Notes: Hi all, Splunk Enterprise Security Certified Admin SPLK-3001 Practice Exam Part 2 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take Splunk Enterprise Security Certified Admin SPLK-3001 Actual Exam Version because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
16. Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
A. Indexers might crash.
B. Indexers might be processing.
C. Indexers might not be reachable.
D. Indexers have different settings.
17. Which of the following are data models used by ES? (Choose all that apply.)
D. Network Traffic
18. At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?
A. When adding apps to the deployment server.
B. Splunk_TA_ForIndexers.spl is installed first.
C. After installing ES on the search head(s) and running the distributed configuration management tool.
D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.
19. Which correlation search feature is used to throttle the creation of notable events?
A. Schedule priority.
B. Window interval.
C. Window duration.
D. Schedule window.
20. Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?
A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
D. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.
21. What does the Security Posture dashboard display?
A. Active investigations and their status.
B. A high-level overview of notable events.
C. Current threats being tracked by the SOC.
D. A display of the status of security tools.
22. “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against what in ES?
A. A user.
B. A device.
C. An asset.
D. An identity.
23. How should an administrator add a new lookup through the ES app?
A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
B. Upload the lookup file in Settings -> Lookups -> Lookup table files
C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
24. Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?
A. Lookup searches.
B. Summarized data.
C. Security metrics.
D. Metrics store searches.
25. Which of the following is a key feature of a glass table?
C. Interactive investigations.
D. Strong data for later retrieval.
26. An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?
A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
B. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
C. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
27. What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?
A. Configure -> Incident Management -> Notable Event Statuses
B. Configure -> Content Management -> Type: Correlation Search
C. Configure -> Incident Management -> Incident Review Settings -> Event Management
D. Configure -> Incident Management -> Incident Review Settings -> Table Attributes
28. To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?
A. Intrusion Center
B. Protocol Analysis
C. User Intelligence
D. Threat Intelligence
29. Adaptive response action history is stored in which index?
30. Which of the following actions would not reduce the number of false positives from a correlation search?
A. Reducing the severity.
B. Removing throttling fields.
C. Increasing the throttling window.
D. Increasing threshold sensitivity.