SPLK-3001 Free Practice Test

Who can delete an investigation?

1. A. ess_admin users only.
2. B. The investigation owner only.
3. C. The investigation owner and ess-admin.
4. D. The investigation owner and collaborators.

Correct Answer: A
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

Which of the following actions can improve overall search performance?

1. A. Disable indexed real-time search.
2. B. Increase priority of all correlation searches.
3. C. Reduce the frequency (schedule) of lower-priority correlation searches.
4. D. Add notable event suppressions for correlation searches with high numbers of false positives.

Correct Answer: A

How is it possible to navigate to the list of currently-enabled ES correlation searches?

1. A. Configure -> Correlation Searches -> Select Status “Enabled”
2. B. Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”
3. C. Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”
4. D. Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “-Rule”

Correct Answer: A
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Listcorrelationsearches

“10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against what in ES?

1. A. A user.
2. B. A device.
3. C. An asset.
4. D. An identity.

Correct Answer: B

How is notable event urgency calculated?

1. A. Asset priority and threat weight.
2. B. Alert severity found by the correlation search.
3. C. Asset or identity risk and severity found by the correlation search.
4. D. Severity set by the correlation search and priority assigned to the associated asset or identity.

Correct Answer: D
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/Howurgencyisassigned