK_HOME/etc/disabled-apps on staging.
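The two steps above as a POSIX shell script. This is an added example, not code from the exam page or from Splunk: it assumes the staging and deployer $SPLUNK_HOME trees are both reachable on the local filesystem (for instance after an rsync of the staging tree), takes those two roots as arguments, and adds a check the explanation only implies: listing apps that are still on the deployer but no longer exist on staging, so nothing deprecated slips through just because it was not moved to disabled-apps.

```shell
#!/bin/sh
# Added example: migrate upgraded ES apps from a staging instance to the
# search head cluster deployer. Arguments are the two $SPLUNK_HOME roots
# (hypothetical paths; both must be reachable from this host).

# Step 1: copy staging etc/apps into the deployer's etc/shcluster/apps.
# The trailing /. copies the directory contents and merges into any
# apps already staged on the deployer.
migrate_es_apps() {
    staging_home="$1"
    deployer_home="$2"
    mkdir -p "$deployer_home/etc/shcluster/apps"
    cp -R "$staging_home/etc/apps/." "$deployer_home/etc/shcluster/apps/"
}

# Step 2: remove from the deployer every app that the ES upgrade moved
# into etc/disabled-apps on staging. Prints each removed app name.
prune_deprecated_apps() {
    staging_home="$1"
    deployer_home="$2"
    [ -d "$staging_home/etc/disabled-apps" ] || return 0
    for app in "$staging_home/etc/disabled-apps"/*/; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        if [ -d "$deployer_home/etc/shcluster/apps/$name" ]; then
            rm -rf "$deployer_home/etc/shcluster/apps/$name"
            echo "$name"
        fi
    done
}

# Check: apps still staged on the deployer that no longer exist on staging.
# Anything printed here was not covered by disabled-apps and should be
# compared against the ES upgrade report before the bundle is pushed.
stale_apps() {
    staging_home="$1"
    deployer_home="$2"
    for app in "$deployer_home/etc/shcluster/apps"/*/; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        [ -d "$staging_home/etc/apps/$name" ] || echo "$name"
    done
}

# Stand-alone use: sh migrate_es.sh /path/to/staging /path/to/deployer
if [ "$#" -eq 2 ]; then
    migrate_es_apps "$1" "$2"
    echo "Removed deprecated apps:"
    prune_deprecated_apps "$1" "$2"
    echo "Still on deployer but absent from staging (review before pushing):"
    stale_apps "$1" "$2"
    echo "Then push the bundle from the deployer, e.g.:"
    echo "  splunk apply shcluster-bundle -target https://<member>:8089 -auth <user>:<password>"
fi
```

The final push is left as a printed reminder rather than executed, because it contacts a cluster member and must be run by someone who has verified the stale-app list first.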

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?


A.

Administrative Identities


B.

Local User Intel


C.

Identities


D.

Privileged Accounts





C.
  

Identities



How is notable event urgency calculated?


A.

Asset priority and threat weight.


B.

Alert severity found by the correlation search.


C.

Asset or identity risk and severity found by the correlation search.


D.

Severity set by the correlation search and priority assigned to the associated asset or identity.





D.
  

Severity set by the correlation search and priority assigned to the associated asset or identity.



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

