Independence Day Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

A.

ess_user

B.

ess_admin

C.

ess_analyst

D.

ess_reviewer

Full Access
Question # 5

To which of the following should the ES application be uploaded?

A.

The indexer.

B.

The KV Store.

C.

The search head.

D.

The dedicated forwarder.

Full Access
Question # 6

Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

A.

Security domains.

B.

Threat intel.

C.

Assets.

D.

Domains.

Full Access
Question # 7

Which of the following is part of tuning correlation searches for a new ES installation?

A.

Configuring correlation notable event index.

B.

Configuring correlation permissions.

C.

Configuring correlation adaptive responses.

D.

Configuring correlation result storage.

Full Access
Question # 8

How is it possible to specify an alternate location for accelerated storage?

A.

Configure storage optimization settings for the index.

B.

Update the Home Path setting in indexes, conf

C.

Use the tstatsHomePath setting in props, conf

D.

Use the tstatsHomePath Setting in indexes, conf

Full Access
Question # 9

An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

A.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup

B.

Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

C.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup

D.

Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Full Access
Question # 10

Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?

A.

VIP

B.

Priority

C.

Importance

D.

Criticality

Full Access
Question # 11

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.

What is a solution for this issue?

A.

Suppress notable events from that correlation search.

B.

Disable acceleration for the correlation search to reduce storage requirements.

C.

Modify the correlation schedule and sensitivity for your site.

D.

Change the correlation search's default status and severity.

Full Access
Question # 12

A newly built custom dashboard needs to be available to a team of security analysts In ES. How is It possible to Integrate the new dashboard?

A.

Add links on the ES home page to the new dashboard.

B.

Create a new role Inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.

C.

Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.

D.

Add the dashboard to a custom add-in app and install it to ES using the Content Manager.

Full Access
Question # 13

Enterprise Security’s dashboards primarily pull data from what type of knowledge object?

A.

Tstats

B.

KV Store

C.

Data models

D.

Dynamic lookups

Full Access
Question # 14

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

A.

thawedPath

B.

tstatsHomePath

C.

summaryHomePath

D.

warmToColdScript

Full Access
Question # 15

Which columns in the Assets lookup are used to identify an asset in an event?

A.

src, dvc, dest

B.

cidr, port, netbios, saml

C.

ip, mac, dns, nt_host

D.

host, hostname, url, address

Full Access
Question # 16

An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

A.

Index consistency.

B.

Data integrity control.

C.

Indexer acknowledgement.

D.

Index access permissions.

Full Access
Question # 17

Which data model populated the panels on the Risk Analysis dashboard?

A.

Risk

B.

Audit

C.

Domain analysis

D.

Threat intelligence

Full Access
Question # 18

What can be exported from ES using the Content Management page?

A.

Only correlation searches, managed lookups, and glass tables.

B.

Only correlation searches.

C.

Any content type listed in the Content Management page.

D.

Only correlation searches, glass tables, and workbench panels.

Full Access
Question # 19

When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

A.

Configure the add-ons according to their README or documentation.

B.

Disable the add-ons until they are ready to be used, then enable the add-ons.

C.

Nothing, there are no additional steps for add-ons.

D.

Configure the add-ons via the Content Management dashboard.

Full Access
Question # 20

The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

A.

Edit the search and modify the notable event status field to make the notable events less urgent.

B.

Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

C.

Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.

D.

Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Full Access
Question # 21

How is it possible to navigate to the list of currently-enabled ES correlation searches?

A.

Configure -> Correlation Searches -> Select Status “Enabled”

B.

Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”

C.

Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”

D.

Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “- Rule”

Full Access
Question # 22

How should an administrator add a new look up through the ES app?

A.

Upload the lookup file in Settings -> Lookups -> Lookup Definitions

B.

Upload the lookup file in Settings -> Lookups -> Lookup table files

C.

Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups

D.

Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Full Access
Question # 23

Which of the following is a recommended pre-installation step?

A.

Disable the default search app.

B.

Configure search head forwarding.

C.

Download the latest version of KV Store from MongoDBxom.

D.

Install the latest Python distribution on the search head.

Full Access
Question # 24

Which two fields combine to create the Urgency of a notable event?

A.

Priority and Severity.

B.

Priority and Criticality.

C.

Criticality and Severity.

D.

Precedence and Time.

Full Access
Question # 25

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

A.

Splunk_DS_ForIndexers.spl

B.

Splunk_ES_ForIndexers.spl

C.

Splunk_SA_ForIndexers.spl

D.

Splunk_TA_ForIndexers.spl

Full Access
Question # 26

After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

A.

Applying Tags.

B.

Normalization to Customer Standard.

C.

Normalization to the Splunk Common Information Model.

D.

Extracting Fields.

Full Access
Question # 27

What is the default schedule for accelerating ES Datamodels?

A.

1 minute

B.

5 minutes

C.

15 minutes

D.

1 hour

Full Access
Question # 28

Which of these Is a benefit of data normalization?

A.

Reports run faster because normalized data models can be optimized for better performance.

B.

Dashboards take longer to build.

C.

Searches can be built no matter the specific source technology for a normalized data type.

D.

Forwarder-based inputs are more efficient.

Full Access
Question # 29

Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

A.

Lookup searches.

B.

Summarized data.

C.

Security metrics.

D.

Metrics store searches.

Full Access