Free Practice Questions for Splunk SPLK-3001 Exam

The correct answer is B. Normalize data. The Add-on Builder can configure a new add-on to normalize data by mapping the data fields to the Common Information Model (CIM). The CIM provides a common language for describing data across domains and technologies. Normalizing data enables the data to be used by other Splunk apps, such as Splunk Enterprise Security and Splunk IT Service Intelligence. The Add-on Builder can also configure other features in a new add-on, such as collecting data from various sources, extracting fields from the data, creating alert actions and adaptive response actions, and testing and validating the add-on. However, the Add-on Builder cannot configure an add-on to expire data, summarize data, or translate data. These are not features of the Add-on Builder. References =

Splunk Add-on Builder

[Use the Common Information Model in Splunk Web]

 The correct way to add a new lookup through the ES app is to upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup. This allows the user to create or select an existing lookup file and definition, specify the lookup type, label, and description, and enable editing of the lookup file. This also stores the lookup file at the application level, which makes it easier to edit and share. The other options are either incorrect or not recommended for ES. Uploading the lookup file in Settings > Lookups > Lookup table files does not create a lookup definition or a label and description for the lookup. Uploading the lookup file in Settings > Lookups > Lookup Definitions does not upload the lookup file itself, but only creates a definition for an existing file. Adding the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups requires manual editing of the file system and is not recommended for ES. References =

Create and manage lookups in Splunk Enterprise Security

 According to the Splunk Enterprise Security documentation, the way to make the Threat Activity dashboard the default landing page in ES is to use the Edit Navigation page and click the ‘Set this as the default view’ checkmark for Threat Activity. The Edit Navigation page allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. You can also set the default view for each app context, which determines the landing page when you open the app. To set the Threat Activity dashboard as the default view, you need to do the following steps:

On the Enterprise Security menu bar, select Configure > General > Navigation.

In the Edit Navigation page, select the Enterprise Security app context from the drop-down menu.

In the Navigation XML section, find the line that contains the view name ‘threat_activity’.

Add the attribute default=“true” to the line and remove the same attribute from any other line in the same app context.

Click Save Changes to apply the changes to the Edit Navigation page.

This will make the Threat Activity dashboard the default landing page when you open the Enterprise Security app. See Customize the navigation bar for more details.

The other options are not the correct ways to make the Threat Activity dashboard the default landing page in ES. Dragging and dropping the Threat Activity view to the top of the page will not change the default view, but only the order of the menu items. Selecting Enterprise Security as the default application will not change the default view within the app, but only the app that opens when you log in to Splunk. Editing the Threat Activity view settings will not change the default view, but only the title, description, permissions, and schedule of the dashboard. Therefore, the correct answer is C. From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity. References = Customize the navigation bar.

 According to the Splunk Enterprise Security documentation, the default ports that must be configured for Splunk Enterprise Security to function are the following:

SplunkWeb (8000): This port provides the socket for Splunk Web, the web interface for Splunk Enterprise Security. It allows you to access the dashboards, reports, alerts, and other features of Splunk Enterprise Security from your browser. You can change this port in the web.conf file or by using the splunk set web-port command.

Splunk Management (8089): This port is used to communicate with the splunkd daemon, the main process that runs Splunk Enterprise Security. Splunk Web talks to splunkd on this port, as does the command line interface, and any distributed connections from other servers. This port also provides the REST API endpoint for Splunk Enterprise Security. You can change this port in the server.conf file or by using the splunk set splunkd-port command.

KV Store (8191): This port is used by the KV Store, a MongoDB-based service that stores key-value pairs of data for Splunk Enterprise Security. The KV Store is used to store and manage data for various features of Splunk Enterprise Security, such as asset and identity correlation, threat intelligence, adaptive response, and investigations. You can change this port in the server.conf file.

Therefore, the correct answer is C. SplunkWeb (8000), Splunk Management (8089), KV Store (8191). References =

Change default values

KV Store overview

 You can export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. The Content Management page allows you to view, edit, enable, disable, and export content in Splunk Enterprise Security. You can also import content from other ES instances or from the Splunk Security Essentials app. References =

Export content from Splunk Enterprise Security as an app

Content Management

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.

Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.

Click Edit and go to the Notable tab.

Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.

Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.

Click Save to save the changes to the correlation search.

The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =

Set up Adaptive Response actions in Splunk Enterprise Security

Included adaptive response actions with Splunk Enterprise Security

The data models that are used by Splunk Enterprise Security are the ones that are defined and provided by the Common Information Model add-on (Splunk_SA_CIM) and the Enterprise Security-specific data models. The Common Information Model add-on contains 12 data models that cover various domains of security data, such as Web, Authentication, Network Traffic, Change, DLP, Email, Endpoint, Intrusion Detection, Malware, Performance, Ticket Management, and Vulnerabilities1. The Enterprise Security-specific data models are Anomalies, Audit, Business Context, Data Loss Prevention, Identity Management, Risk, Threat Intelligence, and Web Proxy2. Therefore, the data models that are used by ES are Web, Authentication, Network Traffic, and Anomalies, among others. References = 1: Overview of the Splunk Common Information Model - Splunk Documentation - Data models included with the Splunk Common Information Model Add-on. 2: Data models in Splunk Enterprise Security - Splunk Documentation - Enterprise Security-specific data models.

User and website watchlists are lists of users or websites that you want to monitor for suspicious or unwanted activity. You can configure user and website watchlists in Splunk Enterprise Security to generate notable events when a user on the watchlist accesses a website on the watchlist. The User Activity dashboard displays the notable events generated by the watchlists, as well as other user activity information such as top users, top websites, and top categories. Configuring user and website watchlists can help identify users accessing inappropriate web sites, as it allows you to specify which users and websites are of interest and alert you when they are accessed. References =

Configure user and website watchlists in Splunk Enterprise Security

User Activity dashboard in Splunk Enterprise Security

Correlation searches are scheduled searches that run in Splunk Enterprise Security to detect security incidents or other notable events. They can consume a lot of resources and affect the overall search performance. To improve the search performance, you can do the following actions:

Reduce the frequency (schedule) of lower-priority correlation searches. This will reduce the number of searches that run concurrently and free up some resources for other searches. You can edit the schedule of a correlation search in the Content Management page of Splunk Enterprise Security. See Edit a correlation search in Splunk Enterprise Security for more details.

Add notable event suppressions for correlation searches with high numbers of false positives. This will prevent the correlation search from generating notable events that are not relevant or actionable, and reduce the load on the Notable Event Framework. You can add suppression rules for a correlation search in the Content Management page of Splunk Enterprise Security. See Suppress notable events in Splunk Enterprise Security for more details.

The other two actions are not recommended, because they can have negative effects on the search performance or the security posture. Disabling indexed real-time search can cause some dashboards and panels to not display data correctly, and increasing the priority of all correlation searches can cause resource contention and degrade the performance of other searches. See Optimize Splunk Enterprise for peak performance and How search types affect Splunk Enterprise performance for more information. References =

Edit a correlation search in Splunk Enterprise Security

Suppress notable events in Splunk Enterprise Security

Optimize Splunk Enterprise for peak performance

How search types affect Splunk Enterprise performance