Pass the Splunk Splunk Enterprise Security Certified Admin SPLK-3001 Questions and answers with CertsForce

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

Managing data models in Enterprise Security

The endpoint security domain dashboards in Splunk Enterprise Security display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. The sources for events in the endpoint security domain dashboards are the devices that are considered endpoints in your network, such as workstations, notebooks, and point-of-sale systems1. References = 1: Introduction to the dashboards available in Splunk Enterprise Security - Endpoint domain dashboards.

 According to the Splunk Enterprise Security documentation, the option to create a Short ID for a notable event is located in the Event Details section of the notable event. The Event Details section shows the basic information about the notable event, such as title, description, urgency, owner, status, and others. It also provides a link to Create Short ID, which generates a 6-digit alphanumeric code that can be used to identify and share the notable event. The Short ID is appended to the URL of the Incident Review dashboard and can be used to filter the notable events by the Short ID field. See Manually create a notable event in Splunk Enterprise Security for more details. Therefore, the correct answer is B. The Event Details. References = Manually create a notable event in Splunk Enterprise Security.

 According to the Splunk Enterprise Security documentation, the bar across the bottom of any ES window is called the Investigation Bar. The Investigation Bar is a tool that helps you create and manage investigations in ES. An investigation is a collection of related notable events, comments, and artifacts that document a security incident or a threat hunting activity. You can use the Investigation Bar to do the following tasks:

Create a new investigation or open an existing one.

Add notable events, comments, and artifacts to an investigation.

Assign an owner and a status to an investigation.

Share an investigation with other users or roles.

Export an investigation as a PDF report.

The Investigation Bar also provides a link to the Investigation Workbench, which is a dashboard that shows a timeline and a summary of an investigation. Therefore, the correct answer is B. The Investigation Bar. References = Use the Investigation Bar.

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

[Install Splunk Enterprise Security]

[Splunk Enterprise architecture]

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

Technology add-ons overview

Splunk Common Information Model Add-on

Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

 To add a new column to the Notable Event table in the Incident Review dashboard, you need to follow these steps:

On the Splunk Enterprise Security menu bar, click Configure > Incident Management > Incident Review Settings.

On the Incident Review Settings page, click the Table Attributes tab.

On the Table Attributes tab, click Add New Attribute.

Enter the name of the attribute that you want to add as a column, such as src or dest. The name must match the field name in the notable event data model.

Enter a label for the attribute that will appear as the column header, such as Source or Destination.

Enter a description for the attribute that will appear as a tooltip when you hover over the column header.

Select the data type for the attribute, such as string or number.

Select the visibility for the attribute, such as visible or hidden.

Click Save to save the new attribute.

Refresh the Incident Review dashboard to see the new column in the Notable Event table. References =

Add custom columns to the Incident Review dashboard in Splunk Enterprise Security

A field alias is a knowledge object that maps a non-standard field name to a CIM field name. A field alias allows you to use the same search string to retrieve data from different data sources, even if the data sources use different field names for the same type of data. For example, if you have data sources that use different field names for the source IP address, such as src_ip, source_ip, or sip, you can create a field alias that maps these field names to the CIM field name src. This way, you can use src as a common field name in your searches and reports, and Splunk will automatically replace it with the appropriate field name for each data source. Field aliases are applied at search time, so they do not affect the original data or the index time field extractions. References =

Normalizing values to a common field name with the Common Information Model (CIM)

Field aliases

Onboarding data to Splunk Enterprise Security

 ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to the $SPLUNK_HOME/etc/shcluster/apps location on the cluster deployer instance. This is the directory where the deployer stores the configuration bundle that it distributes to the search head cluster members. The configuration bundle consists of apps and other configuration files that are not replicated by the cluster. The deployer does not use the $SPLUNK_HOME/etc/master-apps/ directory, which is used by the master node in an indexer cluster. The deployer does not use the $SPLUNK_HOME/etc/system/local/ directory, which is used to store local configuration files for the deployer instance itself. The deployer does not use the $SPLUNK_HOME/var/run/searchpeers/ directory, which is used by the search head to store information about the indexer cluster peers. References =

Use the deployer to distribute apps and configuration updates - Splunk Documentation

Install Splunk Enterprise Security in a search head cluster environment - Splunk Documentation