getcertified4sure.com

SPLK-3001 Exam

What the SPLK-3001 Preparation Exam Is

Master the SPLK-3001 Splunk Enterprise Security Certified Admin Exam content and be ready for exam day success quickly with this Pass4sure SPLK-3001 practice exam. We guarantee it! We make it a reality and give you real SPLK-3001 questions in our Splunk SPLK-3001 braindumps. Latest 100% VALID Splunk SPLK-3001 Exam Questions Dumps at the page below. You can use our Splunk SPLK-3001 braindumps and pass your exam.

Online SPLK-3001 free questions and answers of New Version:

NEW QUESTION 1
What is the default schedule for accelerating ES Datamodels?

  • A. 1 minute
  • B. 5 minutes
  • C. 15 minutes
  • D. 1 hour

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 2
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

  • A. ess_user
  • B. ess_admin
  • C. ess_analyst
  • D. ess_reviewer

Answer: C

Explanation:
Assigning or taking ownership of a notable event in Incident Review requires the ess_analyst role (ess_admin inherits it, but is the administrative role, not the one you hand to a triage analyst). ess_user can only view notable events, and ess_reviewer is not a built-in ES role.
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents

NEW QUESTION 3
Which data model populates the panels on the Risk Analysis dashboard?

  • A. Risk
  • B. Audit
  • C. Domain analysis
  • D. Threat intelligence

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis#Dashboard_panels

NEW QUESTION 4
How is it possible to navigate to the ES graphical Navigation Bar editor?

  • A. Configure -> Navigation Menu
  • B. Configure -> General -> Navigation
  • C. Settings -> User Interface -> Navigation -> Click on “Enterprise Security”
  • D. Settings -> User Interface -> Navigation Menus -> Click on “default” next to SplunkEnterpriseSecuritySuite

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Customizemenubar#Restore_the_default_navigation

NEW QUESTION 5
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

  • A. A prefix of CIM_
  • B. A suffix of .spl
  • C. A prefix of TECH_
  • D. A prefix of Splunk_TA_

Answer: D

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/planintegrationes/

NEW QUESTION 6
How should an administrator add a new lookup through the ES app?

  • A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
  • B. Upload the lookup file in Settings -> Lookups -> Lookup table files
  • C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
  • D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups

NEW QUESTION 7
Which of the following actions would not reduce the number of false positives from a correlation search?

  • A. Reducing the severity.
  • B. Removing throttling fields.
  • C. Increasing the throttling window.
  • D. Increasing threshold sensitivity.

Answer: A

NEW QUESTION 8
If a username does not match the ‘identity’ column in the identities list, which column is checked next?

  • A. Email.
  • B. Nickname
  • C. IP address.
  • D. Combination of Last Name, First Name.

Answer: A

Explanation:
The identities lookup has no IP address column (IP addresses are attributes of assets, not identities), so C cannot be correct. A user value is matched against the identity column first and then against the email column.

NEW QUESTION 9
Which of the following ES features would a security analyst use while investigating a network anomaly notable?

  • A. Correlation editor.
  • B. Key indicator search.
  • C. Threat download dashboard.
  • D. Protocol intelligence dashboard.

Answer: D

Explanation:
Reference: https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security/features.html

NEW QUESTION 10
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute
indexes.conf?

  • A. Indexes might crash.
  • B. Indexes might be processing.
  • C. Indexes might not be reachable.
  • D. Indexes have different settings.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf

NEW QUESTION 11
Where are attachments to investigations stored?

  • A. KV Store
  • B. notable index
  • C. attachments.csv lookup
  • D. <splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 12
When investigating, what is the best way to store a newly-found IOC?

  • A. Paste it into Notepad.
  • B. Click the “Add IOC” button.
  • C. Click the “Add Artifact” button.
  • D. Add it in a text note to the investigation.

Answer: C

Explanation:
The Investigation Workbench stores indicators as artifacts (assets, identities, files and URLs) attached to the investigation, so the indicator is added with the "Add Artifact" button; there is no "Add IOC" button, and a note or Notepad is not searchable or correlated.

NEW QUESTION 13
An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

  • A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
  • B. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
  • C. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
  • D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Answer: D

NEW QUESTION 14
Which correlation search feature is used to throttle the creation of notable events?

  • A. Schedule priority.
  • B. Window interval.
  • C. Window duration.
  • D. Schedule windows.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches
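As an added illustration (this is not code from this page or from Splunk ES), the following Python simulates the throttling that questions 7 and 14 refer to: a correlation search result only becomes a notable event if no notable with the same values for the throttle fields was created within the window duration. The sample results and the field names `src`, `dest` and `user` are constructed for the example; the suppression rule (window starts at the last notable that actually fired, suppressed results do not extend it) is the behaviour described in the ES correlation search documentation.

```python
from datetime import datetime, timedelta

# Constructed sample correlation-search results (not real ES output).
SAMPLE_RESULTS = [
    {"_time": "2024-01-01T10:00:00", "src": "10.0.0.5", "dest": "10.0.0.9", "user": "alice"},
    {"_time": "2024-01-01T10:02:00", "src": "10.0.0.5", "dest": "10.0.0.9", "user": "alice"},
    {"_time": "2024-01-01T10:03:00", "src": "10.0.0.5", "dest": "10.0.0.12", "user": "alice"},
    {"_time": "2024-01-01T10:40:00", "src": "10.0.0.5", "dest": "10.0.0.9", "user": "alice"},
    {"_time": "2024-01-01T10:41:00", "src": "10.0.0.7", "dest": "10.0.0.9", "user": "bob"},
]


def throttle(results, window_duration, throttle_fields):
    """Return the results that would become notable events.

    window_duration: a timedelta. A later result whose throttle-field values
        equal those of a notable created less than window_duration ago is
        suppressed. A zero window disables throttling.
    throttle_fields: field names that make up the throttle key. An empty
        sequence means every result shares one key, i.e. the broadest
        possible suppression (this is what "removing throttling fields" does).
    """
    last_fired = {}   # throttle key -> time of the last notable that fired
    notables = []
    for r in sorted(results, key=lambda r: r["_time"]):
        t = datetime.fromisoformat(r["_time"])
        key = tuple(r.get(f) for f in throttle_fields)
        prev = last_fired.get(key)
        if prev is not None and t - prev < window_duration:
            continue  # inside the window of an earlier notable: suppressed
        last_fired[key] = t  # only a fired notable (re)starts the window
        notables.append(r)
    return notables


def count_notables(window_minutes, throttle_fields):
    """Number of notables the sample results produce for a given throttle config."""
    return len(throttle(SAMPLE_RESULTS, timedelta(minutes=window_minutes), throttle_fields))


if __name__ == "__main__":
    for minutes, fields in [(0, ("src", "dest")), (30, ("src", "dest")),
                            (60, ("src", "dest")), (30, ("src",)), (60, ())]:
        print(f"window={minutes:>2}m fields={fields}: {count_notables(minutes, fields)} notables")
```

Running it shows why question 7's answer is "reducing the severity": the window length and the throttle fields change how many notables are created (five with no throttling, down to one with a 60-minute window and no fields), whereas severity only changes the urgency of the notables that are still created.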

NEW QUESTION 15
What kind of value is in the red box in this picture?
[Exhibit image not reproduced on this page.]

  • A. A risk score.
  • B. A source ranking.
  • C. An event priority.
  • D. An IP address rating.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/FormateventsforHTTPEventCollector

NEW QUESTION 16
How is notable event urgency calculated?

  • A. Asset priority and threat weight.
  • B. Alert severity found by the correlation search.
  • C. Asset or identity risk and severity found by the correlation search.
  • D. Severity set by the correlation search and priority assigned to the associated asset or identity.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 17
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

  • A. OS: 32 bit, RAM: 16 GB, CPU: 12 cores
  • B. OS: 64 bit, RAM: 32 GB, CPU: 12 cores
  • C. OS: 64 bit, RAM: 12 GB, CPU: 16 cores
  • D. OS: 64 bit, RAM: 32 GB, CPU: 16 cores

Answer: D

Explanation:
The ES reference minimum for a search head is a 64-bit OS, 16 CPU cores and 32 GB of RAM (the memory figures are gigabytes, not megabytes).
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware

NEW QUESTION 18
Which setting indicates that the correlation search will be executed as new events are indexed?

  • A. Always-On
  • B. Real-Time
  • C. Scheduled
  • D. Continuous

Answer: B

Explanation:
A real-time correlation search runs continuously against events as they are indexed; a scheduled search runs on its cron schedule over a fixed time range. ("Continuous" in the correlation search editor is a schedule priority for scheduled searches, not a run mode.)
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches

NEW QUESTION 19
Where is it possible to export content, such as correlation searches, from ES?

  • A. Content exporter
  • B. Configure -> Content Management
  • C. Export content dashboard
  • D. Settings Menu -> ES -> Export

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export

NEW QUESTION 20
ES needs to be installed on a search head with which of the following options?

  • A. No other apps.
  • B. Any other apps installed.
  • C. All apps removed except for TA-*.
  • D. Only default built-in and CIM-compliant apps.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallEnterpriseSecurity

NEW QUESTION 21
The Add-On Builder creates Splunk Apps that start with what?

  • A. DA-
  • B. SA-
  • C. TA-
  • D. App-

Answer: C

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/

NEW QUESTION 22
......

Thanks for reading the newest SPLK-3001 exam dumps! We recommend you to try the PREMIUM Dumps-files.com SPLK-3001 dumps in VCE and PDF here: https://www.dumps-files.com/files/SPLK-3001/ (60 Q&As Dumps)