Splunk Enterprise Security With Complete
Solutions Latest Update
What is the Enterprise Security flow? - ANSWER 1. Raw events indexed
2. Data model summary searches run
3. Data available for ES | tstats
4. ES background searches (content) process data
5. ES searches for threats and anomalies
How is the security-related data required for ES collected? - ANSWER Through third-party add-ons in your enterprise from servers, routers, etc. Then forward the data to Splunk.
What does ES heavily rely on? - ANSWER Accelerated data models
What model does ES use to normalize the data? - ANSWER ES uses the Common Information Model (CIM)
What do the ES data models portray? - ANSWER Normalized data
How would you search the accelerated data? - ANSWER Use | tstats searches with summariesonly=true to search accelerated data.
| tstats summariesonly=t will do what? - ANSWER Restrict the search results to accelerated data
How does ES run? - ANSWER ES runs real-time and scheduled searches on accelerated data model data, looking for threats, vulnerabilities or attacks.
What are correlation searches? - ANSWER A search that runs continually in the background looking for known types of threats and vulnerabilities
What is an IOC? - ANSWER Indicator of Compromise
When any IOC is detected by a correlation search, what happens? - ANSWER ES raises an adaptive response; a very common adaptive response is a notable event (incident)
What does the Security Posture dashboard provide? - ANSWER A cross-domain SOC overview
What does the Incident Review dashboard provide? - ANSWER It is used to inspect and manage incidents
How do correlation searches run? - ANSWER Either in real-time or on a schedule
What are common adaptive responses (AR)? - ANSWER Notable event, sending email, running a script, and updating a risk score
Who can enable, disable, clone, modify or add a new correlation search? - ANSWER By default, only ES admins have this capability
Correlation searches create notable events and place them where? - ANSWER In the notable index
What do notable events include? - ANSWER They include fields, event types, and tags that provide information to investigate
What field in the notable event shows the correlation search that created the notable event? - ANSWER source