Where is detailed information about identities stored?
A. The Identity Investigator index.
B. The Access Anomalies collection.
C. The User Activity index.
D. The Identity Lookup CSV file.
Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?
A. Administrative Identities
B. Local User Intel
C. Identities
D. Privileged Accounts
Which setting indicates that the correlation search will be executed as new events are indexed?
A. Always-On
B. Real-Time
C. Scheduled
D. Continuous
Where should an ES search head be installed?
A. On a Splunk server with top level visibility.
B. On any Splunk server.
C. On a server with a new install of Splunk.
D. On a Splunk server running Splunk DB Connect.
Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?
A. Security domains.
B. Threat intel.
C. Assets.
D. Domains.
What should be used to map a non-standard field name to a CIM field name?
A. Field alias.
B. Search time extraction.
C. Tag.
D. Eventtype.
After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?
A. Applying Tags.
B. Normalization to Customer Standard.
C. Normalization to the Splunk Common Information Model.
D. Extracting Fields.
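As an added illustration for the two CIM-normalization questions above (this configuration is not part of the original question set), the fragments below show how a vendor authentication log with non-standard field names is mapped onto the CIM Authentication data model so that the model can be accelerated and consumed by ES. The sourcetype `acme:auth`, the raw field names `usr`, `srcip` and `result`, and the app value `acme_auth` are constructed for this example and do not refer to any real product.

```ini
# props.conf  (constructed example; sourcetype and raw field names are assumed)
[acme:auth]
# Search-time extraction of the vendor's key=value pairs from the raw event text
EXTRACT-acme_kv = usr=(?<usr>\S+)\s+srcip=(?<srcip>\S+)\s+result=(?<result>\w+)
# Field aliases: expose the vendor field names under the CIM field names
FIELDALIAS-acme_user = usr AS user
FIELDALIAS-acme_src  = srcip AS src
# Calculated field: map the vendor's result values onto the CIM 'action' values
EVAL-action = case(result=="OK", "success", result=="FAIL", "failure", true(), "unknown")
# CIM Authentication expects 'app' to be populated; set a constant for this source
EVAL-app = "acme_auth"

# eventtypes.conf  (groups the normalized events so they can be tagged)
[acme_authentication]
search = sourcetype=acme:auth action=*

# tags.conf  (the 'authentication' tag is what pulls the events into the data model)
[eventtype=acme_authentication]
authentication = enabled
```

After deploying these files, confirm the mapping with `| datamodel Authentication Authentication search` (the constructed `acme:auth` events should appear with `user`, `src`, `action` and `app` filled in) and check the Data Model Audit dashboard in ES to see that acceleration has picked them up. Field aliases rename, calculated fields reshape values, and eventtypes plus tags select the events; all four are needed for the data model to treat the source as CIM-compliant.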
What do threat gen searches produce?
A. Threat Intel in KV Store collections.
B. Threat correlation searches.
C. Threat notables in the notable index.
D. Events in the threat_activity index.
Analysts have requested the ability to capture and analyze network traffic data. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES.
Which dashboards will now be supported so analysts can view and analyze network Stream data?
A. Endpoint dashboards.
B. User Intelligence dashboards.
C. Protocol Intelligence dashboards.
D. Web Intelligence dashboards.
Which of the following is part of tuning correlation searches for a new ES installation?
A. Configuring correlation notable event index.
B. Configuring correlation permissions.
C. Configuring correlation adaptive responses.
D. Configuring correlation result storage.