SPLK-3001 Sample Questions Answers

Adaptive responses are actions that can be performed in response to notable events or other security incidents. Adaptive responses can be triggered by correlation searches and users on the incident review dashboard. Correlation searches are scheduled searches that run periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. Users can configure correlation searches to trigger adaptive responses automatically when a notable event is created. Users can also run adaptive responses manually from the incident review dashboard, which displays the notable events and their details. Users can select one or more notable events and choose an adaptive response action from the menu. Adaptive responses can help users to gather information, modify the environment, or take other actions to investigate and respond to security incidents. References =

• Adaptive Response Framework overview
• Run Adaptive Response actions from the Incident Review dashboard

The data models that are used by Splunk Enterprise Security are the ones that are defined and provided by the Common Information Model add-on (Splunk_SA_CIM) and the Enterprise Security-specific data models. The Common Information Model add-on contains 12 data models that cover various domains of security data, such as Web, Authentication, Network Traffic, Change, DLP, Email, Endpoint, Intrusion Detection, Malware, Performance, Ticket Management, and Vulnerabilities1. The Enterprise Security-specific data models are Anomalies, Audit, Business Context, Data Loss Prevention, Identity Management, Risk, Threat Intelligence, and Web Proxy2. Therefore, the data models that are used by ES are Web, Authentication, Network Traffic, and Anomalies, among others. References = 1: Overview of the Splunk Common Information Model - Splunk Documentation - Data models included with the Splunk Common Information Model Add-on. 2: Data models in Splunk Enterprise Security - Splunk Documentation - Enterprise Security-specific data models.

 According to the Splunk Enterprise Security documentation, the best way to integrate a newly built custom dashboard to a team of security analysts in ES is to set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. This will ensure that the dashboard is visible and accessible to the users with the es_analyst role, which is the default role for security analysts in ES. The navigation editor allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. See Customize Splunk Enterprise Security dashboards to fit your use case and Customize the navigation bar for more details.

The other options are not recommended, because they either do not integrate the dashboard properly or they create unnecessary complexity. Adding links on the ES home page to the new dashboard is not a good option, because it does not integrate the dashboard into the menu bar and it may clutter the home page. Creating a new role inherited from es_analyst, making the dashboard permissions read-only, and making this dashboard the default view for the new role is not a good option, because it creates a redundant role and it may confuse the users who expect to see the Security Posture dashboard as the default view. Adding the dashboard to a custom add-in app and installing it to ES using the Content Manager is not a good option, because it requires creating and maintaining a separate app and it may cause conflicts or performance issues with ES. Therefore, the correct answer is C. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu. References =

• Customize the navigation bar
• Roles and capabilities in Splunk Enterprise Security
• Content Management
• Customize Splunk Enterprise Security dashboards to fit your use case

How to Create Custom Dashboards and Alerts to Achi ... - Splunk Community

 According to the Splunk Enterprise Security documentation, the default ports that must be configured for Splunk Enterprise Security to function are the following:

• SplunkWeb (8000): This port provides the socket for Splunk Web, the web interface for Splunk Enterprise Security. It allows you to access the dashboards, reports, alerts, and other features of Splunk Enterprise Security from your browser. You can change this port in the web.conf file or by using the splunk set web-port command.
• Splunk Management (8089): This port is used to communicate with the splunkd daemon, the main process that runs Splunk Enterprise Security. Splunk Web talks to splunkd on this port, as does the command line interface, and any distributed connections from other servers. This port also provides the REST API endpoint for Splunk Enterprise Security. You can change this port in the server.conf file or by using the splunk set splunkd-port command.
• KV Store (8191): This port is used by the KV Store, a MongoDB-based service that stores key-value pairs of data for Splunk Enterprise Security. The KV Store is used to store and manage data for various features of Splunk Enterprise Security, such as asset and identity correlation, threat intelligence, adaptive response, and investigations. You can change this port in the server.conf file.

Therefore, the correct answer is C. SplunkWeb (8000), Splunk Management (8089), KV Store (8191). References =

• Change default values
• KV Store overview

Data integrity control is a feature of Splunk Enterprise that helps you verify the integrity of data that it indexes. When you enable data integrity control for an index, Splunk Enterprise computes hashes on every slice of data using the SHA-256 algorithm. It then stores those hashes so that you can verify the integrity of your data later. This feature prevents data tampering and ensures that the data is trustworthy and reliable. Therefore, the correct answer is B. Data integrity control. References = Manage data integrity - Splunk Documentation.

According to the Splunk Enterprise Security documentation, threat gen searches are searches that generate synthetic events in the threat activity index to simulate security threats. Threat gen searches are useful for testing and validating the correlation searches, notable events, and adaptive response actions in Splunk Enterprise Security. Threat gen searches produce events in the threat activity index, which is a dedicated index for storing the synthetic events. The events in the threat activity index have the sourcetype of threatgen and the tag of threat. You can use the Threat Activity dashboard to view and analyze the events in the threat activity index. See Threat gen searches for more details.

The other options are not correct, because threat gen searches do not produce them. Threat gen searches do not produce threat intel in KV Store collections, which are key-value pairs of data that store and manage threat intelligence in Splunk Enterprise Security. Threat gen searches do not produce threat correlation searches, which are searches that correlate events with threat intelligence and generate notable events in Splunk Enterprise Security. Threat gen searches do not produce threat notables in the notable index, which are alerts or tasks that indicate potential security incidents or threats in Splunk Enterprise Security. Therefore, the correct answer is D. Events in the threat activity index. References = Threat gen searches.

Upping the Auditing Game for Correlation Searches Within ... - Splunk

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

• Add asset and identity data to Splunk Enterprise Security
• Asset and identity fields in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, the first step when preparing to install ES is to determine the size and scope of installation. This involves estimating the amount of data that you plan to ingest, the number of users that will access ES, the number of search heads and indexers that you need, and the hardware requirements for each component. This step helps you plan your deployment architecture and ensure optimal performance and scalability of ES. Therefore, the correct answer is D. Determine the size and scope of installation. References = Deployment planning.

 To add a new column to the Notable Event table in the Incident Review dashboard, you need to follow these steps:

• On the Splunk Enterprise Security menu bar, click Configure > Incident Management > Incident Review Settings.
• On the Incident Review Settings page, click the Table Attributes tab.
• On the Table Attributes tab, click Add New Attribute.
• Enter the name of the attribute that you want to add as a column, such as src or dest. The name must match the field name in the notable event data model.
• Enter a label for the attribute that will appear as the column header, such as Source or Destination.
• Enter a description for the attribute that will appear as a tooltip when you hover over the column header.
• Select the data type for the attribute, such as string or number.
• Select the visibility for the attribute, such as visible or hidden.
• Click Save to save the new attribute.
• Refresh the Incident Review dashboard to see the new column in the Notable Event table. References =
• Add custom columns to the Incident Review dashboard in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, the Distributed Configuration Management tool is used to update indexers in ES. This tool allows you to create and distribute a Splunk Enterprise Security app for indexers, which contains the necessary configurations for indexers to work with ES, such as index-time field extractions, tags, and event types. The app name is Splunk_ES_ForIndexers.spl and it is created by running the distributed_config_manager.py script on the search head. You can then deploy the app to the indexers using the deployment server or the cluster master. Therefore, the correct answer is B. Distributed Configuration Management. References = Distributed Configuration Management.

The summariesonly=true option is a macro that modifies a correlation search to search only accelerated data. Accelerated data is the summary data that is generated by the data model acceleration process. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. By using the summariesonly=true option, a correlation search can run faster and more efficiently, as it does not need to scan the raw events or the index time field extractions. However, the summariesonly=true option also requires that the data model acceleration is enabled and complete for the data model that the correlation search uses. Otherwise, the correlation search may not return any results or may miss some events that are not accelerated. References =

• Use the summariesonly macro in Splunk Enterprise Security
• Data model acceleration

After data is ingested, the data management step that is essential to ensure raw data can be accelerated by a data model and used by ES is normalization to the Splunk Common Information Model (CIM). The CIM is a standard and consistent way of naming and structuring the fields and tags for different types of data, such as network, web, email, authentication, and malware. The CIM allows you to use the same search queries and dashboards across different data sources, even if they have different formats or schemas. Normalizing data to the CIM involves mapping the raw data fields and tags to the CIM fields and tags using technology add-ons. Technology add-ons are Splunk apps that provide the necessary configurations and extractions for specific data sources. By normalizing data to the CIM, you can enable data model acceleration for the data models that use the CIM fields and tags. Data model acceleration is a feature that speeds up searches and reports that use data models by pre-computing and storing the results of the data model queries. Data model acceleration is required for most of the dashboards and correlation searches in Splunk Enterprise Security. References =

• Data models in the Splunk Common Information Model
• Data model acceleration

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros. For example, you can set the indexes allow list for the Authentication data model to index=main, index=security, index=auth to limit the search to only those three indexes12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.

 The Risk Analysis dashboard provides tools to analyze the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The dashboard shows the risk score by object, the most active sources of risk, the risk score by category, the risk score over time, and the risk modifiers by object. The dashboard also allows you to create ad hoc risk entries, view the risk details of an object, and export the risk data as a CSV file. The other options, A, B, and D, are not correct. The Risk Analysis dashboard does not provide tools to show high risk threats, notable event domains, or key indicators of correlation searches. These are features of other dashboards in Splunk Enterprise Security, such as the Threat Activity dashboard, the Domain Analysis dashboard, and the Correlation Search Audit dashboard. References =

• Analyze risk in Splunk Enterprise Security
• Risk Analysis dashboard

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

• Technology add-ons overview
• Splunk Common Information Model Add-on
• Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

After installing the add-ons necessary for normalizing data, you should configure the add-ons according to their README or documentation. The add-ons that are included in the Splunk Enterprise Security package are preconfigured and do not require additional steps. However, the add-ons that are downloaded separately from Splunkbase may require additional configuration steps, such as enabling inputs, setting up credentials, or modifying props and transforms. You should review the README or documentation for each add-on to determine the specific configuration requirements and follow the instructions accordingly. References =

• Deploy add-ons to Splunk Enterprise Security
• About installing Splunk add-ons

To navigate to the ES graphical Navigation Bar editor, you need to click the Configure menu in the ES app bar, then select General, and then select Navigation. The Navigation page allows you to customize the navigation bar of the ES app by adding, removing, or reordering the menu items. You can also edit the labels, icons, and links of the menu items. You can use the graphical editor to drag and drop the menu items, or you can edit the navigation XML directly. For more information, see Customize the navigation bar in Splunk Enterprise Security1. The other options, A, C, and D, are not correct. There is no Navigation Menu option under the Configure menu. The Settings menu does not allow you to edit the navigation bar of the ES app. The Settings menu only allows you to edit the navigation menus of the Splunk platform, such as the app launcher and the user menu. References =

• Customize the navigation bar in Splunk Enterprise Security

Design navigation graphs | Android Developers1

Design navigation graphs | Android Developers

The Add-On Builder is available from SplunkBase, which is the official source of apps and add-ons for the Splunk platform. SplunkBase allows you to browse, download, and install apps and add-ons that are compatible with your Splunk deployment. You can also upload and share your own apps and add-ons with the Splunk community. The Add-On Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk Enterprise deployment. Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. The Add-On Builder guides you through the process of creating an add-on, following best practices and naming conventions, maintaining CIM compliance, and testing and validating the add-on1. The Add-On Builder is not available from GitHub, www.splunk.com, or the ES installation package. References =

• Splunk Add-on Builder | Splunkbase

Splunk Add-on Builder | Splunkbase

 If a username does not match the ‘identity’ column in the identities list, Splunk Enterprise Security checks the ‘email’ column next. The ‘email’ column contains the email address associated with the identity. If the email address matches the username, Splunk Enterprise Security assigns the identity to the user. If the email address does not match, Splunk Enterprise Security checks the ‘nickname’ column next, followed by the ‘ip’ column, and finally the ‘last_name’ and ‘first_name’ columns. The order of the columns is determined by the identity_match setting in the identity_manager.conf file. References =

• Identity correlation
• identity_manager.conf

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

• On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
• Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.
• Click Edit and go to the Notable tab.
• Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.
• Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.
• Click Save to save the changes to the correlation search.
• The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =
• Set up Adaptive Response actions in Splunk Enterprise Security
• Included adaptive response actions with Splunk Enterprise Security

According to the Splunk Lantern article on Managing data models in Enterprise Security, accelerated data requires approximately 3.4 times the daily data volume of additional storage space per year1. This means that if the daily input volume is 100 GB, the accelerated data model storage per year would be 100 GB x 3.4 = 340 GB. This estimate may vary depending on the data model configuration, the data retention policy, and the indexer cluster replication factor. References =

• Managing data models in Enterprise Security

According to the Splunk Enterprise Security documentation, an asset is a physical or logical device that is part of your network infrastructure, such as a server, a workstation, a router, or a firewall. An asset can have various attributes, such as IP address, MAC address, DNS name, NT host name, priority, business unit, owner, and others. Splunk Enterprise Security uses asset data to enrich and correlate security events and provide context for analysis. You can manage asset data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details.

The other options are not examples of ES assets, but they may be related to other types of data. A MAC address is an attribute of an asset, not an asset itself. A user name is an example of an identity, which is a person or group that is associated with an asset or an event. Splunk Enterprise Security uses identity data to enrich and correlate security events and provide context for analysis. You can manage identity data using the Asset and Identity Management page in Splunk Enterprise Security. See Manage assets and identities in Splunk Enterprise Security for more details. People is a data model in the Splunk Common Information Model (CIM), which provides a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. The People data model contains the fields and tags for events that are related to people, such as user names, email addresses, phone numbers, and others. See People for more details. Therefore, the correct answer is C. Server. References =

• Manage assets and identities in Splunk Enterprise Security
• People

The Security Posture dashboard displays a high-level overview of notable events across all domains of your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and provides real-time event information and updates. The dashboard consists of several panels that show key indicators, notable events by urgency, notable events over time, top notable events, and top notable event sources1. References =

• Security Posture dashboard - Splunk Documentation

The ES application should be uploaded to the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these components can run the ES application. References =

• [Install Splunk Enterprise Security]
• [Splunk Enterprise architecture]

The tstatsHomePath setting in indexes.conf allows you to specify an alternate location for accelerated storage. Accelerated storage is where Splunk Enterprise stores the summary data for data models that are accelerated. The summary data is used to speed up searches and reports that use the data models. By default, the accelerated storage is located in the same volume as the index that contains the events referenced by the data model. However, you can use the tstatsHomePath setting to change the location of the accelerated storage to a different volume or path. This can help you optimize the performance and disk space usage of your Splunk Enterprise deployment. References =

• Use the tstatsHomePath setting in indexes.conf if you need to specify alternate locations for your accelerated storage
• tstatsHomePath setting in indexes.conf.spec

Detailed information about identities, such as user names, email addresses, phone numbers, and roles, is stored in the Identity Lookup CSV file in Splunk Enterprise Security. The Identity Lookup CSV file is a lookup file that contains the identity data that is collected and extracted from various data sources, such as Active Directory, LDAP, or custom identity lists. The Identity Lookup CSV file is used to enrich events with identity information and generate notable events based on identity correlation searches. You can view and manage the Identity Lookup CSV file using the Asset and Identity Management page in Splunk Enterprise Security. References =

• Manage assets and identities in Splunk Enterprise Security
• Identity Lookup CSV file