Free Practice Questions for Splunk SPLK-3001 Exam

 According to the Splunk Enterprise Security documentation, the bar across the bottom of any ES window is called the Investigation Bar. The Investigation Bar is a tool that helps you create and manage investigations in ES. An investigation is a collection of related notable events, comments, and artifacts that document a security incident or a threat hunting activity. You can use the Investigation Bar to do the following tasks:

Create a new investigation or open an existing one.

Add notable events, comments, and artifacts to an investigation.

Assign an owner and a status to an investigation.

Share an investigation with other users or roles.

Export an investigation as a PDF report.

The Investigation Bar also provides a link to the Investigation Workbench, which is a dashboard that shows a timeline and a summary of an investigation. Therefore, the correct answer is B. The Investigation Bar. References = Use the Investigation Bar.

After installing the add-ons necessary for normalizing data, you should configure the add-ons according to their README or documentation. The add-ons that are included in the Splunk Enterprise Security package are preconfigured and do not require additional steps. However, the add-ons that are downloaded separately from Splunkbase may require additional configuration steps, such as enabling inputs, setting up credentials, or modifying props and transforms. You should review the README or documentation for each add-on to determine the specific configuration requirements and follow the instructions accordingly. References =

Deploy add-ons to Splunk Enterprise Security

About installing Splunk add-ons

To observe what network services are in use in a network’s activity overall, the Protocol Analysis dashboard in Enterprise Security will contain the most relevant data. The Protocol Analysis dashboard shows the network traffic data by protocol, such as TCP, UDP, ICMP, and others. You can use this dashboard to identify the most active protocols, the most active hosts, the most active ports, and the most active connections in your network. You can also filter the dashboard by protocol, host, port, or connection to narrow down your analysis. The Protocol Analysis dashboard uses the data from the Network Resolution (stream) data model, which requires the Splunk Stream app to collect network packet data1. References =

Protocol Analysis dashboard - Splunk Documentation

 The Risk Analysis dashboard provides tools to analyze the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The dashboard shows the risk score by object, the most active sources of risk, the risk score by category, the risk score over time, and the risk modifiers by object. The dashboard also allows you to create ad hoc risk entries, view the risk details of an object, and export the risk data as a CSV file. The other options, A, B, and D, are not correct. The Risk Analysis dashboard does not provide tools to show high risk threats, notable event domains, or key indicators of correlation searches. These are features of other dashboards in Splunk Enterprise Security, such as the Threat Activity dashboard, the Domain Analysis dashboard, and the Correlation Search Audit dashboard. References =

Analyze risk in Splunk Enterprise Security

Risk Analysis dashboard

The Content Management page in Splunk Enterprise Security allows you to export any content type that is listed on the page as an app. The content types include correlation searches, glass tables, dashboards, reports, saved searches, key indicators, workbench panels, and managed lookups. You can use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can also import content from other ES instances or from Splunkbase using the Content Management page. References =

Export content from Splunk Enterprise Security as an app

Import content to Splunk Enterprise Security as an app

The Auto Deployment feature of Distributed Configuration Management is a tool that allows you to automatically distribute configuration files, such as indexes.conf, to your Splunk platform instances. However, using this feature to distribute indexes.conf can pose a risk of having indexes with different settings across your instances. This can happen if you have manually edited the indexes.conf file on some of your instances, or if you have different versions of Splunk Enterprise Security installed on different instances. If the indexes have different settings, such as retention policies, storage paths, or bucket sizes, this can cause data inconsistency, search inefficiency, or data loss. Therefore, it is recommended to use the Manual Deployment feature of Distributed Configuration Management to review and validate the indexes.conf file before deploying it to your instances12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Distributed Configuration Management - Splunk Documentation - Manual Deployment.

According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:

indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See indexes.conf for more details.

props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See props.conf for more details.

transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations. See transforms.conf for more details.

Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References =

indexes.conf

props.conf

transforms.conf

Assigning Role Based Permissions in Splunk Enterprise Security

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros. For example, you can set the indexes allow list for the Authentication data model to index=main, index=security, index=auth to limit the search to only those three indexes12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.

According to the Splunk Reference Architecture document1, for ES, Splunk recommends sizing based on 80 to 100 GB ingest per indexer per day. This means an ES deployment with 2 TB daily ingest will require up to 20 indexers. This recommendation is for a non-cloud (on-prem) ES deployment. For a cloud-based ES deployment, the recommended volume of indexing per day, per indexer, is 50 GB2. The other options, 300 GB and 500 MB, are not recommended by Splunk for ES deployments. References =

Splunk Reference Architecture

Performance reference for Splunk Enterprise Security