Pass the Splunk Splunk Enterprise Security Certified Admin SPLK-3001 Questions and answers with CertsForce

Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

Add security metrics to a glass table in Splunk Enterprise Security

Create and manage glass tables in Splunk Enterprise Security

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

Modify the correlation schedule and sensitivity for your site

Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

A network anomaly notable is a type of notable event that indicates a possible network attack or misconfiguration. It is generated by the Network - Anomaly Detection - Rule correlation search, which uses the Splunk Stream app to monitor network traffic and detect anomalies based on predefined thresholds. A security analyst who is investigating a network anomaly notable would use the Protocol intelligence dashboard to gain more insight into the network activity and protocols involved in the anomaly. The Protocol intelligence dashboard provides a summary of network traffic by protocol, such as TCP, UDP, ICMP, and others. It also shows the top sources, destinations, ports, and applications for each protocol. The dashboard allows the analyst to filter the data by time range, protocol, source, destination, port, and application. The dashboard also provides drilldown links to other dashboards, such as the Network Resolution dashboard and the Traffic Size Analysis dashboard, for further analysis. Therefore, the correct answer is D. Protocol intelligence dashboard. References =

Network - Anomaly Detection - Rule

Protocol intelligence dashboard

Splunk Stream app

The columns in the Assets lookup that are used to identify an asset in an event are ip, mac, dns, and nt_host. These columns contain the network identifiers of the assets, such as IP address, MAC address, DNS name, and NetBIOS name. Splunk Enterprise Security uses these columns to match the asset fields with the event fields, such as src, dest, dvc, host, and hostname. When a match is found, Splunk Enterprise Security enriches the event with the asset information, such as category, priority, business unit, and location. This allows you to search and analyze events based on the asset attributes and context. References =

Asset Lookup CSV file

Asset and identity correlation

Asset & Identity for Splunk Enterprise Security - Part 1 ...

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

Add asset and identity data to Splunk Enterprise Security

Asset and identity fields in Splunk Enterprise Security

After data is ingested, the data management step that is essential to ensure raw data can be accelerated by a data model and used by ES is normalization to the Splunk Common Information Model (CIM). The CIM is a standard and consistent way of naming and structuring the fields and tags for different types of data, such as network, web, email, authentication, and malware. The CIM allows you to use the same search queries and dashboards across different data sources, even if they have different formats or schemas. Normalizing data to the CIM involves mapping the raw data fields and tags to the CIM fields and tags using technology add-ons. Technology add-ons are Splunk apps that provide the necessary configurations and extractions for specific data sources. By normalizing data to the CIM, you can enable data model acceleration for the data models that use the CIM fields and tags. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. Data model acceleration is required for most of the dashboards and correlation searches in Splunk Enterprise Security. References =

Data models in the Splunk Common Information Model

Data model acceleration

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

Manage assets and identities in Splunk Enterprise Security

People

According to the Splunk Enterprise Security documentation, the HTTP Category Analysis dashboard is one of the Web Intelligence dashboards that help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs. The dashboard shows the top HTTP categories by bytes, requests, and users, and allows you to filter the data by time range, category, user, and domain. The dashboard also provides drilldown links to other dashboards, such as the Web User Agent Analysis dashboard and the Web Domain Analysis dashboard, for further analysis. Therefore, the correct answer is C. HTTP Category Analysis. References = Web Intelligence dashboards.

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.

In the Status Configuration window, select the Resolved status from the list of values.

In the Status Transitions section, find the row for the closed status and click the Edit icon.

In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.

Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References = Customize status values and transitions for notable events.

The argument to the | tstats command that restricts the search to summarized data only is summariesonly=t. Summarized data is the data that is generated by the data model acceleration process, which creates summary indexes (TSIDX files) for the data models. By using summariesonly=t, the tstats command will only search the summary indexes, which can improve the performance and efficiency of the search. However, this also means that the search will not return any events that are not covered by the data model acceleration, such as events outside the acceleration time range or events that do not match the data model constraints12. References = 1: tstats - Splunk Documentation - summariesonly. 2: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.

Fun (or Less Agony) with Splunk Tstats | Deductiv