SPLK-3001 Exam Questions - Online Test



certleader.com


Free online SPLK-3001 questions and answers (new version):

NEW QUESTION 1
Which correlation search feature is used to throttle the creation of notable events?

  • A. Schedule priority.
  • B. Window interval.
  • C. Window duration.
  • D. Schedule windows.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches

NEW QUESTION 2
After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

  • A. Splunk_DS_ForIndexers.spl
  • B. Splunk_ES_ForIndexers.spl
  • C. Splunk_SA_ForIndexers.spl
  • D. Splunk_TA_ForIndexers.spl

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAdd-ons

NEW QUESTION 3
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

  • A. Install ES on the existing search head.
  • B. Add a new search head and install ES on it.
  • C. Increase the number of CPUs and amount of memory on the search head, then install ES.
  • D. Delete the non-CIM-compliant apps from the search head, then install ES.

Answer: B

Explanation:
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

NEW QUESTION 4
"10.22.63.159", "websvr4", and "00:26:08:18:CF:1D" would be matched against what in ES?

  • A. A user.
  • B. A device.
  • C. An asset.
  • D. An identity.

Answer: B

NEW QUESTION 5
To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

  • A. Intrusion Center
  • B. Protocol Analysis
  • C. User Intelligence
  • D. Threat Intelligence

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/NetworkProtectionDomaindashboards

NEW QUESTION 6
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

  • A. A prefix of CIM_
  • B. A suffix of .spl
  • C. A prefix of TECH_
  • D. A prefix of Splunk_TA_

Answer: D

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/planintegrationes/

NEW QUESTION 7
What is the default schedule for accelerating ES Datamodels?

  • A. 1 minute
  • B. 5 minutes
  • C. 15 minutes
  • D. 1 hour

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 8
The Add-On Builder creates Splunk Apps that start with what?

  • A. DA-
  • B. SA-
  • C. TA-
  • D. App-

Answer: C

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/

NEW QUESTION 9
Which component normalizes events?

  • A. SA-CIM.
  • B. SA-Notable.
  • C. ES application.
  • D. Technology add-on.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

NEW QUESTION 10
Enterprise Security’s dashboards primarily pull data from what type of knowledge object?

  • A. Tstats
  • B. KV Store
  • C. Data models
  • D. Dynamic lookups

Answer: C

Explanation:
Reference: https://docs.splunk.com/Splexicon:Knowledgeobject

NEW QUESTION 11
Which argument to the | tstats command restricts the search to summarized data only?

  • A. summaries=t
  • B. summaries=all
  • C. summariesonly=t
  • D. summariesonly=all

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 12
What feature of Enterprise Security downloads threat intelligence data from a web server?

  • A. Threat Service Manager
  • B. Threat Download Manager
  • C. Threat Intelligence Parser
  • D. Threat Intelligence Enforcement

Answer: B

NEW QUESTION 13
In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?

  • A. Save the settings.
  • B. Apply the correct tags.
  • C. Run the correct search.
  • D. Visit the CIM dashboard.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizeOSSECdata

NEW QUESTION 14
Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

  • A. VIP
  • B. Priority
  • C. Importance
  • D. Criticality

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 15
Which indexes are searched by default for CIM data models?

  • A. notable and default
  • B. summary and notable
  • C. _internal and summary
  • D. All indexes

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html

NEW QUESTION 16
What is the first step when preparing to install ES?

  • A. Install ES.
  • B. Determine the data sources used.
  • C. Determine the hardware required.
  • D. Determine the size and scope of installation.

Answer: D

NEW QUESTION 17
Which of the following are examples of sources for events in the endpoint security domain dashboards?

  • A. REST API invocations.
  • B. Investigation final results status.
  • C. Workstations, notebooks, and point-of-sale systems.
  • D. Lifecycle auditing of incidents, from assignment to resolution.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

NEW QUESTION 18
Who can delete an investigation?

  • A. ess_admin users only.
  • B. The investigation owner only.
  • C. The investigation owner and ess-admin.
  • D. The investigation owner and collaborators.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 19
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

  • A. Indexes might crash.
  • B. Indexes might be processing.
  • C. Indexes might not be reachable.
  • D. Indexes have different settings.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf

NEW QUESTION 20
To which of the following should the ES application be uploaded?

  • A. The indexer.
  • B. The KV Store.
  • C. The search head.
  • D. The dedicated forwarder.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallEnterpriseSecuritySHC

NEW QUESTION 21
How is notable event urgency calculated?

  • A. Asset priority and threat weight.
  • B. Alert severity found by the correlation search.
  • C. Asset or identity risk and severity found by the correlation search.
  • D. Severity set by the correlation search and priority assigned to the associated asset or identity.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 22
An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

  • A. Index consistency.
  • B. Data integrity control.
  • C. Indexer acknowledgement.
  • D. Index access permissions.

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/790783/anti-tampering-features-to-protect-splunk-logs-the.html

NEW QUESTION 23
If a username does not match the ‘identity’ column in the identities list, which column is checked next?

  • A. Email.
  • B. Nickname.
  • C. IP address.
  • D. Combination of Last Name, First Name.

Answer: C

NEW QUESTION 24
Adaptive response action history is stored in which index?

  • A. cim_modactions
  • B. modular_history
  • C. cim_adaptiveactions
  • D. modular_action_history

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/Indexes

NEW QUESTION 25
......
