Where is detailed information about identities stored?
A.
The Identity Investigator index.
B.
The Access Anomalies collection.
C.
The User Activity index.
D.
The Identity Lookup CSV file.
Answer:
D
Question 9
A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives. What is a solution for this issue?
A.
Suppress notable events from that correlation search.
B.
Disable acceleration for the correlation search to reduce storage requirements.
C.
Modify the correlation schedule and sensitivity for your site.
D.
Change the correlation search's default status and severity.
Answer:
C
Question 10
Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?
Question 11
What should be used to map a non-standard field name to a CIM field name?
A.
Field alias.
B.
Search time extraction.
C.
Tag.
D.
Eventtype.
Answer:
A
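As an added illustration of the answer above (not part of the original question set), the following search-time configuration shows a field alias doing the renaming that CIM compliance needs, alongside the eventtype and tag that assign the events to the Authentication data model. The sourcetype `acme:vpn` and its vendor field names (`client_ip`, `login_name`, `gateway_host`, `result`) are assumptions made up for this example.

```ini
# props.conf (search-time knowledge, deployed to the search tier that ES runs on)
# Added example: map vendor field names onto CIM Authentication field names.
# The sourcetype "acme:vpn" and all vendor field names below are assumed.
[acme:vpn]
# Field alias: expose the vendor field under the CIM name with no re-extraction.
# ASNEW keeps the original field available as well, so existing searches still work.
FIELDALIAS-cim_src  = client_ip ASNEW src
FIELDALIAS-cim_user = login_name ASNEW user
FIELDALIAS-cim_dest = gateway_host ASNEW dest

# An alias only renames; it cannot rewrite values. CIM expects
# action=success|failure, so a calculated field normalizes the vendor's result codes.
EVAL-action = case(result=="OK", "success", result=="FAIL", "failure", true(), "unknown")

# eventtypes.conf
# The eventtype selects which events belong to the model. It does not rename anything.
[acme_vpn_auth]
search = sourcetype=acme:vpn result=*

# tags.conf
# The tag is what the Authentication data model constraint (tag=authentication) matches on.
[eventtype=acme_vpn_auth]
authentication = enabled
```

Check the result with a plain search such as `sourcetype=acme:vpn | table _time user src dest action`; if `user` and `src` are empty, the alias class names or source field names are wrong. The eventtype and tag only put the events into the data model, which is why options C and D do not answer a question about renaming a field.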
Question 12
A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives. Which of the following options is most likely to help performance?
A.
Change the search heads to do local indexing of summary searches.
B.
Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
C.
Increase memory and CPUs on the search head(s) and add additional indexers.
D.
If indexed realtime search is enabled, disable it for the notable index.
Answer:
C
Question 13
Following the installation of ES, an admin gave users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?
A.
In Enterprise Security, give the ess_user role the Own Notable Events permission.
B.
From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
C.
From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
D.
From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Answer:
C
Question 14
What can be exported from ES using the Content Management page?
A.
Only correlation searches, managed lookups, and glass tables.
B.
Only correlation searches.
C.
Any content type listed in the Content Management page.
D.
Only correlation searches, glass tables, and workbench panels.