Deck 6: Splunk IT Service Intelligence Certified Admin

A) Asset priority and threat weight.
B) Alert severity found by the correlation search.
C) Asset or identity risk and severity found by the correlation search.
D) Severity set by the correlation search and priority assigned to the associated asset or identity.

A) Threat Service Manager
B) Threat Download Manager
C) Threat Intelligence Parser
D) Threat Intelligence Enforcement

A) Text
B) STIX/TAXII
C) VulnScanSPL
D) SplunkEnterpriseThreatGenerator

A) $fieldname$
B) "fieldname"
C) %fieldname%
D) _fieldname_

A) Web
B) Anomalies
C) Authentication
D) Network Traffic

A) VIP
B) Priority
C) Importance
D) Criticality

A) When adding apps to the deployment server.
B) Splunk_TA_ForIndexers.spl is installed first. is installed first.
C) After installing ES on the search head(s) and running the distributed configuration management tool.
D) Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

A) Web
B) Risk
C) Performance
D) Authentication

A) GitHub
B) SplunkBase
C) www.splunk.com
D) The ES installation package

A) Configure -> Incident Management -> Notable Event Statuses
B) Configure -> Content Management -> Type: Correlation Search
C) Configure -> Incident Management -> Incident Review Settings -> Event Management
D) Configure -> Incident Management -> Incident Review Settings -> Table Attributes

A) REST API invocations.
B) Investigation final results status.
C) Workstations, notebooks, and point-of-sale systems.
D) Lifecycle auditing of incidents, from assignment to resolution.

A) DA-
B) SA-
C) TA-
D) App-

A) A prefix of CIM_ A prefix of CIM_
B) A suffix of .spl A suffix of .spl
C) A prefix of TECH_ TECH_
D) A prefix of Splunk_TA_ Splunk_TA_

A) Save the settings.
B) Apply the correct tags.
C) Run the correct search.
D) Visit the CIM dashboard.

A) Rigidity.
B) Customization.
C) Interactive investigations.
D) Strong data for later retrieval.

A) summaries=t
B) summaries=all
C) summariesonly=t
D) summariesonly=all

A) notable and default notable and default
B) summary and notable summary
C) _internal and summary _internal
D) All indexes

A) thawedPath
B) tstatsHomePath
C) summaryHomePath
D) warmToColdScript

A) An urgency.
B) A risk profile.
C) An aggregation.
D) A numeric score.

A) Schedule priority.
B) Window interval.
C) Window duration.
D) Schedule windows.

A) Email.
B) Nickname
C) IP address.
D) Combination of Last Name, First Name.

A) No other apps.
B) Any other apps installed.
C) All apps removed except for TA-*.
D) Only default built-in and CIM-compliant apps.

A) Splunk_DS_ForIndexers.spl
B) Splunk_ES_ForIndexers.spl
C) Splunk_SA_ForIndexers.spl
D) Splunk_TA_ForIndexers.spl

A) Paste it into Notepad.
B) Click the "Add IOC" button.
C) Click the "Add Artifact" button.
D) Add it in a text note to the investigation.

A) Correlation editor.
B) Key indicator search.
C) Threat download dashboard.
D) Protocol intelligence dashboard.

A) KV Store
B) notable index notable index
C) attachments.csv lookup attachments.csv lookup
D) /etc/apps/SA-Investigations/default/ui/views/attachments

A) Upload the lookup file in Settings -> Lookups -> Lookup Definitions
B) Upload the lookup file in Settings -> Lookups -> Lookup table files
C) Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D) Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup

A) Install ES on the existing search head.
B) Add a new search head and install ES on it.
C) Increase the number of CPUs and amount of memory on the search head, then install ES.
D) Delete the non-CIM-compliant apps from the search head, then install ES.

A) Threat Service Manager
B) Threat Download Manager
C) Threat Intelligence Parser
D) Therat Intelligence Enforcement

A) OS: 32 bit, RAM: 16 MB, CPU: 12 cores
B) OS: 64 bit, RAM: 32 MB, CPU: 12 cores
C) OS: 64 bit, RAM: 12 MB, CPU: 16 cores
D) OS: 64 bit, RAM: 32 MB, CPU: 16 cores

A) Use new app names each time content is exported.
B) Do not use the .spl extension when naming an export. Do not use the extension when naming an export.
C) Always include existing and new content for each export.
D) Either use new app names or always include both existing and new content.

A) ess_admin users only.
B) The investigation owner only.
C) The investigation owner and ess-admin.
D) The investigation owner and collaborators.

A) 1 minute
B) 5 minutes
C) 15 minutes
D) 1 hour

A) Always-On
B) Real-Time
C) Scheduled
D) Continuous

A) Tstats
B) KV Store
C) Data models
D) Dynamic lookups

A) Index consistency.
B) Data integrity control.
C) Indexer acknowledgement.
D) Index access permissions.

A) Expire data.
B) Normalize data.
C) Summarize data.
D) Translate data.

A) Install ES.
B) Determine the data sources used.
C) Determine the hardware required.
D) Determine the size and scope of installation.

A) Configure -> Navigation Menu
B) Configure -> General -> Navigation
C) Settings -> User Interface -> Navigation -> Click on "Enterprise Security"
D) Settings -> User Interface -> Navigation Menus -> Click on "default" next to SplunkEnterpriseSecuritySuite

A) 50 GB
B) 100 GB
C) 300 GB
D) 500 MB

A) Field alias.
B) Search time extraction.
C) Tag.
D) Eventtype.

A) Add additional indexers.
B) Redirect distributed search connections.
C) Purge KV Store.
D) Add additional forwarders.

A) Edit the search and modify the notable event status field to make the notable events less urgent.
B) Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.
C) Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
D) Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.

A) Change the search heads to do local indexing of summary searches.
B) Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
C) Increase memory and CPUs on the search head(s) and add additional indexers.
D) If indexed realtime search is enabled, disable it for the notable index.

A) Nothing, there are no additional steps for add-ons.
B) Configure the add-ons via the Content Management dashboard.
C) Disable the add-ons until they are ready to be used, then enable the add-ons.
D) Configure the add-ons according to their README or documentation.

A) Disable indexed real-time search.
B) Increase priority of all correlation searches.
C) Reduce the frequency (schedule) of lower-priority correlation searches.
D) Add notable event suppressions for correlation searches with high numbers of false positives.

A) Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup
B) Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
C) Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
D) Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup

A) Reducing the severity.
B) Removing throttling fields.
C) Increasing the throttling window.
D) Increasing threshold sensitivity.

A) Indexers might crash.
B) Indexers might be processing.
C) Indexers might not be reachable.
D) Indexers have different settings.

A) Active investigations and their status.
B) A high-level overview of notable events.
C) Current threats being tracked by the SOC.
D) A display of the status of security tools.

A) A user.
B) A device.
C) An asset.
D) An identity.

A) 3.4
B) 5.7
C) 1.0
D) 2.5

A) Always-On
B) Real-Time
C) Scheduled
D) Continuous

A) ess_user
B) ess_admin
C) ess_analyst
D) ess_reviewer

A) Risk
B) Audit
C) Domain analysis
D) Threat intelligence

A) In Enterprise Security, give the ess_user role the Own Notable Events permission. In Enterprise Security, give the role the Own Notable Events permission.
B) From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status. From the Status Configuration window select the status. Remove from the status transitions for the status.
C) From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
D) From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability. From Splunk Access Controls, select the role and remove the edit_notable_events capability.

A) Intrusion Center
B) Protocol Analysis
C) User Intelligence
D) Threat Intelligence

A) SA-CIM.
B) SA-Notable.
C) ES application.
D) Technology add-on.

A) Lookup searches.
B) Summarized data.
C) Security metrics.
D) Metrics store searches.

A) Priority and Severity.
B) Priority and Criticality.
C) Criticality and Severity.
D) Precedence and Time.

A) Threat correlation searches.
B) Threat intel in KV Store collections.
C) Events in the threat_activity index. Events in the threat_activity index.
D) Threat notables in the notable index. Threat notables in the notable

A) By correlation searches and users on the incident review dashboard.
B) By correlation searches and custom tech add-ons.
C) By correlation searches and users on the threat analysis dashboard.
D) By custom tech add-ons and users on the risk analysis dashboard.

A) Install the latest Python distribution on the search head.
B) Download the latest version of KV Store from MongoDB.com.
C) Configure search head forwarding.
D) Disable the default search app.

A) The Additional Fields.
B) The Event Details.
C) The Contributing Events.
D) The Description.

A) The Investigator Workbench.
B) The Investigation Bar.
C) The Compliance Bar.
D) The Analyst Bar.

A) Create new asset
B) Create notable event
C) Create investigation
D) Create new correlation search

A) Edit the Threat Activity view settings and checkmark the Default View option.
B) From the Edit Navigation page, click the "Set this as the default view" checkmark for Threat Activity.
C) From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page.
D) From the Preferences menu for the user, select Enterprise Security as the default application.

A) Suppress notable events from that correlation search.
B) Disable acceleration for the correlation search to reduce storage requirements.
C) Modify the correlation schedule and sensitivity for your site.
D) Change the correlation search's default status and severity.

A) indexes.conf, props.conf, transforms.conf
B) web.conf, props.conf, transforms.conf
C) inputs.conf, props.conf, transforms.conf
D) eventtypes.conf, indexes.conf, tags.conf

A) Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.
B) Add the dashboard to a custom add-in app and install it to ES using the Content Manager.
C) Add links on the ES home page to the new dashboard.
D) Create a new role inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.

A) Searches only accelerated data.
B) Forwards summary indexes to the indexing tier.
C) Uses a default summary time range.
D) Searches summary indexes only.