Splunk SPLK-3001 Exam Practice Test Instant Access

Question 1

A newly built custom dashboard needs to be available to a team of security analysts In ES. How is It possible to Integrate the new dashboard?

AAdd links on the ES home page to the new dashboard.

BCreate a new role Inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.

CSet the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.

DAdd the dashboard to a custom add-in app and install it to ES using the Content Manager.

Answer : C

Question 2

How is notable event urgency calculated?

AAsset priority and threat weight.

BAlert severity found by the correlation search.

CAsset or identity risk and severity found by the correlation search.

DSeverity set by the correlation search and priority assigned to the associated asset or identity.

Answer : D

Question 3

Who can delete an investigation?

Aess_admin users only.

BThe investigation owner only.

CThe investigation owner and ess-admin.

DThe investigation owner and collaborators.

Answer : A

Question 4

Which of the following is a way to test for a property normalized data model?

AUse Audit -> Normalization Audit and check the Errors panel.

BRun a | datamodel search, compare results to the CIM documentation for the datamodel.

CRun a | loadjob search, look at tag values and compare them to known tags based on the encoding.

DRun a | datamodel search and compare the results to the list of data models in the ES normalization guide.

Answer : B

Question 5

What kind of value is in the red box in this picture?

AA risk score.

BA source ranking.

CAn event priority.

DAn IP address rating.

Answer : A

Question 6

When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

AUse new app names each time content is exported.

BDo not use the .spl extension when naming an export.

CAlways include existing and new content for each export.

DEither use new app names or always include both existing and new content.

Answer : D

Either use new app names each time (which could be difficult to manage) or make sure you always include all content (old and new) each time you export.

Question 7

Both ''Recommended Actions'' and ''Adaptive Response Actions'' use adaptive response. How do they differ?

ARecommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.

BRecommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.

CRecommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.

DRecommended Actions show a list of Adaptive Resposes to an analyst, Adaptive Response Actions run manually with analyst intervention.

Answer : D

Splunk Enterprise Security Certified Admin SPLK-3001 Exam Practice Test