Administering Splunk Enterprise Security 5.2 Exam With
Complete Solutions Latest Update
ES User Role - ANSWER Runs real-time searches and views all ES dashboards
ES Analyst - ANSWER Owns notable events and performs notable event status changes
ES Admin - ANSWER Configures ES system-wide, including adding ES users, managing
correlation searches, adding new data sources, and managing lookup tables.
Correlation Searches - ANSWER Run in the background
ES ships with many, and they can be modified
See them under the ES menu > Configure > Content > Content Management
Each looks for one specific type of threat, vulnerability, or sign of attack
Creates a notable event
Can send email, run a script, or update a risk score
Only ES Admins can modify them or create new ones
Where are correlation searches in ES - ANSWER under Configure -> Content
Management
Here is where you find saved searches, Swim Lane Searches, correlation searches, etc.
Are correlation searches run in real time or scheduled - ANSWER either
Correlation searches are written to what index - ANSWER When a correlation search
identifies an event, it writes the result to the notable index
Use Case Library - ANSWER Analytic stories which are ready-to-use examples of ES use
cases
Configure -> All Configurations -> Content -> Use Case Library
How many built-in correlation searches are in ES - ANSWER 60, with more in the Use Case
Library
Dashboard that gives you an overview of notable events over the last 24 hours? -
ANSWER Security Posture dashboard, built into ES
Domains ES organizes into? - ANSWER Access
Endpoint
Network
Identity
Audit
Threat
Key Indicator - ANSWER Gives a count over the last 24 hours and the difference from
the preceding 24 hours
ES Admins can add/remove key indicators and set thresholds.
Incident Review - ANSWER List of all significant events
Urgency - ANSWER Combination of Severity and Priority
Severity - ANSWER Based on the raw event(s) detected by the correlation search
Set by the administrator on the correlation search
Priority - ANSWER Assigned to the associated assets or identities
Assigned by the admin
Urgency Table - ANSWER Based on asset/identity priority and event severity
Can be modified
Short ID - ANSWER For a notable event, you can create a unique 6-character code that
maps one-to-one to that notable event.
Select Share Event from the event's dropdown menu on the right in the Incident Review
dashboard.
Or select Create Short ID within the event details; once done, this option is replaced by
the Short ID.
To search for a Short ID in the Incident Review dashboard, switch the menu from Time to
Associations.
Incident Review Tag - ANSWER You can attach a tag to a field/value pair. Then you can
search for that tag in IR and return all incidents having that field/value pair with that tag.
IR History - ANSWER Displays changes made to the event
Adaptive Responses - ANSWER These are the actions configured to run when the alert triggers.
Analysts can run additional adaptive response actions by selecting them under the incident
menu on the right.
Status only means the response was successfully run, not that it worked. Select the
response to see what the results were.
Status Values Out of the Box - ANSWER
New
In Progress
Pending
Resolved