What is the main purpose of the Dashboard Requirements Matrix document?
A. Identifies on which data model(s) each dashboard depends.
B. Provides instructions for customizing each dashboard for local data models.
C. Identifies the searches used by the dashboards.
D. Identifies which data model(s) depend on each dashboard.
Which of these is a benefit of data normalization?
A. Reports run faster because normalized data models can be optimized for better performance.
B. Dashboards take longer to build.
C. Searches can be built no matter the specific source technology for a normalized data type.
D. Forwarder-based inputs are more efficient.
What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?
A. ess_user
B. ess_admin
C. ess_analyst
D. ess_reviewer
Which of the following ES features would a security analyst use while investigating a network anomaly notable?
A. Correlation editor.
B. Key indicator search.
C. Threat download dashboard.
D. Protocol intelligence dashboard.
If a username does not match the "identity" column in the identities list, which column is checked next?
A. Email.
B. Nickname
C. IP address.
D. Combination of Last Name, First Name.
Both "Recommended Actions" and "Adaptive Response Actions" use adaptive response.
How do they differ?
A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
D. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run manually with analyst intervention.
How is it possible to navigate to the ES graphical Navigation Bar editor?
A. Configure -> Navigation Menu
B. Configure -> General -> Navigation
C. Settings -> User Interface -> Navigation -> Click on "Enterprise Security"
D. Settings -> User Interface -> Navigation Menus -> Click on "default" next to SplunkEnterpriseSecuritySuite
Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?
A. Security domains.
B. Threat intel.
C. Assets.
D. Domains.
What should be used to map a non-standard field name to a CIM field name?
A. Field alias.
B. Search time extraction.
C. Tag.
D. Eventtype.
"10.22.63.159", "websvr4", and "00:26:08:18:CF:1D" would be matched against what in ES?
A. A user.
B. A device.
C. An asset.
D. An identity.
Which of the following are examples of sources for events in the endpoint security domain dashboards?
A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.
What is the first step when preparing to install ES?
A. Install ES.
B. Determine the data sources used.
C. Determine the hardware required.
D. Determine the size and scope of installation.
What is an example of an ES asset?
A. MAC address
B. User name
C. Server
D. People
What kind of value is in the red box in this picture?
A. A risk score.
B. A source ranking.
C. An event priority.
D. An IP address rating.
Which of the following is part of tuning correlation searches for a new ES installation?
A. Configuring correlation notable event index.
B. Configuring correlation permissions.
C. Configuring correlation adaptive responses.
D. Configuring correlation result storage.