SPLK-3001 Splunk Enterprise Security Certified Admin Exam Questions and Answers

If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, the threshold value can be increased, so that only more frequent failed logins will trigger a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window will trigger a notable event. If the threshold value is changed to 10, then only 10 or more failed logins within a 1-minute window will trigger a notable event. References =

• Splunk Enterprise Security Admin Manual
• Detecting brute force access behavior

Splunk Enterprise Security knows the local customer domain names so it can detect internal vs. external emails by using the Corporate Web and Email Domain Lookups. These are lookup files that contain the list of domains that are considered internal or corporate for the organization. The Corporate Web and Email Domain Lookups are edited during the initial configuration of Splunk Enterprise Security, and they are used to enrich events with the tag=internal_web or tag=internal_email fields. These fields indicate whether the web or email activity is internal or external, and they are used by dashboards and correlation searches in Splunk Enterprise Security to monitor and analyze the web and email traffic. References =

• Corporate Web and Email Domain Lookups
• Configure web and email domains in Splunk Enterprise Security

Detecting Typosquatting, Phishing, and Corporate Espionage ... - Splunk

A key feature of a glass table is customization. A glass table is a dashboard that allows you to create dynamic and interactive visualizations of your security data. You can customize a glass table by adding static images and text, the results of ad-hoc searches, and security metrics that show the values of KPIs, service health scores, or notable events. You can also configure the appearance, behavior, and drilldown options of the glass table elements. A glass table is not rigid, but flexible and adaptable to your security needs. A glass table is not designed for interactive investigations, but for high-level monitoring and analysis. A glass table does not store data for later retrieval, but shows real-time data generated by KPIs and services. References =

• Create and manage glass tables in Splunk Enterprise Security
• Add security metrics to a glass table in Splunk Enterprise Security

The argument to the | tstats command that restricts the search to summarized data only is summariesonly=t. Summarized data is the data that is generated by the data model acceleration process, which creates summary indexes (TSIDX files) for the data models. By using summariesonly=t, the tstats command will only search the summary indexes, which can improve the performance and efficiency of the search. However, this also means that the search will not return any events that are not covered by the data model acceleration, such as events outside the acceleration time range or events that do not match the data model constraints12. References = 1: tstats - Splunk Documentation - summariesonly. 2: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.

Fun (or Less Agony) with Splunk Tstats | Deductiv

 According to the Splunk Enterprise Security documentation, the recommended way to install ES is on a server with a new install of Splunk. This is because ES requires a dedicated search head that is not shared with other apps or users. Installing ES on a server with a new install of Splunk ensures that there are no conflicts or performance issues with other apps or configurations. If you want to install ES on an existing search head, you need to follow some additional steps, such as redirecting distributed search connections, purging KV Store, and backing up existing data. See Install Splunk Enterprise Security for more details. Therefore, the correct answer is C. On a server with a new install of Splunk. References = Install Splunk Enterprise Security.

According to the Splunk Enterprise Security documentation, the default schedule for accelerating ES data models is every 5 minutes. This means that the data model acceleration searches run every 5 minutes to summarize the newly indexed data and store the results in the tsidx files. The 5-minute schedule is recommended for most use cases, as it provides a balance between search performance and resource consumption. However, you can change the schedule of a data model acceleration search in the Content Management page of Splunk Enterprise Security, if needed. See Configure data models for Splunk Enterprise Security for more details. References = Configure data models for Splunk Enterprise Security.

To navigate to the ES graphical Navigation Bar editor, you need to click the Configure menu in the ES app bar, then select General, and then select Navigation. The Navigation page allows you to customize the navigation bar of the ES app by adding, removing, or reordering the menu items. You can also edit the labels, icons, and links of the menu items. You can use the graphical editor to drag and drop the menu items, or you can edit the navigation XML directly. For more information, see Customize the navigation bar in Splunk Enterprise Security1. The other options, A, C, and D, are not correct. There is no Navigation Menu option under the Configure menu. The Settings menu does not allow you to edit the navigation bar of the ES app. The Settings menu only allows you to edit the navigation menus of the Splunk platform, such as the app launcher and the user menu. References =

• Customize the navigation bar in Splunk Enterprise Security

Design navigation graphs | Android Developers1

Design navigation graphs | Android Developers

The data models that are used by Splunk Enterprise Security are the ones that are defined and provided by the Common Information Model add-on (Splunk_SA_CIM) and the Enterprise Security-specific data models. The Common Information Model add-on contains 12 data models that cover various domains of security data, such as Web, Authentication, Network Traffic, Change, DLP, Email, Endpoint, Intrusion Detection, Malware, Performance, Ticket Management, and Vulnerabilities1. The Enterprise Security-specific data models are Anomalies, Audit, Business Context, Data Loss Prevention, Identity Management, Risk, Threat Intelligence, and Web Proxy2. Therefore, the data models that are used by ES are Web, Authentication, Network Traffic, and Anomalies, among others. References = 1: Overview of the Splunk Common Information Model - Splunk Documentation - Data models included with the Splunk Common Information Model Add-on. 2: Data models in Splunk Enterprise Security - Splunk Documentation - Enterprise Security-specific data models.

According to the Splunk Enterprise Security documentation, one of the recommended pre-installation steps is to configure search head forwarding. Search head forwarding is a feature that allows the search head to forward its internal logs and metrics to an indexer or a heavy forwarder for indexing and analysis. This feature helps you monitor the health and performance of the search head and troubleshoot any issues that may arise. You can configure search head forwarding by editing the outputs.conf file on the search head and specifying the destination indexer or forwarder. See Configure search head forwarding for more details.

The other options are not recommended, because they are either unnecessary or harmful for the installation of ES. Disabling the default search app is not a good option, because it may cause some features of ES to not work properly, such as the Content Management page and the navigation editor. Downloading the latest version of KV Store from MongoDB.com is not a good option, because ES uses the built-in KV Store service that comes with Splunk Enterprise and does not require any external installation or configuration. Installing the latest Python distribution on the search head is not a good option, because it may cause compatibility issues with ES, which uses the Python version that comes with Splunk Enterprise. Therefore, the correct answer is B. Configure search head forwarding. References = Configure search head forwarding.

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

• Technology add-ons overview
• Splunk Common Information Model Add-on
• Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

Adaptive responses are actions that can be performed in response to notable events or other security incidents. Adaptive responses can be triggered by correlation searches and users on the incident review dashboard. Correlation searches are scheduled searches that run periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. Users can configure correlation searches to trigger adaptive responses automatically when a notable event is created. Users can also run adaptive responses manually from the incident review dashboard, which displays the notable events and their details. Users can select one or more notable events and choose an adaptive response action from the menu. Adaptive responses can help users to gather information, modify the environment, or take other actions to investigate and respond to security incidents. References =

• Adaptive Response Framework overview
• Run Adaptive Response actions from the Incident Review dashboard

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

• Managing data models in Enterprise Security

The setting that is used in indexes.conf to specify alternate locations for accelerated storage is tstatsHomePath. Accelerated storage is the location where Splunk Enterprise stores the summary data for accelerated data models and reports. By default, acceleration storage is allocated in the same location as the index containing the raw events being accelerated. However, if you need to specify alternate locations for your accelerated storage, you can use the tstatsHomePath setting in indexes.conf. This setting allows you to define a different path for the summary data, which can improve the performance and efficiency of the data model acceleration. For example, you can set the tstatsHomePath to a faster disk or a different volume than the index homePath12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: indexes.conf - Splunk Documentation - tstatsHomePath.

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

• Manage assets and identities in Splunk Enterprise Security
• People

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

• On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
• Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.
• Click Edit and go to the Notable tab.
• Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.
• Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.
• Click Save to save the changes to the correlation search.
• The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =
• Set up Adaptive Response actions in Splunk Enterprise Security
• Included adaptive response actions with Splunk Enterprise Security

According to the Splunk Add-on Builder documentation, after managing source types and extracting fields, the key step that comes next in the Add-on Builder is to map to data models. Data models are predefined schemas that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the Splunk Common Information Model (CIM) to enable cross-source analysis and correlation of security events. The Add-on Builder helps you to map your data fields to the CIM data models, such as Authentication, Change, Endpoint, and others. You can use the Data Model Mapper tool to select the data models that are relevant to your data source and map the fields accordingly. You can also validate the data model mappings and preview the results. See Map to data models for more details.

The other options are not the correct steps that come next in the Add-on Builder. Validate and package is the last step in the Add-on Builder, where you can check the quality and readiness of your add-on and create a package file for distribution. See Validate and package for more details. Configure data collection is the first step in the Add-on Builder, where you can specify the method and parameters for collecting data from your data source. See Configure data collection for more details. Create alert actions is an optional step in the Add-on Builder, where you can build custom alert actions or adaptive response actions for Splunk Enterprise Security. See [Create alert actions] for more details. Therefore, the correct answer is D. Map to data models. References =

• Map to data models
• Validate and package
• Configure data collection
• [Create alert actions]

Splunk Add-on Builder | Splunkbase3

Splunk Add-on Builder | Splunkbase

Recommended Actions show a list of Adaptive Responses to an analyst, which are possible actions that can be taken in response to a notable event. Adaptive Response Actions run automatically when a correlation search triggers a notable event, and can perform actions such as sending an email, adding a comment, or modifying a risk score. Recommended Actions are configured in the correlation search editor, while Adaptive Response Actions are configured in the alert actions manager. References =

• Included adaptive response actions with Splunk Enterprise Security
• Set up Adaptive Response actions in Splunk Enterprise Security
• Configure adaptive response actions for a correlation search in Splunk Enterprise Security

 A prefix of Splunk_TA_ would allow an add-on to be automatically imported into Splunk Enterprise Security. Splunk Enterprise Security uses a naming convention to identify and import add-ons that are compatible with the Common Information Model (CIM). Add-ons that start with Splunk_TA_ are automatically imported into Splunk Enterprise Security and mapped to the appropriate data models. Add-ons that do not follow this naming convention must be manually imported and configured in Splunk Enterprise Security1. A prefix of CIM_ or TECH_ does not indicate an add-on that can be automatically imported. A suffix of .spl is the file extension for Splunk apps and add-ons, but it does not guarantee that they are compatible with Splunk Enterprise Security. References =

• Import add-ons into Splunk Enterprise Security

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros. For example, you can set the indexes allow list for the Authentication data model to index=main, index=security, index=auth to limit the search to only those three indexes12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

• Manage and customize investigation statuses in Splunk Enterprise Security

 The Remote Access panel within the User Activity dashboard is based on the Authentication data model, which contains information about authentication events from various sources, such as VPN, SSH, RDP, and others. The Authentication data model is accelerated by default, which means that it generates summary data to speed up searches. However, if the summary data is not up to date, the dashboard panel may not show the most recent data. This can happen if the data model acceleration search is skipped, disabled, or encountering errors12. To check the status of the data model acceleration, you can use the Data Model Audit dashboard in the Monitoring Console3 or the | datamodel command in the Search app4. References = 1: User Activity Monitoring - Splunk Documentation - Remote Access. 2: About data model acceleration - Splunk Documentation. 3: Use the Data Model Audit dashboard - Splunk Documentation. 4: datamodel - Splunk Documentation.

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

• [Install Splunk Enterprise Security]
• [Splunk Enterprise architecture]

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

• Add asset and identity data to Splunk Enterprise Security
• Asset and identity fields in Splunk Enterprise Security

The Add-On Builder is available from SplunkBase, which is the official source of apps and add-ons for the Splunk platform. SplunkBase allows you to browse, download, and install apps and add-ons that are compatible with your Splunk deployment. You can also upload and share your own apps and add-ons with the Splunk community. The Add-On Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk Enterprise deployment. Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. The Add-On Builder guides you through the process of creating an add-on, following best practices and naming conventions, maintaining CIM compliance, and testing and validating the add-on1. The Add-On Builder is not available from GitHub, www.splunk.com, or the ES installation package. References =

• Splunk Add-on Builder | Splunkbase

Splunk Add-on Builder | Splunkbase

Correlation searches can perform adaptive response actions when they find a pattern in the data. Adaptive response actions are automated or manual responses that you can use to modify your environment based on notable events. For example, you can block an IP address, add a user to a watchlist, or send an email notification. Configuring correlation adaptive responses is part of tuning correlation searches for a new ES installation, as it allows you to customize the actions that are triggered by the correlation searches. You can enable, disable, or modify the adaptive response actions for each correlation search, or create your own custom actions. References =

• Configure correlation searches in Splunk Enterprise Security
• Adaptive Response Framework overview

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

• Modify the correlation schedule and sensitivity for your site
• Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk