SPLK-3001 Splunk Enterprise Security Certified Admin Exam Questions and Answers

According to the Splunk Enterprise Security documentation, one of the recommended pre-installation steps is to configure search head forwarding. Search head forwarding is a feature that allows the search head to forward its internal logs and metrics to an indexer or a heavy forwarder for indexing and analysis. This feature helps you monitor the health and performance of the search head and troubleshoot any issues that may arise. You can configure search head forwarding by editing the outputs.conf file on the search head and specifying the destination indexer or forwarder. See Configure search head forwarding for more details.

The other options are not recommended, because they are either unnecessary or harmful for the installation of ES. Disabling the default search app is not a good option, because it may cause some features of ES to not work properly, such as the Content Management page and the navigation editor. Downloading the latest version of KV Store from MongoDB.com is not a good option, because ES uses the built-in KV Store service that comes with Splunk Enterprise and does not require any external installation or configuration. Installing the latest Python distribution on the search head is not a good option, because it may cause compatibility issues with ES, which uses the Python version that comes with Splunk Enterprise. Therefore, the correct answer is B. Configure search head forwarding. References = Configure search head forwarding.

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

• Manage and customize investigation statuses in Splunk Enterprise Security

After data is ingested, the data management step that is essential to ensure raw data can be accelerated by a data model and used by ES is normalization to the Splunk Common Information Model (CIM). The CIM is a standard and consistent way of naming and structuring the fields and tags for different types of data, such as network, web, email, authentication, and malware. The CIM allows you to use the same search queries and dashboards across different data sources, even if they have different formats or schemas. Normalizing data to the CIM involves mapping the raw data fields and tags to the CIM fields and tags using technology add-ons. Technology add-ons are Splunk apps that provide the necessary configurations and extractions for specific data sources. By normalizing data to the CIM, you can enable data model acceleration for the data models that use the CIM fields and tags. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. Data model acceleration is required for most of the dashboards and correlation searches in Splunk Enterprise Security. References =

• Data models in the Splunk Common Information Model
• Data model acceleration

When creating custom correlation searches, you can use the fieldname format to embed field values in the title, description, and drill-down fields of a notable event. This allows you to customize the notable event with dynamic information from the search results. For example, you can use src to include the source IP address of the event, or user to include the user name of the event1. References = 1: Create a correlation search - Splunk Documentation - Define the notable event.

The setting that is used in indexes.conf to specify alternate locations for accelerated storage is tstatsHomePath. Accelerated storage is the location where Splunk Enterprise stores the summary data for accelerated data models and reports. By default, acceleration storage is allocated in the same location as the index containing the raw events being accelerated. However, if you need to specify alternate locations for your accelerated storage, you can use the tstatsHomePath setting in indexes.conf. This setting allows you to define a different path for the summary data, which can improve the performance and efficiency of the data model acceleration. For example, you can set the tstatsHomePath to a faster disk or a different volume than the index homePath12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: indexes.conf - Splunk Documentation - tstatsHomePath.

Recommended Actions show a list of Adaptive Responses to an analyst, which are possible actions that can be taken in response to a notable event. Adaptive Response Actions run automatically when a correlation search triggers a notable event, and can perform actions such as sending an email, adding a comment, or modifying a risk score. Recommended Actions are configured in the correlation search editor, while Adaptive Response Actions are configured in the alert actions manager. References =

• Included adaptive response actions with Splunk Enterprise Security
• Set up Adaptive Response actions in Splunk Enterprise Security
• Configure adaptive response actions for a correlation search in Splunk Enterprise Security

The correct answer is B. Normalize data. The Add-on Builder can configure a new add-on to normalize data by mapping the data fields to the Common Information Model (CIM). The CIM provides a common language for describing data across domains and technologies. Normalizing data enables the data to be used by other Splunk apps, such as Splunk Enterprise Security and Splunk IT Service Intelligence. The Add-on Builder can also configure other features in a new add-on, such as collecting data from various sources, extracting fields from the data, creating alert actions and adaptive response actions, and testing and validating the add-on. However, the Add-on Builder cannot configure an add-on to expire data, summarize data, or translate data. These are not features of the Add-on Builder. References =

• Splunk Add-on Builder
• [Use the Common Information Model in Splunk Web]

 ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to the $SPLUNK_HOME/etc/shcluster/apps location on the cluster deployer instance. This is the directory where the deployer stores the configuration bundle that it distributes to the search head cluster members. The configuration bundle consists of apps and other configuration files that are not replicated by the cluster. The deployer does not use the $SPLUNK_HOME/etc/master-apps/ directory, which is used by the master node in an indexer cluster. The deployer does not use the $SPLUNK_HOME/etc/system/local/ directory, which is used to store local configuration files for the deployer instance itself. The deployer does not use the $SPLUNK_HOME/var/run/searchpeers/ directory, which is used by the search head to store information about the indexer cluster peers. References =

• Use the deployer to distribute apps and configuration updates - Splunk Documentation
• Install Splunk Enterprise Security in a search head cluster environment - Splunk Documentation

Correlation searches are scheduled searches that run in Splunk Enterprise Security to detect security incidents or other notable events. They can consume a lot of resources and affect the overall search performance. To improve the search performance, you can do the following actions:

• Reduce the frequency (schedule) of lower-priority correlation searches. This will reduce the number of searches that run concurrently and free up some resources for other searches. You can edit the schedule of a correlation search in the Content Management page of Splunk Enterprise Security. See Edit a correlation search in Splunk Enterprise Security for more details.
• Add notable event suppressions for correlation searches with high numbers of false positives. This will prevent the correlation search from generating notable events that are not relevant or actionable, and reduce the load on the Notable Event Framework. You can add suppression rules for a correlation search in the Content Management page of Splunk Enterprise Security. See Suppress notable events in Splunk Enterprise Security for more details.

The other two actions are not recommended, because they can have negative effects on the search performance or the security posture. Disabling indexed real-time search can cause some dashboards and panels to not display data correctly, and increasing the priority of all correlation searches can cause resource contention and degrade the performance of other searches. See Optimize Splunk Enterprise for peak performance and How search types affect Splunk Enterprise performance for more information. References =

• Edit a correlation search in Splunk Enterprise Security
• Suppress notable events in Splunk Enterprise Security
• Optimize Splunk Enterprise for peak performance
• How search types affect Splunk Enterprise performance

The argument to the | tstats command that restricts the search to summarized data only is summariesonly=t. Summarized data is the data that is generated by the data model acceleration process, which creates summary indexes (TSIDX files) for the data models. By using summariesonly=t, the tstats command will only search the summary indexes, which can improve the performance and efficiency of the search. However, this also means that the search will not return any events that are not covered by the data model acceleration, such as events outside the acceleration time range or events that do not match the data model constraints12. References = 1: tstats - Splunk Documentation - summariesonly. 2: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.

Fun (or Less Agony) with Splunk Tstats | Deductiv

 You can export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. The Content Management page allows you to view, edit, enable, disable, and export content in Splunk Enterprise Security. You can also import content from other ES instances or from the Splunk Security Essentials app. References =

• Export content from Splunk Enterprise Security as an app
• Content Management

According to the Splunk Enterprise Security documentation, one of the actions that may be necessary before installing ES is to redirect distributed search connections. This action is required if you are installing ES on a search head that is already connected to a distributed search environment, such as a search head cluster or a search head pool. You need to redirect the distributed search connections from the existing search head to a new search head that will run ES. This is because ES requires a dedicated search head that is not shared with other apps or users. You can use the Distributed Configuration Management tool to redirect the distributed search connections and create a Splunk Enterprise Security app for indexers. See Redirect distributed search connections for more details.

The other actions are not necessary before installing ES, but they may be helpful for optimizing the performance and scalability of ES. Purging KV Store can free up some disk space and remove stale data, but it is not required before installing ES. See Purge the KV Store for more information. Adding additional indexers can improve the indexing and searching capacity of ES, but it is not required before installing ES. See Deployment planning for more information. Adding additional forwarders can increase the data ingestion and forwarding capability of ES, but it is not required before installing ES. See Forward data to Splunk Enterprise Security for more information. References =

• Redirect distributed search connections
• Purge the KV Store
• Deployment planning
• Forward data to Splunk Enterprise Security.

Data models are the primary source of data for Enterprise Security dashboards. Data models provide a structured and consistent way of defining and retrieving data from indexes. Data models accelerate searches by using prebuilt summaries of the data. Data models also enable the use of the tstats command, which can perform statistical analysis on the data model summaries. Data models are mapped to the Common Information Model (CIM), which provides a common language for describing data across domains and technologies. References =

• About data models
• Use the Common Information Model in Splunk Web

Attachments to investigations are stored in a KV Store collection named investigation_attachment. KV Store is a feature that stores and manages data as key-value pairs. Splunk Enterprise Security uses KV Store to store investigation information in several collections, such as investigation, investigation_event, investigation_lead, and investigation_attachment. You can view or modify the KV Store collections using the KV Store API endpoint. For details about using the KV Store API endpoint, see KV Store endpoint descriptions in the Splunk Enterprise REST API Reference Manual1. The other options, B, C, and D, are not correct. Attachments to investigations are not stored in the notable index, the attachments.csv lookup, or the /etc/apps/SA-Investigations/default/ui/views/attachments directory. References =

• Manage investigations in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, threat gen searches are searches that generate synthetic events in the threat activity index to simulate security threats. Threat gen searches are useful for testing and validating the correlation searches, notable events, and adaptive response actions in Splunk Enterprise Security. Threat gen searches produce events in the threat activity index, which is a dedicated index for storing the synthetic events. The events in the threat activity index have the sourcetype of threatgen and the tag of threat. You can use the Threat Activity dashboard to view and analyze the events in the threat activity index. See Threat gen searches for more details.

The other options are not correct, because threat gen searches do not produce them. Threat gen searches do not produce threat intel in KV Store collections, which are key-value pairs of data that store and manage threat intelligence in Splunk Enterprise Security. Threat gen searches do not produce threat correlation searches, which are searches that correlate events with threat intelligence and generate notable events in Splunk Enterprise Security. Threat gen searches do not produce threat notables in the notable index, which are alerts or tasks that indicate potential security incidents or threats in Splunk Enterprise Security. Therefore, the correct answer is D. Events in the threat activity index. References = Threat gen searches.

Upping the Auditing Game for Correlation Searches Within ... - Splunk

According to the Splunk Enterprise Security documentation, the default schedule for accelerating ES data models is every 5 minutes. This means that the data model acceleration searches run every 5 minutes to summarize the newly indexed data and store the results in the tsidx files. The 5-minute schedule is recommended for most use cases, as it provides a balance between search performance and resource consumption. However, you can change the schedule of a data model acceleration search in the Content Management page of Splunk Enterprise Security, if needed. See Configure data models for Splunk Enterprise Security for more details. References = Configure data models for Splunk Enterprise Security.

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

• On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.
• In the Status Configuration window, select the Resolved status from the list of values.
• In the Status Transitions section, find the row for the closed status and click the Edit icon.
• In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.
• Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References = Customize status values and transitions for notable events.

 According to the Splunk Enterprise Security documentation, the bar across the bottom of any ES window is called the Investigation Bar. The Investigation Bar is a tool that helps you create and manage investigations in ES. An investigation is a collection of related notable events, comments, and artifacts that document a security incident or a threat hunting activity. You can use the Investigation Bar to do the following tasks:

• Create a new investigation or open an existing one.
• Add notable events, comments, and artifacts to an investigation.
• Assign an owner and a status to an investigation.
• Share an investigation with other users or roles.
• Export an investigation as a PDF report.

The Investigation Bar also provides a link to the Investigation Workbench, which is a dashboard that shows a timeline and a summary of an investigation. Therefore, the correct answer is B. The Investigation Bar. References = Use the Investigation Bar.

 The main purpose of the Dashboard Requirements Matrix document is to identify on which data model(s) each dashboard in Splunk Enterprise Security depends. The Dashboard Requirements Matrix document is a web page that lists all the dashboards in Splunk Enterprise Security and the data model datasets that populate them. The data model datasets are linked to the Common Information Model (CIM) documentation, which describes the tags, field names, and field values that the events must use to be CIM-compliant. The Dashboard Requirements Matrix document helps you to determine which data models you need to enable and accelerate for your Splunk Enterprise Security deployment, and which data sources you need to map to the data models using the technology add-ons. References =

• Dashboard requirements matrix for Splunk Enterprise Security
• Data models in the Splunk Common Information Model

 The urgency of a notable event is a value that indicates how important or urgent the event is for investigation and response. The urgency of a notable event is determined by two fields: the priority and the severity. The priority is a value that is assigned to an asset or an identity based on how critical or valuable it is for the organization. The priority can be unknown, low, medium, high, or critical. The severity is a value that is assigned to a notable event based on how serious or harmful the event is for the security posture. The severity can be unknown, informational, low, medium, high, or critical. The urgency of a notable event is calculated by combining the priority and the severity values using a lookup table called urgency_lookup. The urgency can be informational, low, medium, high, or critical. You can use the urgency field to prioritize the investigation of notable events in Splunk Enterprise Security. References =

• How urgency is assigned to notable events in Splunk Enterprise Security
• Priority and severity in Splunk Enterprise Security

The Auto Deployment feature of Distributed Configuration Management is a tool that allows you to automatically distribute configuration files, such as indexes.conf, to your Splunk platform instances. However, using this feature to distribute indexes.conf can pose a risk of having indexes with different settings across your instances. This can happen if you have manually edited the indexes.conf file on some of your instances, or if you have different versions of Splunk Enterprise Security installed on different instances. If the indexes have different settings, such as retention policies, storage paths, or bucket sizes, this can cause data inconsistency, search inefficiency, or data loss. Therefore, it is recommended to use the Manual Deployment feature of Distributed Configuration Management to review and validate the indexes.conf file before deploying it to your instances12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Distributed Configuration Management - Splunk Documentation - Manual Deployment.

 A prefix of Splunk_TA_ would allow an add-on to be automatically imported into Splunk Enterprise Security. Splunk Enterprise Security uses a naming convention to identify and import add-ons that are compatible with the Common Information Model (CIM). Add-ons that start with Splunk_TA_ are automatically imported into Splunk Enterprise Security and mapped to the appropriate data models. Add-ons that do not follow this naming convention must be manually imported and configured in Splunk Enterprise Security1. A prefix of CIM_ or TECH_ does not indicate an add-on that can be automatically imported. A suffix of .spl is the file extension for Splunk apps and add-ons, but it does not guarantee that they are compatible with Splunk Enterprise Security. References =

• Import add-ons into Splunk Enterprise Security

 One way to test for a properly normalized data model is to run a | datamodel search against the data model or a dataset within the data model and compare the results to the CIM documentation for the datamodel. The CIM documentation provides the expected fields, tags, and constraints for each data model and dataset, as well as examples of normalized events. By running a | datamodel search, you can examine the JSON output of the data model or dataset and verify that it matches the CIM specifications. You can also use the search mode option of the | datamodel command to return either results or a search string that you can further inspect or modify. For more information, see datamodel - Splunk Documentation1 and Overview of the Splunk Common Information Model2. References = 1: datamodel - Splunk Documentation 2: Overview of the Splunk Common Information Model

The correlation search feature that is used to throttle the creation of notable events is the window duration. The window duration is the time period during which a correlation search will not create a new notable event for the same issue. For example, if the window duration is set to 1 day, and a correlation search triggers a notable event for a certain condition, such as a brute force attack from a source IP address, the correlation search will not create another notable event for the same condition within the next 24 hours. This prevents the correlation search from generating too many alerts for the same issue, which can reduce the alert fatigue and noise. The window duration can be configured in the correlation search settings, under the Throttling section12. References = 1: Create a correlation search - Splunk Documentation - Throttling. 2: Throttle alerts - Splunk Documentation.

 The point in the ES installation process when Splunk_TA_ForIndexes.spl should be deployed to the indexers is after installing ES on the search head(s) and running the distributed configuration management tool. Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on. The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.