Pass the Splunk Splunk Enterprise Security Certified Admin SPLK-3001 Questions and answers with CertsForce

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

Modify the correlation schedule and sensitivity for your site

Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, the threshold value can be increased, so that only more frequent failed logins will trigger a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window will trigger a notable event. If the threshold value is changed to 10, then only 10 or more failed logins within a 1-minute window will trigger a notable event. References =

Splunk Enterprise Security Admin Manual

Detecting brute force access behavior

The tstatsHomePath setting in indexes.conf allows you to specify an alternate location for accelerated storage. Accelerated storage is where Splunk Enterprise stores the summary data for data models that are accelerated. The summary data is used to speed up searches and reports that use the data models. By default, the accelerated storage is located in the same volume as the index that contains the events referenced by the data model. However, you can use the tstatsHomePath setting to change the location of the accelerated storage to a different volume or path. This can help you optimize the performance and disk space usage of your Splunk Enterprise deployment. References =

Use the tstatsHomePath setting in indexes.conf if you need to specify alternate locations for your accelerated storage

tstatsHomePath setting in indexes.conf.spec

The Add-On Builder is available from SplunkBase, which is the official source of apps and add-ons for the Splunk platform. SplunkBase allows you to browse, download, and install apps and add-ons that are compatible with your Splunk deployment. You can also upload and share your own apps and add-ons with the Splunk community. The Add-On Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk Enterprise deployment. Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. The Add-On Builder guides you through the process of creating an add-on, following best practices and naming conventions, maintaining CIM compliance, and testing and validating the add-on1. The Add-On Builder is not available from GitHub, www.splunk.com, or the ES installation package. References =

Splunk Add-on Builder | Splunkbase

Splunk Add-on Builder | Splunkbase

According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:

indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See indexes.conf for more details.

props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See props.conf for more details.

transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations. See transforms.conf for more details.

Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References =

indexes.conf

props.conf

transforms.conf

Assigning Role Based Permissions in Splunk Enterprise Security

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

Managing data models in Enterprise Security

 Notable event urgency is calculated by combining the severity set by the correlation search and the priority assigned to the associated asset or identity. The severity is a value that indicates the impact or importance of the event, such as low, medium, high, or critical. The priority is a value that indicates the significance or sensitivity of the asset or identity involved in the event, such as unknown, low, medium, high, or critical. The urgency is a value that indicates the level of attention or action required for the event, such as informational, low, medium, high, or critical. The urgency is determined by using the urgency_lookup, which maps the severity and priority values to the urgency values. For example, if the severity is high and the priority is medium, the urgency is high. If the severity is critical and the priority is critical, the urgency is critical. You can use the urgency field to prioritize the investigation of notable events in Splunk Enterprise Security1. References =

How urgency is assigned to notable events in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, one of the recommended pre-installation steps is to configure search head forwarding. Search head forwarding is a feature that allows the search head to forward its internal logs and metrics to an indexer or a heavy forwarder for indexing and analysis. This feature helps you monitor the health and performance of the search head and troubleshoot any issues that may arise. You can configure search head forwarding by editing the outputs.conf file on the search head and specifying the destination indexer or forwarder. See Configure search head forwarding for more details.

The other options are not recommended, because they are either unnecessary or harmful for the installation of ES. Disabling the default search app is not a good option, because it may cause some features of ES to not work properly, such as the Content Management page and the navigation editor. Downloading the latest version of KV Store from MongoDB.com is not a good option, because ES uses the built-in KV Store service that comes with Splunk Enterprise and does not require any external installation or configuration. Installing the latest Python distribution on the search head is not a good option, because it may cause compatibility issues with ES, which uses the Python version that comes with Splunk Enterprise. Therefore, the correct answer is B. Configure search head forwarding. References = Configure search head forwarding.

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

Manage and customize investigation statuses in Splunk Enterprise Security