Splunk Enterprise Security Certified Admin Sample Questions

Question 1 – What is the start of the Splunk Apps created with Add-On Builder?
  • A. DA-
  • B. SA-
  • C. TA-
  • D. App-

Correct Answer: C

Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/

Question 2 – What types of events can be found on the dashboards for the endpoint security domain?
  • A. REST API invocations.
  • B. Investigation final results status.
  • C. Workstations, notebooks, and point-of-sale systems.
  • D. Lifecycle auditing of incidents, from assignment to resolution.

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/EndpointProtectionDomaindashboards

Question 3 – When creating custom correlation searches, how do field values appear in a notable event’s title, description, and drill-down fields?
  • A. $fieldname$
  • B. ‘fieldname’
  • C. %fieldname%
  • D. _fieldname_

Correct Answer: A

Reference: https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/Createcorrelationsearch

Question 4 – How is threat intelligence data downloaded from a web server in Enterprise Security?
  • A. Threat Service Manager
  • B. Threat Download Manager
  • C. Threat Intelligence Parser
  • D. Threat Intelligence Enforcement

Correct Answer: B

Question 5 – Data for the most recent hour in the Remote Access panel is not populating in the User Activity dashboard.
What data model needs to be checked for errors such as skipped searches?
  • A. Web
  • B. Risk
  • C. Performance
  • D. Authentication

Correct Answer: D

Reference: https://answers.splunk.com/answers/565482/how-to-resolve-skipped-scheduled-searches.html

Question 6 – Once the correct fields are extracted, what is the next step to including an eventtype in a model node?
  • A. Saving the settings.
  • B. Applying the correct tags.
  • C. Running the correct search.
  • D. Visiting the CIM dashboard.

Correct Answer: B

Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizeOSSECdata

Question 7 – In the incident review dashboard, what role should be assigned to the member of the security team who will take charge of notable events?
  • A. ess_user
  • B. ess_admin
  • C. ess_analyst
  • D. ess_reviewer

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Triagenotableevents

Question 8 – By combining event severity with asset or identity lists, what column determines a notable event’s urgency?
  • A. VIP
  • B. Priority
  • C. Importance
  • D. Criticality

Correct Answer: B

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned

Question 9 – How is the risk framework applied to objects (users, servers, or other types) to indicate a higher level of risk?
  • A. An urgency.
  • B. A risk profile.
  • C. An aggregation.
  • D. A numeric score.

Correct Answer: D

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskScoring

Question 10 – How are CIM data models indexed by default?
  • A. notable and default
  • B. summary and notable
  • C. _internal and summary
  • D. All indexes

Correct Answer: D

Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-data-models.html

Question 11 – What is the setting in indexes.conf that specifies alternate locations for accelerated storage?
  • A. thawedPath
  • B. tstatsHomePath
  • C. summaryHomePath
  • D. warmToColdScript

Correct Answer: B

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels
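The following indexes.conf fragment is an added illustration of the setting in Question 11; it is not from this page or from Splunk documentation. The volume name, paths and index name are assumptions chosen for the example.

```ini
# Added example (not from the page): indexes.conf on an indexer, moving the
# data model acceleration summaries for one index onto a separate volume.
# Volume name, paths and index name are illustrative assumptions.
[volume:dm_summaries]
path = /opt/splunk_summaries
maxVolumeDataSizeMB = 500000

[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
# tstatsHomePath holds the accelerated data model (tsidx summary) data for
# this index. It is expressed in terms of a volume, and replaces the default
# location under volume:_splunk_summaries.
tstatsHomePath = volume:dm_summaries/wineventlog/datamodel_summary
```

The directory behind the volume has to exist and be writable by the splunkd user on every indexer, and in an indexer cluster the stanza belongs in the configuration bundle pushed from the cluster manager so all peers store summaries consistently; summaries that land on only some peers show up as incomplete acceleration rather than as an error.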

Question 12 – What type of test can be used to assess the normalization of a property data model?
  • A. Using Audit -> Normalization Audit and checking the Errors panel.
  • B. Running a data model search, comparing results to the CIM documentation for the datamodel.
  • C. Running a loadjob search, looking at tag values and comparing them to known tags based on the encoding.
  • D. Running a datamodel search and comparing the results to the list of data models in the ES normalization guide.

Correct Answer: B

Reference: https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

Question 13 – How can I restrict the search to only summarized data using the tstats command?
  • A. summaries=t
  • B. summaries=all
  • C. summariesonly=t
  • D. summariesonly=all

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

Question 14 – How should a newly-found IOC be stored after the investigation?
  • A. Pasting it into Notepad.
  • B. Clicking the Add IOC button.
  • C. Clicking the Add Artifact button.
  • D. Adding it in a text note to the investigation.

Correct Answer: B

Question 15 – Where can I find the list of the correlation searches that are currently enabled with ES?
  • A. Configure -> Correlation Searches -> Select Status ‘Enabled’
  • B. Settings -> Searches, Reports, and Alerts -> Filter by Name of ‘Correlation’
  • C. Configure -> Content Management -> Select Type ‘Correlation’ and Status ‘Enabled’
  • D. Settings -> Searches, Reports, and Alerts -> Select App of ‘SplunkEnterpriseSecuritySuite’ and filter by ‘Rule’

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Listcorrelationsearches

Question 16 – Which of the following is a potential risk associated with using Distributed Configuration Management’s Auto Deployment feature?
  • A. Indexers might crash.
  • B. Indexers might be processing.
  • C. Indexers might not be reachable.
  • D. Indexers have different settings.

Correct Answer: A

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf

Question 17 – Which of the following data models are used by ES? (Choose all that apply.)
  • A. Web
  • B. Anomalies
  • C. Authentication
  • D. Network Traffic

Correct Answer: A, C, D

Reference: https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/datamodelsusedbyes/

Question 18 – What is the most suitable point in the ES installation process when the Splunk_TA_ForIndexers.spl must be deployed to the indexers?
  • A. While adding apps to the deployment server.
  • B. Splunk_TA_ForIndexers.spl is installed first.
  • C. After you’ve installed ES on the search head(s) and then run the distributed configuration management tool.
  • D. Splunk_TA_ForIndexers.spl is only installed on the indexer cluster sites by using the cluster master and the splunk apply cluster-bundle command.

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Install/InstallTechnologyAdd-ons

Question 19 – Which correlation search feature can be used to throttle the creation of notable events?
  • A. Schedule priority.
  • B. Window interval.
  • C. Window duration.
  • D. Schedule window.

Correct Answer: C

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches
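The savedsearches.conf stanza below is an added example, written for this page rather than taken from it or from Splunk, that ties together the field-token syntax of Question 3, the summariesonly=t restriction of Question 13 and the throttling window of Question 19 in one correlation search. The stanza name, the failed-login threshold and the drill-down search are assumptions for illustration.

```ini
# Added example (not from the page): savedsearches.conf stanza for a
# hypothetical ES correlation search. Stanza name, threshold and drill-down
# are illustrative assumptions.
[Access - Excessive Failed Logins by Source - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Excessive Failed Logins by Source
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
# summariesonly=t reads only the accelerated summaries of the data model.
# If acceleration is disabled or lagging, the search returns nothing instead
# of falling back to raw events, so a silent search is not proof of no
# failures: check the data model's acceleration status first.
search = | tstats summariesonly=t count from datamodel=Authentication where Authentication.action="failure" by Authentication.src | rename Authentication.src as src | where count > 20
# Notable event fields. $src$ and $count$ are replaced with the values from
# each result row when the notable is created.
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$
action.notable.param.rule_description = $count$ failed logins from $src$ in the last hour
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.drilldown_name = View failed logins from $src$
action.notable.param.drilldown_search = | from datamodel:"Authentication"."Failed_Authentication" | search src="$src$"
# Throttling. "Window duration" in the correlation search editor is
# alert.suppress.period and "Fields to group by" is alert.suppress.fields:
# at most one notable per src every 24 hours, however many runs match.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 86400s
```

Without alert.suppress.fields the window applies to the search as a whole, so a second source that starts failing logins during the 24 hours would be suppressed along with the first; grouping by the field the analyst triages on keeps throttling from hiding a new offender.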

Question 20 – Both Recommended Actions and Adaptive Response Actions make use of adaptive response, but how do they differ?
  • A. Recommended Actions shows a textual description to an analyst, while Adaptive Response Actions encodes them.
  • B. Recommended Actions shows a list of Adaptive Responses to an analyst, while Adaptive Response Actions runs them automatically.
  • C. Recommended Actions shows a list of Adaptive Responses that have already been run, while Adaptive Response Actions runs them automatically.
  • D. Recommended Actions shows a list of Adaptive Responses to an analyst, while Adaptive Response Actions runs manually with analyst intervention.

Correct Answer: B

Reference: https://docs.splunk.com/Documentation/ES/latest/Admin/Configureadaptiveresponse
