Splunk Enterprise Security Certified Admin SPLK-3001 Exam Dumps

Attachments to investigations are stored in a KV Store collection named investigation_attachment. KV Store is a feature that stores and manages data as key-value pairs. Splunk Enterprise Security uses KV Store to store investigation information in several collections, such as investigation, investigation_event, investigation_lead, and investigation_attachment. You can view or modify the KV Store collections using the KV Store API endpoint. For details about using the KV Store API endpoint, see KV Store endpoint descriptions in the Splunk Enterprise REST API Reference Manual1. The other options, B, C, and D, are not correct. Attachments to investigations are not stored in the notable index, the attachments.csv lookup, or the /etc/apps/SA-Investigations/default/ui/views/attachments directory. References =

• Manage investigations in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

• Manage assets and identities in Splunk Enterprise Security
• People

 This is because ES is a resource-intensive application that requires a dedicated search head with sufficient CPU and memory. Installing ES on the existing search head may cause performance issues and conflicts with other applications. Deleting the non-CIM-compliant apps from the search head is not recommended, as they are mission-critical for the site. Increasing the number of CPUs and amount of memory on the search head may not be enough to handle the load of ES and other applications. Therefore, option B is the most suitable answer. You can find more information about installing ES on this web page1.

 If a username does not match the ‘identity’ column in the identities list, Splunk Enterprise Security checks the ‘email’ column next. The ‘email’ column contains the email address associated with the identity. If the email address matches the username, Splunk Enterprise Security assigns the identity to the user. If the email address does not match, Splunk Enterprise Security checks the ‘nickname’ column next, followed by the ‘ip’ column, and finally the ‘last_name’ and ‘first_name’ columns. The order of the columns is determined by the identity_match setting in the identity_manager.conf file. References =

• Identity correlation
• identity_manager.conf