SPLK-3001 Exam Questions
100 real SPLK-3001 exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
How should an administrator add a new lookup through the ES app?
- Question #2
Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?
- Question #3
Which of the following is a key feature of a glass table?
- Question #4
An administrator is asked to configure an 'Nslookup' adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is worki...
- Question #5
What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?
- Question #6
To observe what network services are in use in a network's activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?
- Question #7
Adaptive response action history is stored in which index?
- Question #8
Which of the following actions would not reduce the number of false positives from a correlation search?
- Question #9
Where is the Add-on Builder available from?
- Question #10
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?
- Question #11
ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?
- Question #12
How is notable event urgency calculated?
- Question #13
What kind of value is in the red box in this picture?
- Question #14
Where is it possible to export content, such as correlation searches, from ES?
- Question #15
Which of the following threat intelligence types can ES download? (Choose all that apply.)
- Question #16
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to caref...
- Question #17
Enterprise Security's dashboards primarily pull data from what type of knowledge object?
- Question #18
To which of the following should the ES application be uploaded?
- Question #19
If a username does not match the 'identity' column in the identities list, which column is checked next?
- Question #20
Which of the following features can the Add-on Builder configure in a new add-on?
- Question #21
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?
- Question #22
ES needs to be installed on a search head with which of the following options?
- Question #23
Which setting indicates that the correlation search will be executed as new events are indexed?
- Question #24
Where are attachments to investigations stored?
- Question #25
Which data model populates the panels on the Risk Analysis dashboard?
- Question #26
How is it possible to navigate to the ES graphical Navigation Bar editor?
- Question #27
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?
- Question #28
What tools does the Risk Analysis dashboard provide?
- Question #29
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?
- Question #30
Who can delete an investigation?
- Question #31
After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?
- Question #32
The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated, how can the corr...
- Question #33
Which of the following actions can improve overall search performance?
- Question #34
Which of the following ES features would a security analyst use while investigating a network anomaly notable?
- Question #35
Which component normalizes events?
- Question #36
An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?
- Question #37
What is the first step when preparing to install ES?
- Question #38
What is the default schedule for accelerating ES Datamodels?
- Question #39
Accelerated data requires approximately how many times the daily data volume of additional storage space per year?
- Question #40
When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?
- Question #41
What can be exported from ES using the Content Management page?
- Question #42
Where should an ES search head be installed?
- Question #43
Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to...
- Question #44
Which of the following actions may be necessary before installing ES?
- Question #45
A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the sched...
- Question #46
What is the bar across the bottom of any ES window?
- Question #47
Which two fields combine to create the Urgency of a notable event?
- Question #48
What do threat gen searches produce?
- Question #49
Which of the following is part of tuning correlation searches for a new ES installation?
- Question #50
Which columns in the Assets lookup are used to identify an asset in an event?