Splunk SPLK-3001 - Splunk Enterprise Security Certified Admin Exam

The tstatsHomePath setting in indexes.conf allows you to specify an alternate location for accelerated storage. Accelerated storage is where Splunk Enterprise stores the summary data for data models that are accelerated. The summary data is used to speed up searches and reports that use the data models. By default, the accelerated storage is located in the same volume as the index that contains the events referenced by the data model. However, you can use the tstatsHomePath setting to change the location of the accelerated storage to a different volume or path. This can help you optimize the performance and disk space usage of your Splunk Enterprise deployment. References =

Use the tstatsHomePath setting in indexes.conf if you need to specify alternate locations for your accelerated storage

tstatsHomePath setting in indexes.conf.spec

The argument to the | tstats command that restricts the search to summarized data only is summariesonly=t. Summarized data is the data that is generated by the data model acceleration process, which creates summary indexes (TSIDX files) for the data models. By using summariesonly=t, the tstats command will only search the summary indexes, which can improve the performance and efficiency of the search. However, this also means that the search will not return any events that are not covered by the data model acceleration, such as events outside the acceleration time range or events that do not match the data model constraints12. References = 1: tstats - Splunk Documentation - summariesonly. 2: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.

Fun (or Less Agony) with Splunk Tstats | Deductiv

 According to the Splunk Enterprise Security documentation, the bar across the bottom of any ES window is called the Investigation Bar. The Investigation Bar is a tool that helps you create and manage investigations in ES. An investigation is a collection of related notable events, comments, and artifacts that document a security incident or a threat hunting activity. You can use the Investigation Bar to do the following tasks:

Create a new investigation or open an existing one.

Add notable events, comments, and artifacts to an investigation.

Assign an owner and a status to an investigation.

Share an investigation with other users or roles.

Export an investigation as a PDF report.

The Investigation Bar also provides a link to the Investigation Workbench, which is a dashboard that shows a timeline and a summary of an investigation. Therefore, the correct answer is B. The Investigation Bar. References = Use the Investigation Bar.

Splunk Enterprise Security requires a dedicated search head with no other apps installed. This is because ES is a resource-intensive application that may cause performance issues and conflicts with other apps. Installing ES on a search head with other apps may also result in data loss or corruption. Therefore, it is recommended to install ES on a clean search head with only the default built-in apps and the Common Information Model (CIM) app. The CIM app is a prerequisite for ES and provides a common language for describing data across domains and technologies. The other options, B, C, and D, are not correct. Installing ES on a search head with any other apps, including TA-* or CIM-compliant apps, is not supported and may cause problems. References =

Install Splunk Enterprise Security

Splunk Enterprise Security Installation and Upgrade Manual

The setting that is used in indexes.conf to specify alternate locations for accelerated storage is tstatsHomePath. Accelerated storage is the location where Splunk Enterprise stores the summary data for accelerated data models and reports. By default, acceleration storage is allocated in the same location as the index containing the raw events being accelerated. However, if you need to specify alternate locations for your accelerated storage, you can use the tstatsHomePath setting in indexes.conf. This setting allows you to define a different path for the summary data, which can improve the performance and efficiency of the data model acceleration. For example, you can set the tstatsHomePath to a faster disk or a different volume than the index homePath12. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: indexes.conf - Splunk Documentation - tstatsHomePath.

The Add-On Builder is available from SplunkBase, which is the official source of apps and add-ons for the Splunk platform. SplunkBase allows you to browse, download, and install apps and add-ons that are compatible with your Splunk deployment. You can also upload and share your own apps and add-ons with the Splunk community. The Add-On Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk Enterprise deployment. Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your environment. The Add-On Builder guides you through the process of creating an add-on, following best practices and naming conventions, maintaining CIM compliance, and testing and validating the add-on1. The Add-On Builder is not available from GitHub, www.splunk.com, or the ES installation package. References =

Splunk Add-on Builder | Splunkbase

Splunk Add-on Builder | Splunkbase

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.

Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.

Click Edit and go to the Notable tab.

Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.

Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.

Click Save to save the changes to the correlation search.

The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =

Set up Adaptive Response actions in Splunk Enterprise Security

Included adaptive response actions with Splunk Enterprise Security

If the number of failed logins is greater than or equal to the threshold value, the search triggers a notable event. To make the search less sensitive, the threshold value can be increased, so that only more frequent failed logins will trigger a notable event. For example, the default threshold value is 4, which means that 4 or more failed logins within a 1-minute window will trigger a notable event. If the threshold value is changed to 10, then only 10 or more failed logins within a 1-minute window will trigger a notable event. References =

Splunk Enterprise Security Admin Manual

Detecting brute force access behavior

A correlation search is a scheduled search that runs periodically to detect patterns of interest in the data and generate notable events or other actions when the search conditions are met. A correlation search can generate false positives, which are notable events that do not represent a real security incident or threat. False positives can create noise and reduce the efficiency and accuracy of the security analysis. To reduce false positives from a correlation search, you can modify the correlation schedule and sensitivity for your site. The correlation schedule determines how often the correlation search runs and over what time range. The sensitivity determines the threshold or limit for the search conditions to trigger a notable event. By adjusting the correlation schedule and sensitivity, you can fine-tune the correlation search to match your environment and data sources, and avoid generating notable events for normal or benign activities. You can modify the correlation schedule and sensitivity for a correlation search using the Content Management page in Splunk Enterprise Security. References =

Modify the correlation schedule and sensitivity for your site

Correlation search overview for Splunk Enterprise Security

Dealing with Security False Positives in Splunk (Enterprise Security ...2

Upping the Auditing Game for Correlation Searches Within ... - Splunk

In order to include an eventtype in a data model node, you need to apply the correct tags to the eventtype. Tags are labels that you can assign to event types to identify them as belonging to a specific category or domain. Tags are used by data models to map event types to data model nodes. For example, if you have an eventtype named windows_performance that contains events related to Windows performance metrics, you can tag it with performance and os. Then, you can include the eventtype in a data model node that matches those tags, such as the Performance node in the Operating System data model12. To apply tags to an eventtype, you can use the Settings > Event types page in Splunk Web, or the eventtypes.conf and tags.conf configuration files3. References = 1: About data models - Splunk Documentation - How data models use tags. 2: Use tags to map event types to data model nodes - Splunk Documentation. 3: About event types - Splunk Documentation - Tag event types.