SPLK-3001 Questions and Answers

Threat intel is the lookup type in Enterprise Security that contains information about known hostile IP addresses, as well as other indicators of compromise (IOCs) such as domains, URLs, hashes, and email addresses. Threat intel is collected from various sources, such as Splunk Enterprise Security, Splunk Add-on for Enterprise Security, Splunk Enterprise Security Content Update, and third-party threat intelligence providers. Threat intel is used to enrich events and generate notable events when a match is found between an IOC and an event field. You can view and manage the threat intel sources and lookups in Enterprise Security using the Threat Intelligence framework. References =

• Threat Intelligence framework in Splunk ES
• Threat Intelligence overview

Recommended Actions show a list of Adaptive Responses to an analyst, which are possible actions that can be taken in response to a notable event. Adaptive Response Actions run automatically when a correlation search triggers a notable event, and can perform actions such as sending an email, adding a comment, or modifying a risk score. Recommended Actions are configured in the correlation search editor, while Adaptive Response Actions are configured in the alert actions manager. References =

• Included adaptive response actions with Splunk Enterprise Security
• Set up Adaptive Response actions in Splunk Enterprise Security
• Configure adaptive response actions for a correlation search in Splunk Enterprise Security

 The Threat Download Manager is a feature of Splunk Enterprise Security that downloads threat intelligence data from a web server. The Threat Download Manager is a modular input that runs on a schedule and fetches threat intelligence data from various sources, such as STIX/TAXII servers, RSS feeds, or custom URLs. The Threat Download Manager then passes the downloaded data to the Threat Intelligence Parser for further processing12. References = 1: Add threat intelligence to Splunk Enterprise Security - Splunk Documentation - Configure the threat intelligence sources included with Splunk Enterprise Security. 2: Using threat intelligence in Splunk Enterprise Security - Splunk Lantern - Where do I get threat intelligence?

 Notable event urgency is calculated by combining the severity set by the correlation search and the priority assigned to the associated asset or identity. The severity is a value that indicates the impact or importance of the event, such as low, medium, high, or critical. The priority is a value that indicates the significance or sensitivity of the asset or identity involved in the event, such as unknown, low, medium, high, or critical. The urgency is a value that indicates the level of attention or action required for the event, such as informational, low, medium, high, or critical. The urgency is determined by using the urgency_lookup, which maps the severity and priority values to the urgency values. For example, if the severity is high and the priority is medium, the urgency is high. If the severity is critical and the priority is critical, the urgency is critical. You can use the urgency field to prioritize the investigation of notable events in Splunk Enterprise Security1. References =

• How urgency is assigned to notable events in Splunk Enterprise Security

According to the Splunk Enterprise Security documentation, threat gen searches are searches that generate synthetic events in the threat activity index to simulate security threats. Threat gen searches are useful for testing and validating the correlation searches, notable events, and adaptive response actions in Splunk Enterprise Security. Threat gen searches produce events in the threat activity index, which is a dedicated index for storing the synthetic events. The events in the threat activity index have the sourcetype of threatgen and the tag of threat. You can use the Threat Activity dashboard to view and analyze the events in the threat activity index. See Threat gen searches for more details.

The other options are not correct, because threat gen searches do not produce them. Threat gen searches do not produce threat intel in KV Store collections, which are key-value pairs of data that store and manage threat intelligence in Splunk Enterprise Security. Threat gen searches do not produce threat correlation searches, which are searches that correlate events with threat intelligence and generate notable events in Splunk Enterprise Security. Threat gen searches do not produce threat notables in the notable index, which are alerts or tasks that indicate potential security incidents or threats in Splunk Enterprise Security. Therefore, the correct answer is D. Events in the threat activity index. References = Threat gen searches.

Upping the Auditing Game for Correlation Searches Within ... - Splunk

The risk framework in Splunk Enterprise Security adds a numeric score to an object (user, server or other type) to indicate increased risk. The numeric score is calculated by summing up the risk scores of all the risk modifiers that are associated with the object. A risk modifier is an event that modifies the risk of an object, such as a malware infection, a failed login, or a suspicious activity. The risk score of a risk modifier is determined by the correlation search that triggers the risk analysis response action, which can be customized or created by the user12. The numeric score of an object reflects its overall risk level and can be used to prioritize investigation and response actions3. References = 1: Risk Analysis framework in Splunk ES - Splunk Documentation - Terminology for the Risk Analysis framework. 2: Risk Analysis framework in Splunk ES - Splunk Documentation - Write a correlation search. 3: About risk-based alerting in Splunk Enterprise Security - Splunk Documentation.

The Auto Deployment feature of Distributed Configuration Management is a tool that allows you to automatically distribute configuration files, such as indexes.conf, to your Splunk platform instances. However, using this feature to distribute indexes.conf can pose a risk of having indexes with different settings across your instances. This can happen if you have manually edited the indexes.conf file on some of your instances, or if you have different versions of Splunk Enterprise Security installed on different instances. If the indexes have different settings, such as retention policies, storage paths, or bucket sizes, this can cause data inconsistency, search inefficiency, or data loss. Therefore, it is recommended to use the Manual Deployment feature of Distributed Configuration Management to review and validate the indexes.conf file before deploying it to your instances12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Distributed Configuration Management - Splunk Documentation - Manual Deployment.

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

• Modify the correlation schedule and sensitivity for your site
• Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

Detailed information about identities, such as user names, email addresses, phone numbers, and roles, is stored in the Identity Lookup CSV file in Splunk Enterprise Security. The Identity Lookup CSV file is a lookup file that contains the identity data that is collected and extracted from various data sources, such as Active Directory, LDAP, or custom identity lists. The Identity Lookup CSV file is used to enrich events with identity information and generate notable events based on identity correlation searches. You can view and manage the Identity Lookup CSV file using the Asset and Identity Management page in Splunk Enterprise Security. References =

• Manage assets and identities in Splunk Enterprise Security
• Identity Lookup CSV file

According to the Splunk Enterprise Security documentation, the Distributed Configuration Management tool is used to update indexers in ES. This tool allows you to create and distribute a Splunk Enterprise Security app for indexers, which contains the necessary configurations for indexers to work with ES, such as index-time field extractions, tags, and event types. The app name is Splunk_ES_ForIndexers.spl and it is created by running the distributed_config_manager.py script on the search head. You can then deploy the app to the indexers using the deployment server or the cluster master. Therefore, the correct answer is B. Distributed Configuration Management. References = Distributed Configuration Management.

A technology add-on (TA) is a Splunk app that contains the configurations for ingesting and normalizing data from a specific data source or vendor. A TA can include sourcetype definitions, index-time and search-time field extractions, event types, tags, lookups, and other settings that help to map the data to the Splunk Common Information Model (CIM). The CIM is a set of predefined data models that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the CIM to enable cross-source analysis and correlation of security events. Therefore, the correct answer is D. Technology add-on. References =

• Technology add-ons overview
• Splunk Common Information Model Add-on
• Normalizing Enterprise Security data with technology add-ons

Onboarding data to Splunk Enterprise Security

 The main purpose of the Dashboard Requirements Matrix document is to identify on which data model(s) each dashboard in Splunk Enterprise Security depends. The Dashboard Requirements Matrix document is a web page that lists all the dashboards in Splunk Enterprise Security and the data model datasets that populate them. The data model datasets are linked to the Common Information Model (CIM) documentation, which describes the tags, field names, and field values that the events must use to be CIM-compliant. The Dashboard Requirements Matrix document helps you to determine which data models you need to enable and accelerate for your Splunk Enterprise Security deployment, and which data sources you need to map to the data models using the technology add-ons. References =

• Dashboard requirements matrix for Splunk Enterprise Security
• Data models in the Splunk Common Information Model

Data integrity control is a feature of Splunk Enterprise that helps you verify the integrity of data that it indexes. When you enable data integrity control for an index, Splunk Enterprise computes hashes on every slice of data using the SHA-256 algorithm. It then stores those hashes so that you can verify the integrity of your data later. This feature prevents data tampering and ensures that the data is trustworthy and reliable. Therefore, the correct answer is B. Data integrity control. References = Manage data integrity - Splunk Documentation.

The data models that are used by Splunk Enterprise Security are the ones that are defined and provided by the Common Information Model add-on (Splunk_SA_CIM) and the Enterprise Security-specific data models. The Common Information Model add-on contains 12 data models that cover various domains of security data, such as Web, Authentication, Network Traffic, Change, DLP, Email, Endpoint, Intrusion Detection, Malware, Performance, Ticket Management, and Vulnerabilities1. The Enterprise Security-specific data models are Anomalies, Audit, Business Context, Data Loss Prevention, Identity Management, Risk, Threat Intelligence, and Web Proxy2. Therefore, the data models that are used by ES are Web, Authentication, Network Traffic, and Anomalies, among others. References = 1: Overview of the Splunk Common Information Model - Splunk Documentation - Data models included with the Splunk Common Information Model Add-on. 2: Data models in Splunk Enterprise Security - Splunk Documentation - Enterprise Security-specific data models.

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event. The urgency can be one of the following values: low, medium, high, or critical12. For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking3. References = 1: Incident Review - Splunk Documentation - Urgency. 2: Configure notable event urgency - Splunk Documentation. 3: Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.

Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

• Add security metrics to a glass table in Splunk Enterprise Security
• Create and manage glass tables in Splunk Enterprise Security

The Risk Analysis dashboard uses the Risk data model to populate the panels. The Risk data model is a data model that contains information about the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The Risk data model accelerates these fields for the Risk Analysis and Incident Review dashboards. The Risk data model also handles case insensitive asset and identity correlation, allowing risk modifiers that are applied to system or user name variants to be correctly attributed to the same risk_object1. The other options, B, C, and D, are not correct. The Audit data model contains information about audit events, such as user logins, password changes, and system access. The Domain Analysis data model contains information about the domains that are visited by the systems in the network. The Threat Intelligence data model contains information about the threat intelligence sources, indicators, and matches. References =

• Risk Analysis dashboard
• Risk data model
• Risk Analysis framework

According to the Splunk Enterprise Security Admin documentation, the minimum hardware requirements for a dedicated search head running ES are as follows: OS: 64 bit, RAM: 32 GB, CPU: 16 cores. These requirements are based on the assumption that the search head is not performing any other tasks besides running ES. The documentation also recommends having at least 500 GB of disk space for the search head. References = Splunk Enterprise Security Admin documentation

According to the Splunk Enterprise Security documentation, the Use Case Library is a feature that contains scenarios that are useful during ES implementation. The Use Case Library provides a collection of Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches, data sources, and explanations that you need to implement the scenario in your own ES environment. The Use Case Library also allows you to explore, activate, bookmark, and configure the searches that are related to each Analytic Story. You can filter the Analytic Stories by industry use cases, frameworks, or data sources. The Use Case Library helps you to quickly and easily deploy the most relevant security content for your organization. Therefore, the correct answer is A. Use Case Library. References = Manage Analytic Stories through the use case library in Splunk Enterprise Security.

Splunk Enterprise Security: SIEM Use Case Library | Splunk

 According to the Splunk Enterprise Security documentation, the recommended way to install ES is on a server with a new install of Splunk. This is because ES requires a dedicated search head that is not shared with other apps or users. Installing ES on a server with a new install of Splunk ensures that there are no conflicts or performance issues with other apps or configurations. If you want to install ES on an existing search head, you need to follow some additional steps, such as redirecting distributed search connections, purging KV Store, and backing up existing data. See Install Splunk Enterprise Security for more details. Therefore, the correct answer is C. On a server with a new install of Splunk. References = Install Splunk Enterprise Security.

 The point in the ES installation process when Splunk_TA_ForIndexes.spl should be deployed to the indexers is after installing ES on the search head(s) and running the distributed configuration management tool. Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on. The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.

According to the Splunk Enterprise Security documentation, the default schedule for accelerating ES data models is every 5 minutes. This means that the data model acceleration searches run every 5 minutes to summarize the newly indexed data and store the results in the tsidx files. The 5-minute schedule is recommended for most use cases, as it provides a balance between search performance and resource consumption. However, you can change the schedule of a data model acceleration search in the Content Management page of Splunk Enterprise Security, if needed. See Configure data models for Splunk Enterprise Security for more details. References = Configure data models for Splunk Enterprise Security.

 According to the Splunk Enterprise Security documentation, the way to make the Threat Activity dashboard the default landing page in ES is to use the Edit Navigation page and click the ‘Set this as the default view’ checkmark for Threat Activity. The Edit Navigation page allows you to customize the menu bar of ES and add links to custom dashboards, reports, or other views. You can also set the default view for each app context, which determines the landing page when you open the app. To set the Threat Activity dashboard as the default view, you need to do the following steps:

• On the Enterprise Security menu bar, select Configure > General > Navigation.
• In the Edit Navigation page, select the Enterprise Security app context from the drop-down menu.
• In the Navigation XML section, find the line that contains the view name ‘threat_activity’.
• Add the attribute default=“true” to the line and remove the same attribute from any other line in the same app context.
• Click Save Changes to apply the changes to the Edit Navigation page.

This will make the Threat Activity dashboard the default landing page when you open the Enterprise Security app. See Customize the navigation bar for more details.

The other options are not the correct ways to make the Threat Activity dashboard the default landing page in ES. Dragging and dropping the Threat Activity view to the top of the page will not change the default view, but only the order of the menu items. Selecting Enterprise Security as the default application will not change the default view within the app, but only the app that opens when you log in to Splunk. Editing the Threat Activity view settings will not change the default view, but only the title, description, permissions, and schedule of the dashboard. Therefore, the correct answer is C. From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity. References = Customize the navigation bar.

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

• Manage and customize investigation statuses in Splunk Enterprise Security