究極のガイド準備SPLK-3001認証試験Splunk Enterprise Security Certified Adminは2022年更新 [Q44-Q68]

Share

究極のガイド準備SPLK-3001認証試験Splunk Enterprise Security Certified Adminは2022年更新

リアルSPLK-3001問題集でSplunk正確なアンサーは最新問題は2022年更新


Splunk SPLK-3001 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Notable Events Management
  • Investigations, Security Intelligence
  • Overview of Security Intel Tools
  • Forensics, Glass Tables, and Navigation Control
トピック 2
  • Overview of ES Features and Concepts
  • Monitoring and Investigation
  • Security Posture
  • Incident Review
トピック 3
  • Examine the Deployment Checklist
  • Understand Indexing Strategy for ES
  • Understand ES Data Models
  • Installation and Configuration
トピック 4
  • Use the Add-on Builder to Build a New add-on
  • Tuning Correlation Searches
  • Configure Correlation Search Scheduling and Sensitivity
トピック 5
  • Prepare a Splunk Environment for Installation
  • Download and Install ES on a Search Head
  • Understand ES Splunk User Accounts and Roles
トピック 6
  • Threat Intelligence Framework
  • Understand and Configure Threat Intelligence
  • Configure User Activity Analysis
トピック 7
  • Explore Forensics Dashboards
  • Examine Glass Tables
  • Configure Navigation and Dashboard Permissions
  • Identify Deployment Topologies
トピック 8
  • Post-Install Configuration Tasks
  • Validating ES Data
  • Plan ES Inputs
  • Configure Technology add-ons
  • Design a New add-on for Custom Data
トピック 9
  • Tune ES Correlation Searches
  • Creating Correlation Searches
  • Create a Custom Correlation Search
  • Configuring Adaptive Responses
  • Search Export
  • Import

 

質問 44
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

  • A. 500 MB
  • B. 300 GB
  • C. 50 GB
  • D. 100 GB

正解: D

解説:
Reference:
https://docs.splunk.com/Documentation/ITSI/4.4.2/Install/Plan

 

質問 45
Which of the following are examples of sources for events in the endpoint security domain dashboards?

  • A. Investigation final results status.
  • B. REST API invocations.
  • C. Workstations, notebooks, and point-of-sale systems.
  • D. Lifecycle auditing of incidents, from assignment to resolution.

正解: D

 

質問 46
Following the Installation of ES, an admin configured Leers with the ss_uso r role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to closed?

  • A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.
  • B. From the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.
  • C. In Enterprise Security, give the ess_user role the own Notable Events permission.
  • D. From Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.

正解: B

 

質問 47
What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

  • A. Configure -> Content Management -> Type: Correlation Search
  • B. Configure -> Incident Management -> Notable Event Statuses
  • C. Configure -> Incident Management -> Incident Review Settings -> Event Management
  • D. Configure -> Incident Management -> Incident Review Settings -> Table Attributes

正解: D

 

質問 48
Which of the following is a way to test for a property normalized data model?

  • A. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
  • B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
  • C. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.
  • D. Use Audit -> Normalization Audit and check the Errors panel.

正解: B

解説:
Reference:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

 

質問 49
What does the risk framework add to an object (user, server or other type) to indicate increased risk?

  • A. A numeric score.
  • B. A risk profile.
  • C. An aggregation.
  • D. An urgency.

正解: A

 

質問 50
A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

  • A. If indexed realtime search is enabled, disable it for the notable index.
  • B. Increase memory and CPUs on the search head(s) and add additional indexers.
  • C. Change the search heads to do local indexing of summary searches.
  • D. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.

正解: B

 

質問 51
What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

  • A. 500 MB
  • B. 300 GB
  • C. 50 GB
  • D. 100 GB

正解: D

 

質問 52
Which of the following is a key feature of a glass table?

  • A. Customization.
  • B. Rigidity.
  • C. Strong data for later retrieval.
  • D. Interactive investigations.

正解: A

 

質問 53
ES needs to be installed on a search head with which of the following options?

  • A. Only default built-in and CIM-compliant apps.
  • B. All apps removed except for TA-*.
  • C. Any other apps installed.
  • D. No other apps.

正解: D

解説:
Explanation/Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallEnterpriseSecurity

 

質問 54
Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

  • A. VIP
  • B. Criticality
  • C. Importance
  • D. Priority

正解: D

解説:
Explanation/Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

 

質問 55
Both "Recommended Actions" and "Adaptive Response Actions" use adaptive response. How do they differ?

  • A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
  • B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
  • C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
  • D. Recommended Actions show a list of Adaptive Resposes to an analyst, Adaptive Response Actions run manually with analyst intervention.

正解: D

解説:
Reference:
https://docs.splunk.com/Documentation/ES/latest/Admin/Configureadaptiveresponse

 

質問 56
How should an administrator add a new lookup through the ES app?

  • A. Upload the lookup file in Settings -> Lookups -> Lookup table files
  • B. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
  • C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
  • D. Upload the lookup file in Settings -> Lookups -> Lookup Definitions

正解: B

解説:
Reference:
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Createlookups

 

質問 57
Which component normalizes events?

  • A. Technology add-on.
  • B. ES application.
  • C. SA-CIM.
  • D. SA-Notable.

正解: C

解説:
Explanation/Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

 

質問 58
The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

  • A. Edit the search and modify the notable event status field to make the notable events less urgent.
  • B. Modify the urgency table for this correlation search and add a new severity level to make notable events from this search less urgent.
  • C. Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a more common match.
  • D. Edit the search, look for where or xswhere statements, and after the threshold value being compared to make it less common match.

正解: D

解説:
Explanation/Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

 

質問 59
The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

  • A. Authentication
  • B. Web
  • C. Performance
  • D. Risk

正解: B

 

質問 60
Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

  • A. SplunkWeb (8000), Splunk Management (8089), KV Store (8191)
  • B. SplunkWeb (8068), Splunk Management (8089), KV Store (8000)
  • C. SplunkWeb (8390), Splunk Management (8323), KV Store (8672)
  • D. SplunkWeb (8043), Splunk Management (8088), KV Store (8191)

正解: A

 

質問 61
What kind of value is in the red box in this picture?

  • A. An IP address rating.
  • B. A risk score.
  • C. An event priority.
  • D. A source ranking.

正解: B

 

質問 62
A newly built custom dashboard needs to be available to a team of security analysts in ES.
How is it possible to integrate the new dashboard?

  • A. Add links on the ES home page to the new dashboard.
  • B. Set the dashboard permissions to allow access by es_analysts and use the navigation editor to add it to the menu.
  • C. Add the dashboard to a custom add-in app and install it to ES using the Content Manager.
  • D. Create a new role inherited from es_analyst, make the dashboard permissions read-only, and make this dashboard the default view for the new role.

正解: D

 

質問 63
Which of the following is an adaptive action that is configured by default for ES?

  • A. Create new correlation search
  • B. Create notable event
  • C. Create investigation
  • D. Create new asset

正解: A

 

質問 64
How is it possible to specify an alternate location for accelerated storage?

  • A. Use the tstatsHomePath setting in props, conf
  • B. Update the Home Path setting in indexes, conf
  • C. Configure storage optimization settings for the index.
  • D. Use the tstatsHomePath Setting in indexes, conf

正解: A

 

質問 65
An administrator is asked to configure an "Nslookup" adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

  • A. Configure -> Content Management -> Type: Correlation Search -> Notable -> Recommended Actions
    -> Nslookup
  • B. Configure -> Content Management -> Type: Correlation Search -> Notable -> Next Steps -> Nslookup
  • C. Configure -> Type: Correlation Search -> Notable -> Recommended Actions -> Nslookup
  • D. Configure -> Content Management -> Type: Correlation Search -> Notable -> Nslookup

正解: A

 

質問 66
What feature of Enterprise Security downloads threat intelligence data from a web server?

  • A. Threat Service Manager
  • B. Therat Intelligence Enforcement
  • C. Threat Intelligence Parser
  • D. Threat Download Manager

正解: D

解説:
Explanation
"The Threat Intelligence Framework provides a modular input (Threat Intelligence Downloads) that handles the majority of configurations typically needed for downloading intelligence files & data. To access this modular input, you simply need to create a stanza in your Inputs.conf file called "threatlist"."

 

質問 67
ES needs to be installed on a search head with which of the following options?

  • A. Only default built-in and CIM-compliant apps.
  • B. All apps removed except for TA-*.
  • C. Any other apps installed.
  • D. No other apps.

正解: D

 

質問 68
......

Splunk Enterprise Security Certified Admin SPLK-3001試験練習問題集:https://www.goshiken.com/Splunk/SPLK-3001-mondaishu.html

SPLK-3001プレミアム資料テストPDFで無料問題集お試しセット:https://drive.google.com/open?id=1zGO2_GqqrxR2xW98bESCYhBy2Zfkn0mA