Splunk 1-25 Flashcards
(25 cards)
What is the primary purpose of Splunk Enterprise Security (ES)?
A) Log aggregation and storage
B) Security information and event management (SIEM)
C) Network monitoring
D) Database management
B) Security information and event management (SIEM)
Which of the following is NOT a core component of Splunk ES?
A) Correlation searches
B) Notable events
C) Data models
D) Windows registry analysis
D) Windows registry analysis
What is the default retention period for notable events in Splunk ES?
A) 30 days
B) 90 days
C) 180 days
D) 365 days
C) 180 days
Which Splunk ES dashboard provides an overview of security posture?
A) Security Operations Center (SOC)
B) Incident Review
C) Security Posture
D) Asset Investigator
C) Security Posture
What is the minimum Splunk version required for ES 7.x?
A) 8.0
B) 8.1
C) 8.2
D) 9.0
C) 8.2
Which search head clustering feature is required for ES in a distributed environment?
A) Search head pooling
B) Search head clustering
C) Load balancing
D) Distributed search
B) Search head clustering
What is the primary function of the ES Glass Table?
A) Data visualization
B) Real-time monitoring dashboard
C) Asset tracking
D) Incident management
B) Real-time monitoring dashboard
Which of the following best describes a notable event?
A) Any security-related log entry
B) An event that requires investigation
C) A correlation search result that meets specific criteria
D) An error in the Splunk system
C) A correlation search result that meets specific criteria
What is the default urgency level for new notable events?
A) Critical
B) High
C) Medium
D) Low
C) Medium
Which ES app provides threat intelligence integration?
A) Splunk Common Information Model (CIM)
B) ES Content Updates (ESCU)
C) Threat Intelligence Management
D) Security Essentials
C) Threat Intelligence Management
What does CIM stand for in the context of Splunk ES?
A) Common Information Model
B) Centralized Information Management
C) Critical Incident Monitoring
D) Cyber Intelligence Matrix
A) Common Information Model
Which data model is used for authentication events?
A) Network Traffic
B) Authentication
C) Web
D) Change
B) Authentication
What is the primary benefit of using CIM-compliant field names?
A) Faster search performance
B) Standardization and interoperability
C) Reduced storage requirements
D) Enhanced security
B) Standardization and interoperability
Which command is used to accelerate data models?
A) | datamodel
B) | pivot
C) | tstats
D) | summary
C) | tstats
What is the recommended acceleration summary range for data models?
A) 1 day
B) 7 days
C) 30 days
D) 90 days
C) 30 days
Which field is common across all CIM data models?
A) src_ip
B) dest_ip
C) _time
D) user
C) _time
What is the purpose of calculated fields in data models?
A) To create new fields based on existing data
B) To filter unwanted events
C) To accelerate searches
D) To normalize timestamps
A) To create new fields based on existing data
Which data model category includes malware events?
A) Network
B) Endpoint
C) Web
D) Authentication
B) Endpoint
What is the default time range for data model acceleration?
A) Last 24 hours
B) Last 7 days
C) Last 30 days
D) All time
D) All time
Which command is used to validate CIM compliance?
A) | audit
B) | validate
C) | check
D) | eval
A) | audit
What is the primary purpose of asset lists in Splunk ES?
A) To track hardware inventory
B) To enrich events with contextual information
C) To monitor network traffic
D) To manage user accounts
B) To enrich events with contextual information
Which file format is commonly used to import asset data?
A) JSON
B) XML
C) CSV
D) TXT
C) CSV
What is the maximum number of assets supported in a single asset list?
A) 10,000
B) 50,000
C) 100,000
D) 1,000,000
C) 100,000
Which field is required for all asset entries?
A) ip
B) mac
C) hostname
D) owner
A) ip