This practice exam provides deep exposure to the administrative responsibilities within Splunk Enterprise Security (ES). It assesses understanding of ES architecture, data model acceleration, correlation searches, notable events tuning, threat intelligence integration, risk-based alerting (RBA), MITRE ATT&CK mapping, and ongoing content management for SOC environments. Learners are tested on managing ES dashboards, configuring security domains, implementing adaptive response actions, and maintaining health and performance of ES deployments across large-scale security infrastructures.
Typology: Exams
Question 1. Which component of Splunk Enterprise Security (ES) provides a high-level view of the organization's overall security health?
A) Incident Review dashboard
B) Security Posture dashboard
C) Asset Investigator dashboard
D) Threat Intelligence dashboard
Answer: B
Explanation: The Security Posture dashboard aggregates key indicators and notable-event trends across the security domains and presents an overall picture of the environment's health.

Question 2. In ES, a "notable event" is primarily used to:
A) Store raw log data for later analysis
B) Trigger automated ticket creation in ITSM tools
C) Highlight a security condition that requires investigation
D) Archive compliance reports
Answer: C
Explanation: Notable events are generated by correlation searches to flag conditions that merit analyst attention.

Question 3. Which of the following is NOT a default security domain displayed on the Security Posture dashboard?
A) Access
B) Endpoint
C) Cloud Cost
D) Vulnerability
Answer: C
Explanation: Cloud Cost is not an ES security domain. ES organizes its content into domains such as Access, Endpoint, Network, Identity, Audit and Threat; vulnerability data is handled under the Network domain.

Question 4. When customizing the Incident Review dashboard, the "Assign To" field is used to:
A) Change the severity of the event
B) Transfer ownership of the notable event to a specific analyst
C) Add a comment to the event timeline
D) Delete the notable event from the system
Answer: B
Explanation: "Assign To" designates which analyst is responsible for investigating the notable event.

Question 5. Which action can be configured on a notable event to automatically block a malicious IP address?
A) Add Comment
B) Adaptive Response - Block IP
C) Change Status to Closed
D) Create New Investigation
Answer: B
Explanation: Adaptive Response actions allow automated remediation, such as blocking an IP, to run when the notable event fires or when an analyst triggers the action from Incident Review.

Question 6. The Investigation Workbench in ES is best described as:
A) A place to write SPL queries for correlation searches
B) A collaborative space where analysts aggregate artifacts, events, and external links for a case
C) The settings page for user roles and permissions
B) Real-time, interactive visualizations of security data with drill-down capability
C) Bulk import of raw log files
D) Scheduling of data model acceleration
Answer: B
Explanation: Glass Tables provide interactive, visual representations of security data that can be explored via drill-downs.

Question 10. To restrict access to the "Threat Intelligence" dashboard to senior analysts only, you would:
A) Modify the dashboard's XML to hide fields
B) Edit the dashboard's permissions so that only a role assigned to senior analysts has read access
C) Delete the dashboard for all other users
D) Change the dashboard's owner to the senior analyst group
Answer: B
Explanation: Dashboard visibility is controlled by role-based read/write permissions on the view (the dashboard's Edit > Permissions, or Settings > User interface > Views). Granting read access only to the senior-analyst role limits who can open it; there is no per-dashboard capability to assign.

Question 11. In a clustered search-head deployment of ES, which component ensures that configuration changes are propagated to all members?
A) Search head cluster captain (together with the deployer, which pushes app bundles)
B) Indexer Cluster Master (CM)
C) Deployment Server
D) Forwarder Manager
Answer: A
Explanation: In a search head cluster the deployer pushes app configuration bundles (including the ES app) to every member, and the captain replicates knowledge objects created at runtime across the members. The indexer cluster master and the deployment server do not manage search head cluster configuration.
Question 12. What is the primary purpose of the Splunk Common Information Model (CIM) in ES?
A) To encrypt data at rest
B) To provide a unified field naming convention for security data across data sources
C) To schedule daily backups of the index
D) To generate PDF compliance reports
Answer: B
Explanation: CIM normalizes disparate data into common field names, enabling ES correlation searches and data models to work across multiple data sources.

Question 13. If a newly onboarded firewall log is not generating notable events, the most likely cause is:
A) The firewall is not sending logs to the indexer
B) The firewall data does not map to the CIM Network_Traffic fields required by the correlation searches
C) The ES license has expired
D) The search head is offline
Answer: B
Explanation: Without proper CIM mapping (e.g., src, dest, dest_port, action and the Network_Traffic tags), correlation searches built on the Network_Traffic data model never see the firewall events, so nothing fires even though the data is indexed.

Question 14. Which Splunk app is typically installed before adding Splunk ES to provide data normalization for Windows Event Logs?
A) Splunk App for Windows Infrastructure
B) Splunk Add-on for Windows Event Logs
C) Splunk App for Stream
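The point behind Questions 12 and 13 is easier to see end-to-end than in prose, so here is an added example (not part of the exam page, and not Splunk code) in plain Python: two constructed firewall line formats are mapped onto CIM Network_Traffic field names, and a correlation-style predicate ("the same destination was blocked on port 445 from at least two distinct sources") is evaluated once over the raw key/value extraction and once over the normalized events. The vendor field names, sample lines and the `to_cim` mapping are assumptions made for illustration.

```python
"""Added example, not from the exam page: why a correlation search sees nothing
until a source is CIM-normalized.  All sample lines and vendor field names are
constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample events: a key=value vendor format and a CSV "TRAFFIC" format.
RAW_EVENTS = [
    'vendor=acme act=deny srcip=10.1.1.5 dstip=203.0.113.9 dport=445 proto=tcp',
    'vendor=acme act=deny srcip=10.1.1.6 dstip=203.0.113.9 dport=445 proto=tcp',
    'vendor=acme act=allow srcip=10.1.1.7 dstip=203.0.113.9 dport=443 proto=tcp',
    'TRAFFIC,drop,10.1.1.8,203.0.113.9,445,tcp',
    'TRAFFIC,allow,10.1.1.9,198.51.100.2,22,tcp',
]

# CIM Network_Traffic expects action values of allowed/blocked/teardown,
# so vendor verbs are folded onto those values here (assumed mapping).
ACTION_MAP = {'deny': 'blocked', 'drop': 'blocked', 'allow': 'allowed', 'permit': 'allowed'}


def parse_kv(line):
    """Roughly what Splunk's automatic key=value extraction yields: vendor field names."""
    return dict(re.findall(r'(\w+)=(\S+)', line))


def to_cim(line):
    """Map one raw line to CIM Network_Traffic names (src, dest, dest_port, action,
    transport).  This is the job props/transforms (or a Splunk add-on) do in Splunk;
    the field mapping below is an assumption for the constructed formats."""
    if line.startswith('TRAFFIC,'):
        fields = line.split(',')
        if len(fields) != 6:
            return None  # malformed line: do not produce a half-mapped event
        _, act, src, dst, dport, proto = fields
        return {'src': src, 'dest': dst, 'dest_port': int(dport),
                'action': ACTION_MAP.get(act.lower(), 'unknown'), 'transport': proto}
    kv = parse_kv(line)
    if 'srcip' not in kv or 'dstip' not in kv:
        return None
    return {'src': kv['srcip'], 'dest': kv['dstip'], 'dest_port': int(kv.get('dport', 0)),
            'action': ACTION_MAP.get(kv.get('act', '').lower(), 'unknown'),
            'transport': kv.get('proto', 'unknown')}


def blocked_smb_sources(events, min_sources=2):
    """Correlation-style logic, the equivalent of
    `action=blocked dest_port=445 | stats dc(src) AS sources BY dest | where sources>=N`.
    Returns {dest: distinct_source_count} for destinations meeting the threshold."""
    by_dest = defaultdict(set)
    for e in events:
        if e.get('action') == 'blocked' and e.get('dest_port') == 445:
            by_dest[e['dest']].add(e['src'])
    return {d: len(s) for d, s in by_dest.items() if len(s) >= min_sources}


def run():
    """Evaluate the same predicate over un-normalized and CIM-normalized events."""
    raw = [parse_kv(line) for line in RAW_EVENTS]        # no CIM mapping applied
    cim = [e for e in (to_cim(line) for line in RAW_EVENTS) if e is not None]
    return blocked_smb_sources(raw), blocked_smb_sources(cim)


if __name__ == '__main__':
    raw_hits, cim_hits = run()
    print('without CIM mapping:', raw_hits)   # nothing matches: fields are named act/dstip
    print('with CIM mapping   :', cim_hits)   # 203.0.113.9 blocked from 3 distinct sources
```

The raw events contain the right information, but the predicate looks for `action` and `dest_port`, which only exist after normalization; that is exactly the failure mode in Question 13, and it is why checking `| datamodel Network_Traffic search` (or tag coverage) is the first step when a new source produces no notables.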
Question 17. Which of the following best describes the "Risk Score" field in the Security Posture dashboard?
A) A numeric value calculated from the number of open incidents only
B) A weighted aggregation of security domain scores reflecting overall risk exposure
C) The total number of assets in the environment
D) The count of failed login attempts in the last 24 hours
Answer: B
Explanation: The Risk Score aggregates weighted scores from each security domain to present an overall risk posture.

Question 18. The "Identity Framework" in ES is used to:
A) Store password hashes for privileged accounts
B) Correlate user identifiers across multiple data sources, enabling user-centric investigations
C) Encrypt SAML tokens for single sign-on
D) Manage API keys for external threat feeds
Answer: B
Explanation: The Identity Framework normalizes usernames, user IDs, and related attributes to allow cross-source user analysis.

Question 19. Which of the following is NOT a recommended practice when designing an ES indexing strategy?
A) Use separate indexes for each data source type (e.g., firewall, endpoint)
B) Enable index-time field extraction for all fields to reduce search time
C) Apply data model acceleration on high-volume CIM models
D) Retain raw logs for the minimum compliance period required
Answer: B
Explanation: Field extraction is normally performed at search time (via props.conf and transforms.conf) rather than at index time; index-time extraction of every field inflates index size and slows ingestion, and the extractions cannot be changed without re-indexing.

Question 20. In Splunk ES, the "Threat Intelligence" dashboard relies on which lookup type to enrich events with known malicious indicators?
A) CSV lookup stored on the indexer
B) KV Store lookup named threat_intel_lookup
C) External REST API lookup only
D) Inline lookup defined in the dashboard XML
Answer: B
Explanation: ES stores threat indicators in KV Store collections so they can be referenced quickly and updated without a restart.

Question 21. Which role in Splunk ES has the permission to create and edit correlation searches?
A) ess_user
B) ess_admin
C) power_user
D) all_roles
Answer: B
Explanation: The ess_admin role includes the capability required to manage correlation searches; ess_analyst and ess_user cannot create them.

Question 22. When adding a new data source that sends logs in JSON format, which Splunk configuration file should you edit to define the source type and field extractions?
A) indexes.conf
B) transforms.conf
Question 25. Which of the following is a primary reason to enable data model acceleration for the "Authentication" data model in ES?
A) To reduce the size of the raw index on disk
B) To speed up searches that reference authentication events in correlation searches and dashboards
C) To automatically delete old authentication events after 30 days
D) To encrypt authentication logs at rest
Answer: B
Explanation: Data model acceleration builds summary data on the indexers that speeds up tstats-based searches on the Authentication model, improving correlation search and dashboard responsiveness.

Question 26. In the Incident Review dashboard, the "Status" field can be set to all of the following EXCEPT:
A) New
B) In Progress
C) Closed
D) Archived
Answer: D
Explanation: The default notable event statuses are Unassigned, New, In Progress, Pending, Resolved and Closed; "Archived" is not a default status (custom statuses can be added under Incident Review settings).

Question 27. Which Splunk ES feature allows analysts to view a timeline of events related to a specific IP address across multiple data sources?
A) Asset Investigator
B) Identity Investigator
C) IP Address Dashboard (part of the Network Investigation view)
D) Threat Intelligence Dashboard
Answer: A
Explanation: Asset Investigator accepts an IP address or host name and shows swim lanes of related events (authentication, malware, network traffic, notables and so on) from multiple data sources on a single timeline. Identity Investigator does the same for a user; there is no separate "IP Address Dashboard".

Question 28. When configuring a new threat intelligence feed, which of the following is required for the feed to be usable in ES?
A) The feed must be in XML format
B) The feed must be mapped to the "threat_intel" CIM data model
C) The feed must be ingested into the "threat_intel" index and have the correct sourcetype for parsing
D) The feed must be stored in a local CSV file on the search head
Answer: C
Explanation: ES expects threat intel to be indexed (commonly in the "threat_intel" index) with a defined sourcetype so it can be parsed and loaded into the threat intelligence KV Store collections.

Question 29. Which of the following statements about the "Security Posture" risk score calculation is TRUE?
A) It only considers the number of open notable events
B) It uses weighted contributions from each security domain based on predefined thresholds
C) It is calculated manually by the analyst each day
D) It resets to zero after each incident is closed
Answer: B
Explanation: The risk score aggregates weighted scores from each domain, reflecting the current security posture.
Answer: C
Explanation: Forwarders (universal or heavy) send raw data to indexers for indexing.

Question 33. Which of the following is NOT a valid reason to use a KV Store collection for ES lookups?
A) To enable fast, indexed lookups on large datasets
B) To support concurrent updates from multiple users
C) To store binary log files for long-term retention
D) To allow dynamic updates without restarting Splunk
Answer: C
Explanation: KV Store is for structured lookup data, not for storing raw binary logs.

Question 34. When a correlation search generates a notable event, which field determines the "owner" of that event by default?
A) owner
B) assigned_to
C) user
D) analyst
Answer: A
Explanation: The "owner" field is populated from the correlation search's default owner setting (normally unassigned) when the notable is created, and is updated when an analyst assigns the event in Incident Review.

Question 35. Which Splunk ES dashboard helps visualize the health of critical services such as DNS, DHCP, and AD?
A) Service Overview Glass Table
B) Endpoint Investigator
C) Identity Investigator
D) Asset Investigator
Answer: A
Explanation: Service Overview Glass Tables are designed to visualize the status of critical infrastructure services.

Question 36. To enable a new search head to inherit the existing ES configuration in a SHC, you must:
A) Manually copy the $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite directory to the new node
B) Add the new node to the SHC members list and let the SHC push the configuration automatically
C) Restart the indexer cluster master
D) Reinstall the ES app on the new node with the "upgrade" option
Answer: B
Explanation: Adding the node as a search head cluster member triggers automatic configuration synchronization: the deployer pushes the app bundle and the captain replicates runtime knowledge objects. Hand-copying app directories onto one member leads to configuration drift.

Question 37. Which of the following best describes the purpose of the "Adaptive Response Framework" in ES?
A) To provide a UI for editing SPL queries
B) To allow correlation searches to invoke external scripts or APIs for automated remediation
C) To schedule daily data model acceleration jobs
D) To generate PDF reports for compliance audits
Answer: B
Explanation: Adaptive Response enables automated actions (e.g., block IP, disable account) triggered by notable events.
D) It is used only for sorting events in the Incident Review dashboard
Answer: B
Explanation: The "Risk" field reflects the calculated impact based on severity and related evidence, influencing prioritization.

Question 41. When troubleshooting why a correlation search is not firing, the first place you should look is:
A) The license usage page
B) The search's "Alert Actions" configuration
C) The search's "Schedule" and "Time Range" settings to ensure they match data availability
D) The firewall rules on the indexer
Answer: C
Explanation: A misaligned schedule or time range (for example, a search window that ends before late-arriving events are indexed) often prevents the search from seeing data, so it never fires; confirm that before looking at alert actions or throttling.

Question 42. Which of the following is the correct SPL syntax to create a notable event from a search manually?
A) | notable create title="Suspicious Login" severity=high
B) | sendalert notable param.rule_title="Suspicious Login" param.severity=high
C) | notable add title="Suspicious Login" severity=high
D) | outputlookup notable_events.csv
Answer: B
Explanation: The sendalert command invokes a configured alert action on the search results; ES registers notable creation as the "notable" alert action, and its parameters are passed as param.<name>. There is no "notable create" or "notable add" command, and outputlookup only writes a CSV.

Question 43. The "Security Posture" dashboard can be customized to add a new security domain. Which file must be edited to define the new domain's underlying data model?
A) security_posture.conf
B) data_model.conf
C) security_posture.xml in the ES app's default directory
D) risk_score_calculation.conf
Answer: C
Explanation: The dashboard's XML defines which key indicator searches and data models feed each domain panel; adding a new domain requires editing the dashboard definition (as a local copy, so the change survives ES upgrades).

Question 44. Which of the following is a recommended practice when creating a custom correlation search that references a large lookup table?
A) Load the entire lookup into memory using the inputlookup command without filtering
B) Use the lookup command with a pre-filter to limit rows before the main search logic
C) Store the lookup as a CSV file on the indexer's filesystem
D) Disable data model acceleration for the lookup
Answer: B
Explanation: Pre-filtering the lookup reduces memory usage and improves performance.

Question 45. In the context of ES, what does the term "Notable Event Lifecycle" refer to?
A) The steps from data ingestion to indexing
B) The sequence of states a notable event passes through: creation, assignment, investigation, closure
C) The process of licensing ES features
D) The lifecycle of a Splunk forwarder
Answer: B
Explanation: The notable event lifecycle describes its progression from generation to resolution.
Explanation: The "threat_intel" data model aligns indicator fields with the CIM, enabling enrichment.

Question 49. When creating a new Glass Table, which of the following must be defined to enable drill-down to a detailed dashboard?
A) A JSON file containing the table's layout
B) An "onClick" action that references the target dashboard and passes context variables
C) A scheduled search that updates the Glass Table every minute
D) A lookup table that stores the Glass Table's configuration
Answer: B
Explanation: Drill-downs are configured via "onClick" actions that open a dashboard with the appropriate context.

Question 50. Which of the following is the most appropriate way to reduce false positives in a correlation search that monitors failed login attempts?
A) Increase the search's schedule interval to once per day
B) Add a threshold that only fires when failed attempts exceed a configurable count within a short time window
C) Disable the search during business hours
D) Change the severity from high to low
Answer: B
Explanation: A count-based threshold over a short window filters out isolated failures (typos, expired passwords) while still catching brute-force or password-spray bursts; lowering severity or running less often only hides the noise.

Question 51. Which Splunk configuration file controls the maximum number of concurrent searches a search head can run, impacting ES correlation search performance?
A) limits.conf
B) server.conf
C) indexes.conf
D) inputs.conf
Answer: A
Explanation: limits.conf [search] settings such as max_searches_per_cpu and base_max_searches determine the search head's concurrent search limit, and max_searches_perc caps the share of that limit available to scheduled searches, which is what correlation searches are.

Question 52. In ES, the "Asset" tab of the Incident Review page shows which of the following information?
A) The list of all users who have accessed the incident
B) Enriched details about the assets involved in the notable event, such as host name and OS
C) The raw log lines that triggered the event
D) The licensing status of the ES app
Answer: B
Explanation: The Asset tab displays metadata from the Asset framework related to the event.

Question 53. Which of the following is a valid reason to use a Heavy Forwarder instead of a Universal Forwarder for ES data ingestion?
A) To perform on-forwarder field extractions and CIM mapping before data reaches the indexer
B) To reduce network bandwidth usage by compressing data
C) To enable real-time alerting on the forwarder itself
D) To store raw logs locally for 90 days
Answer: A
Explanation: Heavy Forwarders run a full Splunk instance and can apply props/transforms for parsing, field extraction and routing before forwarding; Universal Forwarders only tail and ship data.
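The count-in-a-window threshold from Question 50 is simple to state but its false-positive behaviour depends entirely on the window length, so here is an added example (not part of the exam page, and not Splunk code) in plain Python that runs the naive "every failure is a notable" rule and the thresholded rule over constructed Authentication-shaped events. It is the offline equivalent of `action=failure | bin _time span=5m | stats count BY user, src | where count>=5`, except that it uses a sliding window rather than fixed 5-minute buckets, so a burst straddling a bucket boundary is not missed. The users, hosts, timestamps and threshold values are assumptions made for illustration.

```python
"""Added example, not from the exam page: a sliding-window failed-login threshold
versus per-event alerting.  All events below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


_burst_start = ts('2024-03-01T10:00:00')

# Constructed CIM Authentication-shaped events: (_time, user, src, action).
EVENTS = (
    # alice: two isolated typos five hours apart -> noise, not an attack
    [(ts('2024-03-01T09:00:00'), 'alice', '10.0.0.5', 'failure'),
     (ts('2024-03-01T14:00:00'), 'alice', '10.0.0.5', 'failure')]
    # svc_backup: six failures from one host in 75 seconds, then a success -> brute force
    + [(_burst_start + timedelta(seconds=15 * i), 'svc_backup', '10.0.0.77', 'failure')
       for i in range(6)]
    + [(_burst_start + timedelta(seconds=100), 'svc_backup', '10.0.0.77', 'success')]
    # bob: five failures spread over 48 minutes -> slow, below a 5-minute threshold
    + [(ts('2024-03-01T11:00:00') + timedelta(minutes=12 * i), 'bob', '10.0.0.9', 'failure')
       for i in range(5)]
)


def per_event_alerts(events):
    """Naive rule: every failed login becomes a notable (what Question 50 avoids)."""
    return [e for e in events if e[3] == 'failure']


def thresholded_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Fire once per (user, src) when at least `threshold` failures fall inside any
    sliding window of length `window`.  Returns one dict per fired pair with the
    densest window found, so the analyst sees first/last time and count."""
    failures = defaultdict(list)
    for when, user, src, action in sorted(events):
        if action == 'failure':
            failures[(user, src)].append(when)

    notables = []
    for (user, src), times in failures.items():
        start = 0
        best = None  # (count, first, last) of the densest window for this pair
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, times[start], times[end])
        if best[0] >= threshold:
            notables.append({'user': user, 'src': src, 'count': best[0],
                             'first': best[1], 'last': best[2]})
    return notables


if __name__ == '__main__':
    print('per-event notables:', len(per_event_alerts(EVENTS)))          # 13
    for n in thresholded_alerts(EVENTS):                                # only svc_backup
        print('thresholded notable:', n)
    # Widening the window to an hour also catches bob's slow attempt.
    print('with a 1-hour window:', len(thresholded_alerts(EVENTS, window=timedelta(hours=1))))
```

The second rule turns thirteen notables into one, and the 1-hour variant shows the trade-off the question glosses over: a short window suppresses slow password guessing, so in practice a brute-force search with a short window is usually paired with a longer-window, lower-rate search or a risk-based rule that accumulates score per user.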