Pass the Splunk Enterprise Security Certified Admin SPLK-3001 Questions and answers with ExamsMirror

Data integrity control is a feature of Splunk Enterprise that helps you verify the integrity of data that it indexes. When you enable data integrity control for an index, Splunk Enterprise computes hashes on every slice of data using the SHA-256 algorithm. It then stores those hashes so that you can verify the integrity of your data later. This feature prevents data tampering and ensures that the data is trustworthy and reliable. Therefore, the correct answer is B. Data integrity control. References = Manage data integrity - Splunk Documentation.

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event. The urgency can be one of the following values: low, medium, high, or critical12. For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking3. References = 1: Incident Review - Splunk Documentation - Urgency. 2: Configure notable event urgency - Splunk Documentation. 3: Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

Modify the correlation schedule and sensitivity for your site

Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

The Splunk Add-on Builder helps you create technology add-ons, which are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. Technology add-ons are often referred to as TAs, and they start with the prefix TA-12. References = 1: Splunk Add-on Builder User Guide - About the Splunk Add-on Builder 2: Splunk Developer Portal - Develop Splunk Apps

 According to the Splunk Enterprise Security documentation, the option to create a Short ID for a notable event is located in the Event Details section of the notable event. The Event Details section shows the basic information about the notable event, such as title, description, urgency, owner, status, and others. It also provides a link to Create Short ID, which generates a 6-digit alphanumeric code that can be used to identify and share the notable event. The Short ID is appended to the URL of the Incident Review dashboard and can be used to filter the notable events by the Short ID field. See Manually create a notable event in Splunk Enterprise Security for more details. Therefore, the correct answer is B. The Event Details. References = Manually create a notable event in Splunk Enterprise Security.

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.

In the Status Configuration window, select the Resolved status from the list of values.

In the Status Transitions section, find the row for the closed status and click the Edit icon.

In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.

Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References = Customize status values and transitions for notable events.

According to the Splunk Reference Architecture document1, for ES, Splunk recommends sizing based on 80 to 100 GB ingest per indexer per day. This means an ES deployment with 2 TB daily ingest will require up to 20 indexers. This recommendation is for a non-cloud (on-prem) ES deployment. For a cloud-based ES deployment, the recommended volume of indexing per day, per indexer, is 50 GB2. The other options, 300 GB and 500 MB, are not recommended by Splunk for ES deployments. References =

Splunk Reference Architecture

Performance reference for Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, threat gen searches are searches that generate synthetic events in the threat activity index to simulate security threats. Threat gen searches are useful for testing and validating the correlation searches, notable events, and adaptive response actions in Splunk Enterprise Security. Threat gen searches produce events in the threat activity index, which is a dedicated index for storing the synthetic events. The events in the threat activity index have the sourcetype of threatgen and the tag of threat. You can use the Threat Activity dashboard to view and analyze the events in the threat activity index. See Threat gen searches for more details.

The other options are not correct, because threat gen searches do not produce them. Threat gen searches do not produce threat intel in KV Store collections, which are key-value pairs of data that store and manage threat intelligence in Splunk Enterprise Security. Threat gen searches do not produce threat correlation searches, which are searches that correlate events with threat intelligence and generate notable events in Splunk Enterprise Security. Threat gen searches do not produce threat notables in the notable index, which are alerts or tasks that indicate potential security incidents or threats in Splunk Enterprise Security. Therefore, the correct answer is D. Events in the threat activity index. References = Threat gen searches.

Upping the Auditing Game for Correlation Searches Within ... - Splunk

Adaptive responses are actions that can be performed in response to notable events or other security incidents. Adaptive responses can be triggered by correlation searches and users on the incident review dashboard. Correlation searches are scheduled searches that run periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. Users can configure correlation searches to trigger adaptive responses automatically when a notable event is created. Users can also run adaptive responses manually from the incident review dashboard, which displays the notable events and their details. Users can select one or more notable events and choose an adaptive response action from the menu. Adaptive responses can help users to gather information, modify the environment, or take other actions to investigate and respond to security incidents. References =

Adaptive Response Framework overview

Run Adaptive Response actions from the Incident Review dashboard