Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?
A. VIP
B. Priority
C. Importance
D. Criticality
If a username does not match the 'identity' column in the identities list, which column is checked next?
A. Email.
B. Nickname
C. IP address.
D. Combination of Last Name, First Name.
Which columns in the Assets lookup are used to identify an asset in an event?
A. src, dvc, dest
B. cidr, port, netbios, saml
C. ip, mac, dns, nt_host
D. host, hostname, url, address
Which setting indicates that the correlation search will be executed as new events are indexed?
A. Always-On
B. Real-Time
C. Scheduled
D. Continuous
How is notable event urgency calculated?
A. Asset priority and threat weight.
B. Alert severity found by the correlation search.
C. Asset or identity risk and severity found by the correlation search.
D. Severity set by the correlation search and priority assigned to the associated asset or identity.
Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?
A. Security domains.
B. Threat intel.
C. Assets.
D. Domains.
How should an administrator add a new lookup through the ES app?
A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
B. Upload the lookup file in Settings -> Lookups -> Lookup table files
C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Which component normalizes events?
A. SA-CIM.
B. SA-Notable.
C. ES application.
D. Technology add-on.
The option to create a Short ID for a notable event is located where?
A. The Additional Fields.
B. The Event Details.
C. The Contributing Events.
D. The Description.
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?
A. Use new app names each time content is exported.
B. Do not use the .spl extension when naming an export.
C. Always include existing and new content for each export.
D. Either use new app names or always include both existing and new content.