When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?
A. Configure the add-ons according to their README or documentation.
B. Disable the add-ons until they are ready to be used, then enable the add-ons.
C. Nothing, there are no additional steps for add-ons.
D. Configure the add-ons via the Content Management dashboard.
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
A. $fieldname$
B. "fieldname"
C. %fieldname%
D. _fieldname_
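An added illustration (not part of the original question set) of how field values are embedded in a notable event: the savedsearches.conf stanza below defines a custom correlation search and uses `$fieldname$` tokens in the notable title, description and drill-down, which ES substitutes with the matching field value from each result row when the notable event is created. The stanza name, the search logic, the threshold and the field names user, src and count are assumptions for this example.

```ini
# Added example stanza for savedsearches.conf in the SplunkEnterpriseSecuritySuite
# (or a custom) app; the stanza name, search, threshold and field names are assumed.
[Example - Excessive Failed Logins - Rule]
search = | tstats summariesonly=true count from datamodel=Authentication \
    where Authentication.action="failure" \
    by Authentication.user, Authentication.src \
    | rename Authentication.* as * \
    | where count > 20
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
action.notable = 1
# $fieldname$ tokens are replaced per result row when the notable is generated
action.notable.param.rule_title = Excessive failed logins for $user$ from $src$
action.notable.param.rule_description = $count$ failed logins for $user$ from $src$ in the last 10 minutes
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.drilldown_name = View failed logins for $user$ from $src$
action.notable.param.drilldown_search = `authentication` user="$user$" src="$src$" action="failure"
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$
```

A field referenced as a token has to be present in the search results; if `src` is not returned by the search, the literal `$src$` is left in the title. Keeping the drill-down search constrained by the same fields that appear in the title makes the analyst's pivot reproduce exactly the events that fired the rule.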
When investigating, what is the best way to store a newly found IOC?
A. Paste it into Notepad.
B. Click the "Add IOC" button.
C. Click the "Add Artifact" button.
D. Add it in a text note to the investigation.
Who can delete an investigation?
A. ess_admin users only.
B. The investigation owner only.
C. The investigation owner and ess-admin.
D. The investigation owner and collaborators.
What is the default schedule for accelerating ES Datamodels?
A. 1 minute
B. 5 minutes
C. 15 minutes
D. 1 hour
What is an example of an ES asset?
A. MAC address
B. User name
C. Server
D. People
Which of the following actions may be necessary before installing ES?
A. Redirect distributed search connections.
B. Purge KV Store.
C. Add additional indexers.
D. Add additional forwarders.
Following the installation of ES, an admin gave users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?
A. From the Status Configuration window, select the Resolved status. Remove ess_user from the status transitions for the Closed status.
B. From the Status Configuration window, select the Closed status. Remove ess_user from the status transitions for the Resolved status.
C. In Enterprise Security, give the ess_user role the Own Notable Events permission.
D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?
A. When adding apps to the deployment server.
B. Splunk_TA_ForIndexers.spl is installed first.
C. After installing ES on the search head(s) and running the distributed configuration management tool.
D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.
To which of the following should the ES application be uploaded?
A. The indexer.
B. The KV Store.
C. The search head.
D. The dedicated forwarder.