合格できるSplunk Splunk Enterprise Security Certified Admin Exam試験最速合格保証最近更新されたJPNTest問題集!
合格できるSPLK-3001試験の101問題で最適なJPNTest出題問題
質問 # 43
The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?
- A. Edit the search and modify the notable event status field to make the notable events less urgent.
- B. Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.
- C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
- D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.
正解:B
質問 # 44
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?
- A. ess_reviewer
- B. ess_admin
- C. ess_user
- D. ess_analyst
正解:D
質問 # 45
Which of these Is a benefit of data normalization?
- A. Dashboards take longer to build.
- B. Reports run faster because normalized data models can be optimized for better performance.
- C. Forwarder-based inputs are more efficient.
- D. Searches can be built no matter the specific source technology for a normalized data type.
正解:D
解説:
Explanation
According to the Splunk Enterprise Security documentation, one of the benefits of data normalization is that searches can be built no matter the specific source technology for a normalized data type. Data normalization is a way to ingest and store data in the Splunk platform using a common format for consistency and efficiency.
When data is normalized, it follows the same field names and event tags for equivalent events from different sources or vendors. This allows you to perform cross-source analysis and correlation of security events without worrying about the differences in data formats. For example, if you have data from Windows, Linux, and Mac OS systems, you can normalize them using the Endpoint data model and use the same fields, such as ,
, and , to search for endpoint events across all systems. Therefore, the correct answer is C. Searches can be built no matter the specific source technology for a normalized data type. References = Data sources and normalization Splunk Common Information Model Add-on Onboarding data to Splunk Enterprise Security
質問 # 46
Which of the following are examples of sources for events in the endpoint security domain dashboards?
- A. Investigation final results status.
- B. REST API invocations.
- C. Workstations, notebooks, and point-of-sale systems.
- D. Lifecycle auditing of incidents, from assignment to resolution.
正解:C
解説:
Explanation
The endpoint security domain dashboards in Splunk Enterprise Security display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. The sources for events in the endpoint security domain dashboards are the devices that are considered endpoints in your network, such as workstations, notebooks, and point-of-sale systems1. References = 1: Introduction to the dashboards available in Splunk Enterprise Security - Endpoint domain dashboards.
質問 # 47
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
- A. Indexes might be processing.
- B. Indexes have different settings.
- C. Indexes might crash.
- D. Indexes might not be reachable.
正解:C
解説:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf
質問 # 48
When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?
- A. indexes.conf, props.conf, transforms.conf
- B. inputs.conf, props.conf, transforms.conf
- C. web.conf, props.conf, transforms.conf
- D. eventtypes.conf, indexes.conf, tags.conf
正解:A
解説:
Explanation
According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:
indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See indexes.conf for more details.
props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See props.conf for more details.
transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations.
See transforms.conf for more details.
Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References = indexes.conf props.conf transforms.conf Assigning Role Based Permissions in Splunk Enterprise Security
質問 # 49
Which of the following is a Web Intelligence dashboard?
- A. Endpoint Center
- B. Network Center
- C. HTTP Category Analysis
- D. stream :http Protocol dashboard
正解:C
質問 # 50
Which of the following ES features would a security analyst use while investigating a network anomaly notable?
- A. Key indicator search.
- B. Correlation editor.
- C. Protocol intelligence dashboard.
- D. Threat download dashboard.
正解:C
質問 # 51
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?
- A. ess_reviewer
- B. ess_admin
- C. ess_analyst
- D. ess_user
正解:B
解説:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents
質問 # 52
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
- A. Indexes might be processing.
- B. Indexes have different settings.
- C. Indexes might crash.
- D. Indexes might not be reachable.
正解:C
質問 # 53
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?
- A. Add a new search head and install ES on it.
- B. Install ES on the existing search head.
- C. Delete the non-CIM-compliant apps from the search head, then install ES.
- D. Increase the number of CPUs and amount of memory on the search head, then install ES.
正解:A
解説:
Explanation/Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf
質問 # 54
Which of the following is an adaptive action that is configured by default for ES?
- A. Create new correlation search
- B. Create new asset
- C. Create investigation
- D. Create notable event
正解:D
解説:
Explanation
According to the Splunk Enterprise Security documentation, the Create Notable Event adaptive response action is one of the included adaptive response actions that is configured by default for ES. This action allows you to create a notable event from the results of a correlation search or from the details of another notable event. You can customize the title, description, urgency, owner, and other fields of the notable event. The Create Notable Event action is useful for creating alerts or tasks based on specific conditions or criteria.
Therefore, the correct answer is A. Create notable event. References = Create Notable Event.
質問 # 55
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
- A. $fieldname$
- B. "fieldname"
- C. %fieldname%
- D. _fieldname_
正解:A
解説:
Explanation
When creating custom correlation searches, you can use the fieldname format to embed field values in the title, description, and drill-down fields of a notable event. This allows you to customize the notable event with dynamic information from the search results. For example, you can use src to include the source IP address of the event, or user to include the user name of the event1. References = 1: Create a correlation search - Splunk Documentation - Define the notable event.
質問 # 56
A newly built custom dashboard needs to be available to a team of security analysts In ES. How is It possible to Integrate the new dashboard?
- A. Add the dashboard to a custom add-in app and install it to ES using the Content Manager.
- B. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.
- C. Create a new role Inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.
- D. Add links on the ES home page to the new dashboard.
正解:B
質問 # 57
Following the Installation of ES, an admin configured Leers with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to closed?
- A. From the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.
- B. In Enterprise Security, give the ess_user role the own Notable Events permission.
- C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.
- D. From Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.
正解:A
質問 # 58
Which of the following are data models used by ES? (Choose all that apply)
- A. Anomalies
- B. Network Traffic
- C. Web
- D. Authentication
正解:B、C、D
質問 # 59
Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?
- A. VIP
- B. Criticality
- C. Priority
- D. Importance
正解:C
解説:
Explanation
The priority column in the asset or identity list is combined with the event severity to make a notable event's urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event. The urgency can be one of the following values: low, medium, high, or critical12. For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking3. References = 1: Incident Review - Splunk Documentation - Urgency. 2:
Configure notable event urgency - Splunk Documentation. 3: Solved: Splunk Enterprise Security: Is there a way to forc... - Splunk Community.
質問 # 60
What is the first step when preparing to install ES?
- A. Determine the data sources used.
- B. Determine the hardware required.
- C. Determine the size and scope of installation.
- D. Install ES.
正解:C
質問 # 61
Adaptive response action history is stored in which index?
- A. modular_action_history
- B. cim_modactions
- C. modular_history
- D. cim_adaptiveactions
正解:B
質問 # 62
Which settings indicated that the correlation search will be executed as new events are indexed?
- A. Always-On
- B. Continuous
- C. Scheduled
- D. Real-Time
正解:C
解説:
Explanation/Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches
質問 # 63
What does the risk framework add to an object (user, server or other type) to indicate increased risk?
- A. A numeric score.
- B. A risk profile.
- C. An urgency.
- D. An aggregation.
正解:A
解説:
Explanation
The risk framework in Splunk Enterprise Security adds a numeric score to an object (user, server or other type) to indicate increased risk. The numeric score is calculated by summing up the risk scores of all the risk modifiers that are associated with the object. A risk modifier is an event that modifies the risk of an object, such as a malware infection, a failed login, or a suspicious activity. The risk score of a risk modifier is determined by the correlation search that triggers the risk analysis response action, which can be customized or created by the user12. The numeric score of an object reflects its overall risk level and can be used to prioritize investigation and response actions3. References = 1: Risk Analysis framework in Splunk ES - Splunk Documentation - Terminology for the Risk Analysis framework. 2: Risk Analysis framework in Splunk ES - Splunk Documentation - Write a correlation search. 3: About risk-based alerting in Splunk Enterprise Security
- Splunk Documentation.
質問 # 64
......
合格突破受験者シミュレーションされたSPLK-3001試験問題集:https://www.jpntest.com/shiken/SPLK-3001-mondaishu