Selected SPLK-3001 Splunk Enterprise Security Certified Admin Questions Answers

According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:

• indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See indexes.conf for more details.
• props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See props.conf for more details.
• transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations. See transforms.conf for more details.

Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References =

• indexes.conf
• props.conf
• transforms.conf

Assigning Role Based Permissions in Splunk Enterprise Security

Splunk Enterprise Security knows the local customer domain names so it can detect internal vs. external emails by using the Corporate Web and Email Domain Lookups. These are lookup files that contain the list of domains that are considered internal or corporate for the organization. The Corporate Web and Email Domain Lookups are edited during the initial configuration of Splunk Enterprise Security, and they are used to enrich events with the tag=internal_web or tag=internal_email fields. These fields indicate whether the web or email activity is internal or external, and they are used by dashboards and correlation searches in Splunk Enterprise Security to monitor and analyze the web and email traffic. References =

• Corporate Web and Email Domain Lookups
• Configure web and email domains in Splunk Enterprise Security

Detecting Typosquatting, Phishing, and Corporate Espionage ... - Splunk

If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, the threshold value can be increased, so that only more frequent failed logins will trigger a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window will trigger a notable event. If the threshold value is changed to 10, then only 10 or more failed logins within a 1-minute window will trigger a notable event. References =

• Splunk Enterprise Security Admin Manual
• Detecting brute force access behavior

 Adaptive response action history is stored in the cim_modactions index. This index contains the events generated by the adaptive response actions that are triggered by correlation searches or run manually from Incident Review. You can use this index to search, audit, and report on the adaptive response actions that have been executed in your environment. You can also view the adaptive response action history on the Adaptive Response dashboard in Enterprise Security1. References =

• Adaptive Response dashboard - Splunk Documentation