Splunk 26-50 Flashcards
(25 cards)
How often should asset lists be updated?
A) Daily
B) Weekly
C) Monthly
D) As needed based on environment changes
D) As needed based on environment changes
Which ES feature automatically discovers assets on the network?
A) Asset Discovery
B) Network Discovery
C) Auto Asset Detection
D) Dynamic Asset Management
A) Asset Discovery
What information can be included in an identity list?
A) Only usernames
B) Only email addresses
C) Usernames, email addresses, and additional attributes
D) Only employee IDs
C) Usernames, email addresses, and additional attributes
Which priority level indicates the most critical assets?
A) Low
B) Medium
C) High
D) Critical
D) Critical
What happens when an asset is marked as “bunit” in the asset list?
A) It’s assigned to a business unit
B) It’s marked for backup
C) It’s flagged as a backup unit
D) It’s designated as a business-critical unit
A) It’s assigned to a business unit
What is the primary function of correlation searches in Splunk ES?
A) To generate reports
B) To create dashboards
C) To detect security threats and create notable events
D) To back up data
C) To detect security threats and create notable events
What is the default search window for most correlation searches?
A) 1 hour
B) 4 hours
C) 24 hours
D) 1 week
C) 24 hours
Which field determines the scheduling interval for correlation searches?
A) cron_schedule
B) search_interval
C) schedule
D) frequency
A) cron_schedule
What is the purpose of the “earliest” and “latest” time modifiers in correlation searches?
A) To limit search results
B) To define the search time window
C) To set alert thresholds
D) To configure data retention
B) To define the search time window
Which action is automatically performed when a correlation search triggers?
A) Send email notification
B) Create a notable event
C) Generate a report
D) Update asset information
B) Create a notable event
What is the recommended approach for testing new correlation searches?
A) Deploy directly to production
B) Test with historical data first
C) Run only during maintenance windows
D) Test on a subset of data sources
B) Test with historical data first
Which field in correlation searches controls the notable event severity?
A) priority
B) urgency
C) severity
D) importance
C) severity
What is the purpose of suppression in correlation searches?
A) To reduce false positives
B) To increase search performance
C) To hide sensitive data
D) To compress search results
A) To reduce false positives
Which time format is used in correlation search scheduling?
A) 24-hour format
B) Cron format
C) Unix timestamp
D) ISO 8601
B) Cron format
What happens when a correlation search is disabled?
A) It continues to run but doesn’t create notable events
B) It stops running completely
C) It runs only during off-peak hours
D) It runs but creates low-priority notable events
B) It stops running completely
What are the possible statuses for notable events?
A) New, Open, Closed
B) New, In Progress, Resolved, Closed
C) Active, Inactive, Archived
D) Pending, Investigating, Complete
B) New, In Progress, Resolved, Closed
Which dashboard is primarily used for managing notable events?
A) Security Posture
B) Incident Review
C) Asset Investigator
D) Protocol Intelligence
B) Incident Review
What is the purpose of notable event suppression?
A) To delete unwanted events
B) To temporarily hide events from view
C) To prevent creation of similar events for a specified period
D) To reduce event severity
C) To prevent creation of similar events for a specified period
Which field contains the correlation search name that created the notable event?
A) search_name
B) rule_name
C) correlation_id
D) source_search
A) search_name
What is the default owner of newly created notable events?
A) admin
B) unassigned
C) system
D) es_admin
B) unassigned
Which action allows analysts to group related notable events?
A) Merge
B) Link
C) Correlate
D) Associate
A) Merge
What information is captured when a notable event status is changed?
A) Only the new status
B) Status, timestamp, and user who made the change
C) Status and timestamp only
D) User and timestamp only
B) Status, timestamp, and user who made the change
Which field determines the urgency of a notable event?
A) severity
B) priority
C) urgency
D) importance
C) urgency
What is the purpose of notable event comments?
A) To provide investigation notes and context
B) To classify the event type
C) To set the event priority
D) To assign the event to a team
A) To provide investigation notes and context