Top Tips Of Renewal SPLK-3001 Study Guides

Because all that matters here is passing the Splunk SPLK-3001 exam, and all that you need is a high score on the SPLK-3001 Splunk Enterprise Security Certified Admin Exam. The only thing you need to do is download the Testking SPLK-3001 exam study guides now. We will not let you down, and we offer a money-back guarantee.

Online Splunk SPLK-3001 free dumps demo below:

NEW QUESTION 1
Which indexes are searched by default for CIM data models?

  • A. notable and default
  • B. summary and notable
  • C. _internal and summary
  • D. All indexes

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html

NEW QUESTION 2
Which of the following is a key feature of a glass table?

  • A. Rigidity.
  • B. Customization.
  • C. Interactive investigations.
  • D. Strong data for later retrieval.

Answer: B

NEW QUESTION 3
Who can delete an investigation?

  • A. ess_admin users only.
  • B. The investigation owner only.
  • C. The investigation owner and ess-admin.
  • D. The investigation owner and collaborators.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

NEW QUESTION 4
What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

  • A. Configure -> Incident Management -> Notable Event Statuses
  • B. Configure -> Content Management -> Type: Correlation Search
  • C. Configure -> Incident Management -> Incident Review Settings -> Event Management
  • D. Configure -> Incident Management -> Incident Review Settings -> Table Attributes

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Customizenotables

NEW QUESTION 5
“10.22.63.159”, “websvr4”, and “00:26:08:18:CF:1D” would be matched against what in ES?

  • A. A user.
  • B. A device.
  • C. An asset.
  • D. An identity.

Answer: B

NEW QUESTION 6
Which column in the Asset or Identity list is combined with event severity to make a notable event’s urgency?

  • A. VIP
  • B. Priority
  • C. Importance
  • D. Criticality

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

NEW QUESTION 7
Which of the following actions would not reduce the number of false positives from a correlation search?

  • A. Reducing the severity.
  • B. Removing throttling fields.
  • C. Increasing the throttling window.
  • D. Increasing threshold sensitivity.

Answer: A

NEW QUESTION 8
Glass tables can display static images and text, the results of ad-hoc searches, and which of the following objects?

  • A. Lookup searches.
  • B. Summarized data.
  • C. Security metrics.
  • D. Metrics store searches.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/CreateGlassTable

NEW QUESTION 9
Where is it possible to export content, such as correlation searches, from ES?

  • A. Content exporter
  • B. Configure -> Content Management
  • C. Export content dashboard
  • D. Settings Menu -> ES -> Export

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Export

NEW QUESTION 10
Where is the Add-On Builder available from?

  • A. GitHub
  • B. SplunkBase
  • C. www.splunk.com
  • D. The ES installation package

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Installation

NEW QUESTION 11
Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do they differ?

  • A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
  • B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
  • C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
  • D. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/latest/Admin/Configureadaptiveresponse

NEW QUESTION 12
Which of the following is a way to test for a properly normalized data model?

  • A. Use Audit -> Normalization Audit and check the Errors panel.
  • B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
  • C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
  • D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

NEW QUESTION 13
What is the default schedule for accelerating ES Datamodels?

  • A. 1 minute
  • B. 5 minutes
  • C. 15 minutes
  • D. 1 hour

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

NEW QUESTION 14
What does the Security Posture dashboard display?

  • A. Active investigations and their status.
  • B. A high-level overview of notable events.
  • C. Current threats being tracked by the SOC.
  • D. A display of the status of security tools.

Answer: B

Explanation:
The Security Posture dashboard is designed to provide high-level insight into the notable events across all domains of your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and provides real-time event information and updates.
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/SecurityPosturedashboard

NEW QUESTION 15
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

  • A. Use new app names each time content is exported.
  • B. Do not use the .spl extension when naming an export.
  • C. Always include existing and new content for each export.
  • D. Either use new app names or always include both existing and new content.

Answer: A

NEW QUESTION 16
ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

  • A. $SPLUNK_HOME/etc/master-apps/
  • B. $SPLUNK_HOME/etc/system/local/
  • C. $SPLUNK_HOME/etc/shcluster/apps
  • D. $SPLUNK_HOME/var/run/searchpeers/

Answer: C

Explanation:
The upgraded contents of the staging instance will be migrated back to the deployer and deployed to the search head cluster members.
  1. On the staging instance, copy $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/shcluster/apps on the deployer.
  2. On the deployer, remove any deprecated apps or add-ons in $SPLUNK_HOME/etc/shcluster/apps that were removed during the upgrade on staging. Confirm by reviewing the ES upgrade report generated on staging, or by examining the apps moved into $SPLUNK_HOME/etc/disabled-apps on staging.

NEW QUESTION 17
What feature of Enterprise Security downloads threat intelligence data from a web server?

  • A. Threat Service Manager
  • B. Threat Download Manager
  • C. Threat Intelligence Parser
  • D. Threat Intelligence Enforcement

Answer: B

NEW QUESTION 18
To observe what network services are in use in a network’s activity overall, which of the following dashboards in Enterprise Security will contain the most relevant data?

  • A. Intrusion Center
  • B. Protocol Analysis
  • C. User Intelligence
  • D. Threat Intelligence

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/NetworkProtectionDomaindashboards

NEW QUESTION 19
Adaptive response action history is stored in which index?

  • A. cim_modactions
  • B. modular_history
  • C. cim_adaptiveactions
  • D. modular_action_history

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/Indexes

NEW QUESTION 20
Which setting indicates that the correlation search will be executed as new events are indexed?

  • A. Always-On
  • B. Real-Time
  • C. Scheduled
  • D. Continuous

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches
