SPLK-3001 Exam Dumps - Splunk Enterprise Security Certified Admin Questions and Answers

According to the Splunk Enterprise Security documentation, the first step when preparing to install ES is to determine the size and scope of installation. This involves estimating the amount of data that you plan to ingest, the number of users that will access ES, the number of search heads and indexers that you need, and the hardware requirements for each component. This step helps you plan your deployment architecture and ensure optimal performance and scalability of ES. Therefore, the correct answer is D. Determine the size and scope of installation. References = Deployment planning.

After installing the add-ons necessary for normalizing data, you should configure the add-ons according to their README or documentation. The add-ons that are included in the Splunk Enterprise Security package are preconfigured and do not require additional steps. However, the add-ons that are downloaded separately from Splunkbase may require additional configuration steps, such as enabling inputs, setting up credentials, or modifying props and transforms. You should review the README or documentation for each add-on to determine the specific configuration requirements and follow the instructions accordingly. References =

• Deploy add-ons to Splunk Enterprise Security
• About installing Splunk add-ons

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event. The urgency can be one of the following values: low, medium, high, or critical12. For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking3. References = 1: Incident Review - Splunk Documentation - Urgency. 2: Configure notable event urgency - Splunk Documentation. 3: Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.

A field alias is a knowledge object that maps a non-standard field name to a CIM field name. A field alias allows you to use the same search string to retrieve data from different data sources, even if the data sources use different field names for the same type of data. For example, if you have data sources that use different field names for the source IP address, such as src_ip, source_ip, or sip, you can create a field alias that maps these field names to the CIM field name src. This way, you can use src as a common field name in your searches and reports, and Splunk will automatically replace it with the appropriate field name for each data source. Field aliases are applied at search time, so they do not affect the original data or the index time field extractions. References =

• Normalizing values to a common field name with the Common Information Model (CIM)
• Field aliases

Onboarding data to Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, the Protocol Intelligence dashboards are the dashboards that support the ability to view and analyze network Stream data. The Protocol Intelligence dashboards provide a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. They also show the top sources, destinations, ports, and applications for each protocol. The dashboards allow you to filter the data by time range, protocol, source, destination, port, and application. The dashboards also provide drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. The Protocol Intelligence dashboards require the Splunk App for Stream and the Splunk Add-on for Stream to capture and parse network traffic data. Therefore, the correct answer is C. Protocol Intelligence dashboards. References = Protocol Intelligence dashboards.

Anomali ThreatStream App for Splunk | Splunkbase

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

• [Install Splunk Enterprise Security]
• [Splunk Enterprise architecture]

 According to the Splunk Enterprise Security documentation, the recommended way to install ES is on a server with a new install of Splunk. This is because ES requires a dedicated search head that is not shared with other apps or users. Installing ES on a server with a new install of Splunk ensures that there are no conflicts or performance issues with other apps or configurations. If you want to install ES on an existing search head, you need to follow some additional steps, such as redirecting distributed search connections, purging KV Store, and backing up existing data. See Install Splunk Enterprise Security for more details. Therefore, the correct answer is C. On a server with a new install of Splunk. References = Install Splunk Enterprise Security.

 The point in the ES installation process when Splunk_TA_ForIndexes.spl should be deployed to the indexers is after installing ES on the search head(s) and running the distributed configuration management tool. Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on. The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.

Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

• Add security metrics to a glass table in Splunk Enterprise Security
• Create and manage glass tables in Splunk Enterprise Security