SPLK-3001 Exam Questions - Online Test

NEW QUESTION 1
What feature of Enterprise Security downloads threat intelligence data from a web server?

  • A. Threat Service Manager
  • B. Threat Download Manager
  • C. Threat Intelligence Parser
  • D. Threat Intelligence Enforcement

Answer: B

NEW QUESTION 2
To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

  • A. Intrusion Center
  • B. Protocol Analysis
  • C. User Intelligence
  • D. Threat Intelligence

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/NetworkProtectionDomaindashboards

NEW QUESTION 3
Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

  • A. thawedPath
  • B. tstatsHomePath
  • C. summaryHomePath
  • D. warmToColdScript

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 4
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

  • A. Install ES on the existing search head.
  • B. Add a new search head and install ES on it.
  • C. Increase the number of CPUs and amount of memory on the search head, then install ES.
  • D. Delete the non-CIM-compliant apps from the search head, then install ES.

Answer: B

Explanation:
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

NEW QUESTION 5
Adaptive response action history is stored in which index?

  • A. cim_modactions
  • B. modular_history
  • C. cim_adaptiveactions
  • D. modular_action_history

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/Indexes

NEW QUESTION 6
An administrator is asked to configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

  • A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
  • B. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
  • C. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
  • D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

Answer: D

NEW QUESTION 7
The Brute Force Access Behavior Detected correlation search is enabled and is generating many false positives. Assuming the input data has already been validated, how can the correlation search be made less sensitive?

  • A. Edit the search and modify the notable event status field to make the notable events less urgent.
  • B. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.
  • C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
  • D. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 8
At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?

  • A. When adding apps to the deployment server.
  • B. Splunk_TA_ForIndexers.spl is installed first.
  • C. After installing ES on the search head(s) and running the distributed configuration management tool.
  • D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAdd-ons

NEW QUESTION 9
Who can delete an investigation?

  • A. ess_admin users only.
  • B. The investigation owner only.
  • C. The investigation owner and ess-admin.
  • D. The investigation owner and collaborators.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 10
What tools does the Risk Analysis dashboard provide?

  • A. High risk threats.
  • B. Notable event domains displayed by risk score.
  • C. A display of the highest risk assets and identities.
  • D. Key indicators showing the highest probability correlation searches in the environment.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis

NEW QUESTION 11
Where is it possible to export content, such as correlation searches, from ES?

  • A. Content exporter
  • B. Configure -> Content Management
  • C. Export content dashboard
  • D. Settings Menu -> ES -> Export

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export

NEW QUESTION 12
Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?

  • A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
  • B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
  • C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
  • D. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/latest/Admin/Configureadaptiveresponse

NEW QUESTION 13
Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

  • A. A prefix of CIM_
  • B. A suffix of .spl
  • C. A prefix of TECH_
  • D. A prefix of Splunk_TA_

Answer: D

Explanation:
Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/planintegrationes/

NEW QUESTION 14
An administrator is provisioning one search head prior to installing ES. What are the reference minimum requirements for OS, CPU, and RAM for that machine?

  • A. OS: 32 bit, RAM: 16 MB, CPU: 12 cores
  • B. OS: 64 bit, RAM: 32 MB, CPU: 12 cores
  • C. OS: 64 bit, RAM: 12 MB, CPU: 16 cores
  • D. OS: 64 bit, RAM: 32 MB, CPU: 16 cores

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware

NEW QUESTION 15
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

  • A. 50 GB
  • B. 100 GB
  • C. 300 GB
  • D. 500 MB

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.4.2/Install/Plan

NEW QUESTION 16
ES needs to be installed on a search head with which of the following options?

  • A. No other apps.
  • B. Any other apps installed.
  • C. All apps removed except for TA-*.
  • D. Only default built-in and CIM-compliant apps.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallEnterpriseSecurity

NEW QUESTION 17
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

  • A. Use new app names each time content is exported.
  • B. Do not use the .spl extension when naming an export.
  • C. Always include existing and new content for each export.
  • D. Either use new app names or always include both existing and new content.

Answer: A

NEW QUESTION 18
What is the default schedule for accelerating ES data models?

  • A. 1 minute
  • B. 5 minutes
  • C. 15 minutes
  • D. 1 hour

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 19
How is notable event urgency calculated?

  • A. Asset priority and threat weight.
  • B. Alert severity found by the correlation search.
  • C. Asset or identity risk and severity found by the correlation search.
  • D. Severity set by the correlation search and priority assigned to the associated asset or identity.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 20
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

  • A. $fieldname$
  • B. “fieldname”
  • C. %fieldname%
  • D. _fieldname_

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/Createcorrelationsearch

NEW QUESTION 21
How should an administrator add a new lookup through the ES app?

  • A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
  • B. Upload the lookup file in Settings -> Lookups -> Lookup table files
  • C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
  • D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups

NEW QUESTION 22
Which argument to the | tstats command restricts the search to summarized data only?

  • A. summaries=t
  • B. summaries=all
  • C. summariesonly=t
  • D. summariesonly=all

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 23
Which indexes are searched by default for CIM data models?

  • A. notable and default
  • B. summary and notable
  • C. _internal and summary
  • D. All indexes

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html
