ES Admin Flashcards
(28 cards)
The Add-On Builder creates Splunk Apps that start with what?
A. DA-
B. SA-
C. TA-
D. App-
Which of the following are examples of sources for events in the endpoint security domain dashboards?
A. REST API invocations
B. Investigation final results status
C. Workstations, notebooks, & point-of-sale systems
D. Lifecycle auditing of incidents, from assignement to resolution
C. Workstations, notebooks, & point-of-sale systems
When creating custom correlation searches, what format is used to embed field values in the title, description, & drill-down fields of a notable event?
A. $fieldname$
B. ג€fieldnameג€
C. %fieldname%
D. _fieldname_
A. $fieldname$
ES Admin Slide 222 (Module 10: Creating Correlation Searches)
What feature of Enterprise Security downloads threat intelligence data from a web server?
A. Threat Service Manager
B. Threat Download Manager
C. Threat Intelligence Parser
D. Threat Intelligence Enforcement
B. Threat Download Manager
ES Admin Slide 278 (Module 12: Managing Threat Intelligence)
The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?
A. Web
B. Risk
C. Performance
D. Authentication
D. Authentication
https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/dashboards/data-model-reference-for-dashboards-in-splunk-enterprise-security
In order to include an eventtype in a data model node, what is the next step after extracting the correct fields?
A. Save the settings
B. Apply the correct tags
C. Run the correct search
D. Visit the CIM dashboard
C. Run the correct search
Run the correct search to ensure the data is accurately represented.
Apply the correct tags to categorize the events and ensure that they are processed correctly within the data model.
Applying tags helps identify and group events based on common characteristics, making it easier for the data model to classify and use these events in searches, dashboards, or correlation searches.
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizeOSSECdata
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?
A. ess_user
B. ess_admin
C. ess_analyst
D. ess_reviewer
C. ess_analyst
ES Admin Slide 21 (Module 1: Introduction to Enterprise Security)
Which column in the Asset or Identity list is combined with event security to make a notable event’s urgency?
A. VIP
B. Priority
C. Importance
D. Criticality
What does the risk framework add to an object (user, server or other type) to indicate increased risk?
A. An urgency
B. A risk profile
C. An aggregation
D. A numeric score
Which indexes are searched by default for CIM data models?
A. notable and default
B. summary and notable
C. _internal and summary
D. All indexes
D. All indexes
ES Admin Slide 158 (Module 7: Validating ES Data)
https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexes-searched-by-CIM-data-models/td-p/348455
Which setting is used in indexes.conf to specify alternate locations for accelerated storage?
A. thawedPath
B. tstatsHomePath
C. summaryHomePath
D. warmToColdScript
C. summaryHomePath
Which of the following is a way to test for a property normalized data model?
A. Use Audit -> Normalization Audit & check the Errors panel
B. Run a | datamodel search, compare results to the CIM documentation for the datamodel
C. Run a | loadjob search, look at tag values & compare them to known tags based on the encoding
D. Run a | datamodel search & compare the results to the list of data models in the ES normalization guide
B. Run a | datamodel search, compare results to the CIM documentation for the datamodel
ES Admin Slide 160 (Module 7: Validating ES Data)
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime
Which argument to the | tstats command restricts the search to summarized data only?
A. summaries=t
B. summaries=all
C. summariesonly=t
D. summariesonly=all
C. summariesonly=t
ES Admin Slide 11 (Module 1: Introduction to Enterprise Security) or 147
When investigating, what is the best way to store a newly-found IOC?
A. Paste it into Notepad
B. Click the “Add IOC” button
C. Click the “Add Artifact” button
D. Add it ina a text note to the investigation
C. Click the “Add Artifact” button
ES Admin Slides 369-372 (Appendix: Using ES Investigations
How is it possible to navigate to the list of currently-enabled ES correlation searches?
A. Configure > Correlation Search > Select Status “Enabled”
B. Settings > Searches, Reports, and Alerts > Filter by Name of “Correlation”
C. Configure > Content Management > Select Type “Correlation” and Status “Enabled”
D. Settings > Searches, Reports, and Alerts > Select App of “SplunkEnterpriseSecuritySuite” and filter by “-Rule”
C. Configure > Content Management > Select Type “Correlation” and Status “Enabled”
ES Admin Slide 17 (Module 1: Introduction to Enterprise Security)
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
A. Indexers might crash
B. Indexers might be processing
C. Indexers might not be reachable
D. Indexers have different settings
D. Indexers have different settings
Which of the following are data models used by ES? (Choose all that apply)
A. Web
B. Anomalies
C. Authentication
D. Network Traffic
A. Web
C. Authentication
D. Network Traffic
ES Admin Slide 154 (Module 7: Validating ES Data)
At what point in the ES installation process should Splunk_TA_ForIndexers.spl be deployed to the indexers?
A. When adding apps to the deployment server
B. Splunk_TA_ForIndexers.spl is installed first
C. After installing ES on the search head(s) & running the distributed configuration management tool
D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master & the splunk apply cluster-bundle command
C. After installing ES on the search head(s) & running the distributed configuration management tool
ES Admin Slide 105 (Module 5: Installation)
Which correlation search feature is used to throttle the creation of notable events?
A. Schedule priority
B. Window interval
C. Window duration
D. Schedule window
C. Window duration
ES Admin Slide 203 (Module 9: Tuning Correlation Searches)
Both `Recommended Actions` and `Adaptive Response Actions` use adaptive response. How do they differ?
A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded
B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically
C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically
D. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention
B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically
ES Admin Slide 224 & 226 (Module 10: Creating Correlation Searches)
What does the Security Posture dashboard display?
A. Active investigations and their status
B. A high-level overview of notable events
C. Current threats being tracked by the SOC
D. A display of the status of security tools
B. A high-level overview of notable events
ES Admin Slides 28 (Module 2: Security Monitoring)
`10.22.63.159`, `websvr4`, and `00:26:08:18:CF:1D` would be matched against what in ES?
A. A user
B. A device
C. An asset
D. An identity
C. An asset
ES Admin Slides 235 (Module 11: Asset & Identity Management)
How should an administrator add a new lookup through the ES app?
A. Upload the lookup file in Settings > Lookups > Lookup Definitions
B. Upload the lookup file in Settings > Lookups > Lookup table files
C. Add the lookup file /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D. Upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup
D. Upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup
An administrator is asked to configure an `Nslookup` adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an anlayst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?
A. Configure > Content Management > Type: Correlation Search > Notable > Nslookup
B. Configure > Type: Correlation Search > Notable > Recommended Actions > Nslookup
C. Configure > Content Management > Type: Correlation Search > Notable > Next Steps > Nslookup
D. Configure > Content Management > Type: Correlation Search > Notable > Recommended Actions > Nslookup
D. Configure > Content Management > Type: Correlation Search > Notable > Recommended Actions > Nslookup
ES Admin Slide 224 (Module 10: Creating Correlation Searches)
