EMT Practice Test

1. Question Content...


Question List

Question1: Which settings indicates that the correlation search will be executed as new events are indexed?

Question2: Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Question3: If a username does not match the 'identity' column in the identities list, which column is checked next?

Question4: Enterprise Security's dashboards primarily pull data from what type of knowledge object?

Question5: How is notable event urgency calculated?

Question6: An administrator is asked to configure an "Nslookup" adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

Question7: What can be exported from ES using the Content Management page?

Question8: Which of the following are examples of sources for events in the endpoint security domain dashboards?

Question9: Which indexes are searched by default for CIM data models?

Question10: What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Question11: What is the first step when preparing to install ES?

Question12: Which of the following is a way to test for a property normalized data model?

Question13: The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data.
What data model should be checked for potential errors such as skipped searches?

Question14: How should an administrator add a new lookup through the ES app?

Question15: Which settings indicated that the correlation search will be executed as new events are indexed?

Question16: What kind of value is in the red box in this picture?

Question17: Which of the following is part of tuning correlation searches for a new ES installation?

Question18: Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

Question19: What does the Security Posture dashboard display?

Question20: What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Question21: When investigating, what is the best way to store a newly-found IOC?

Question22: What should be used to map a non-standard field name to a CIM field name?

Question23: At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

Question24: Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Question25: An administrator wants to ensure that none of the ES indexed data could be compromised through tampering. What feature would satisfy this requirement?

Question26: Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

Question27: What tools does the Risk Analysis dashboard provide?

Question28: What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Question29: Which of the following are examples of sources for events in the endpoint security domain dashboards?

Question30: Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Question31: Which of the following are data models used by ES? (Choose all that apply.)

Question32: After managing source types and extracting fields, which key step comes next In the Add-On Builder?

Question33: What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Question34: Which data model populated the panels on the Risk Analysis dashboard?

Question35: Which of the following threat intelligence types can ES download? (Choose all that apply)

Question36: What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Question37: ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

Question38: How is it possible to navigate to the list of currently-enabled ES correlation searches?

Question39: Which of the following is a key feature of a glass table?

Question40: Who can delete an investigation?

Question41: What is the first step when preparing to install ES?

Question42: The Brute Force Access Behavior Detected correlation search is enabled, and is generating many false positives. Assuming the input data has already been validated. How can the correlation search be made less sensitive?

Question43: Which indexes are searched by default for CIM data models?

Question44: Which of the following threat intelligence types can ES download? (Choose all that apply)

Question45: What do threat gen searches produce?

Question46: Which of the following features can the Add-on Builder configure in a new add-on?

Question47: When investigating, what is the best way to store a newly-found IOC?

Question48: Both "Recommended Actions" and "Adaptive Response Actions" use adaptive response. How do they differ?

Question49: After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?

Question50: What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

Question51: Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?

Question52: Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Question53: When installing Enterprise Security, what should be done after installing the add-ons necessary for normalizing data?

Question54: What do threat gen searches produce?

Question55: Accelerated data requires approximately how many times the daily data volume of additional storage space per year?

Question56: Adaptive response action history is stored in which index?

Question57: Where is the Add-On Builder available from?

Question58: Which of the following would allow an add-on to be automatically imported into Splunk Enterprise Security?

Question59: When ES content is exported, an app with a .splextension is automatically created.
What is the best practice when exporting and importing updates to ES content?

Question60: Which column in the Asset or Identity list is combined with event security to make a notable event's urgency?

Question61: Which two fields combine to create the Urgency of a notable event?

Question62: Which of the following is part of tuning correlation searches for a new ES installation?

Question63: At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

Question64: Which columns in the Assets lookup are used to identify an asset in an event?

Question65: Which settings indicated that the correlation search will be executed as new events are indexed?

Question66: A newly built custom dashboard needs to be available to a team of security analysts In ES. How is It possible to Integrate the new dashboard?

Question67: Which of the following ES features would a security analyst use while investigating a network anomaly notable?

Question68: Which of the following are data models used by ES? (Choose all that apply)

Question69: A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

Question70: Which of the following is a recommended pre-installation step?

Question71: When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

Question72: What are the steps to add a new column to the Notable Event table in the Incident Review dashboard?

Question73: After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Question74: After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?

Question75: Analysts have requested the ability to capture and analyze network traffic dat a. The administrator has researched the documentation and, based on this research, has decided to integrate the Splunk App for Stream with ES.
Which dashboards will now be supported so analysts can view and analyze network Stream data?

Question76: Which data model populates the panels on the Risk Analysis dashboard?

Question77: What are adaptive responses triggered by?

Question78: "10.22.63.159", "websvr4", and "00:26:08:18: CF:1D" would be matched against what in ES?

Question79: What kind of value is in the red box in this picture?

Question80: When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

Question81: What feature of Enterprise Security downloads threat intelligence data from a web server?

Question82: Where is the Add-On Builder available from?

Question83: Which of the following actions would not reduce the number of false positives from a correlation search?

Question84: How is it possible to navigate to the list of currently-enabled ES correlation searches?

Question85: What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Question86: Where should an ES search head be installed?

Question87: What does the risk framework add to an object (user, server or other type) to indicate increased risk?

Question88: Where is it possible to export content, such as correlation searches, from ES?

Question89: ES apps and add-ons from $SPLUNK_HOME/etc/appsshould be copied from the staging instance to what location on the cluster deployer instance?

Question90: What is the main purpose of the Dashboard Requirements Matrix document?

Question91: ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?