What does the summariesonly=true option do for a correlation search?
A. Searches only accelerated data.
B. Forwards summary indexes to the indexing tier.
C. Uses a default summary time range.
D. Searches summary indexes only.
Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?
A. Indexes might crash.
B. Indexes might be processing.
C. Indexes might not be reachable.
D. Indexes have different settings.
Which columns in the Assets lookup are used to identify an asset in an event?
A. src, dvc, dest
B. cidr, port, netbios, saml
C. ip, mac, dns, nt_host
D. host, hostname, url, address
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?
A. $fieldname$
B. "fieldname"
C. %fieldname%
D. _fieldname_
Who can delete an investigation?
A. ess_admin users only.
B. The investigation owner only.
C. The investigation owner and ess_admin.
D. The investigation owner and collaborators.
Which setting is used in indexes.conf to specify alternate locations for accelerated storage?
A. thawedPath
B. tstatsHomePath
C. summaryHomePath
D. warmToColdScript
Which feature contains scenarios that are useful during ES Implementation?
A. Use Case Library
B. Correlation Searches
C. Predictive Analytics
D. Adaptive Responses
A newly built custom dashboard needs to be available to a team of security analysts in ES. How is it possible to integrate the new dashboard?
A. Add links on the ES home page to the new dashboard.
B. Create a new role inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.
C. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.
D. Add the dashboard to a custom add-in app and install it to ES using the Content Manager.
What tools does the Risk Analysis dashboard provide?
A. High risk threats.
B. Notable event domains displayed by risk score.
C. A display of the highest risk assets and identities.
D. Key indicators showing the highest probability correlation searches in the environment.
Which of the following is a way to test for a properly normalized data model?
A. Use Audit -> Normalization Audit and check the Errors panel.
B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.