ES User Role - ANSWER Runs real-time searches and views all ES dashboards
ES Analyst - ANSWER Owns notable events and performs notable event status changes
ES Admin - ANSWER Configures ES system-wide, including adding ES users, managing
correlation searches, adding new data sources, and managing lookup tables.
Correlation Searches - ANSWER run in the background
ES ships with many, and they can be modified
See them under the ES menu > Configure > Content > Content Management
Each looks for one specific type of threat, vulnerability, or sign of attack
Creates a notable event
Can send email, run script, update risk score
Only ES Admins can modify/create new
Where are correlation searches in ES - ANSWER under Configure -> Content
Management
Here is where you find saved searches, Swim Lane Searches, correlation searches, etc.
Are correlation searches run in real time or scheduled - ANSWER either
Correlation searches are written to what index - ANSWER When a correlation search
identifies a match, it writes a notable event to the notable index (index=notable)
Use Case Library - ANSWER Analytic stories, which are ready-to-use examples of ES use
cases
Configure -> All Configurations -> Content -> Use Case Library
How many built-in correlation searches are in ES - ANSWER 60, with more available in the
Use Case Library
Dashboard that gives you an overview of notable events over the last 24 hours? -
ANSWER The Security Posture dashboard, built into ES
Domains ES organizes into? - ANSWER Access
Endpoint
Network
Identity
Audit
Threat
Key Indicator - ANSWER Gives a count over the last 24 hours
The difference from the preceding 24 hours
ES Admins can add/remove key indicators and set thresholds.
Incident Review - ANSWER List of all significant events
Urgency - ANSWER Combination of Severity and Priority
Severity - ANSWER Based on the raw event(s) detected by correlation search
Set by administrator to the correlation search
Priority - ANSWER Assigned to the associated assets or identities
Assigned by the admin
Urgency Table - ANSWER Based off Asset/identity priority and Event severity
Can be modified
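Worked example (added here; it is not part of the original notes and not Splunk's code): a small Python model of the severity, priority and urgency path described above. The correlation search supplies the severity, the asset lookup supplies the priority of the matched host, and a CSV lookup with the columns priority,severity,urgency resolves the two into an urgency. The urgency CSV, the asset list and the notable events are constructed for illustration, and the matrix values are an assumption (roughly "take the higher of the two"), not the urgency lookup that ships with ES. The missing_combinations check is what you want to run after an admin edits the table.

```python
import csv
import io

SEVERITIES = ["informational", "low", "medium", "high", "critical"]
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]

# Constructed lookup (an assumption for this example, not the table ES ships with).
# Same column shape as an ES CSV lookup; every combination is listed so that an
# admin can change any single cell.
URGENCY_CSV = """priority,severity,urgency
unknown,informational,informational
unknown,low,low
unknown,medium,medium
unknown,high,high
unknown,critical,critical
low,informational,low
low,low,low
low,medium,medium
low,high,high
low,critical,critical
medium,informational,medium
medium,low,medium
medium,medium,medium
medium,high,high
medium,critical,critical
high,informational,high
high,low,high
high,medium,high
high,high,high
high,critical,critical
critical,informational,critical
critical,low,critical
critical,medium,critical
critical,high,critical
critical,critical,critical
"""

# Constructed asset lookup: host -> priority assigned by the ES admin.
ASSETS = {
    "dc01.corp.example": "critical",
    "kiosk-07.corp.example": "low",
}


def load_urgency_table(csv_text):
    """Parse the lookup into {(priority, severity): urgency}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["priority"].strip(), row["severity"].strip())
        table[key] = row["urgency"].strip()
    return table


def missing_combinations(table):
    """Every priority/severity pair must resolve; a notable whose pair is
    absent from the lookup gets no urgency at all."""
    return [(p, s) for p in PRIORITIES for s in SEVERITIES if (p, s) not in table]


def override_urgency(table, priority, severity, urgency):
    """An admin edit to one cell of the table, with the values validated."""
    if priority not in PRIORITIES or severity not in SEVERITIES or urgency not in SEVERITIES:
        raise ValueError("unknown priority, severity or urgency value")
    table[(priority, severity)] = urgency


def asset_priority(host, assets):
    """Hosts absent from the asset lookup are 'unknown', so urgency then
    depends on the severity alone."""
    return assets.get(host.lower(), "unknown")


def notable_urgency(notable, assets, table):
    """Severity comes from the correlation search, priority from the asset
    matched on the dest field."""
    key = (asset_priority(notable["dest"], assets), notable["severity"])
    if key not in table:
        raise ValueError(f"no urgency row for priority/severity {key}")
    return table[key]


def triage(notables, assets, table):
    """Enrich a batch of notables the way Incident Review presents them."""
    return [
        {
            "rule": n["rule"],
            "dest": n["dest"],
            "severity": n["severity"],
            "priority": asset_priority(n["dest"], assets),
            "urgency": notable_urgency(n, assets, table),
        }
        for n in notables
    ]


# Constructed notables: one medium-severity correlation search (name made up)
# fired on three hosts whose asset priorities differ.
NOTABLES = [
    {"rule": "Example - Excessive Failed Logins", "dest": "DC01.corp.example", "severity": "medium"},
    {"rule": "Example - Excessive Failed Logins", "dest": "kiosk-07.corp.example", "severity": "medium"},
    {"rule": "Example - Excessive Failed Logins", "dest": "lab-99.corp.example", "severity": "medium"},
]

if __name__ == "__main__":
    table = load_urgency_table(URGENCY_CSV)
    assert not missing_combinations(table)
    for row in triage(NOTABLES, ASSETS, table):
        print(f"{row['dest']:<24} severity={row['severity']:<7} "
              f"priority={row['priority']:<8} urgency={row['urgency']}")
```

The same correlation search yields three different urgencies here purely because of the asset priorities, which is why keeping the asset and identity lookups current matters as much as tuning the searches themselves. After any edit to the urgency lookup, missing_combinations must return an empty list.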
Short ID - ANSWER For a notable event, you can create a unique 6-character code that
maps 1 to 1 to that notable event.
Select Share Event from the event's actions menu (the dropdown on the right) in the
Incident Review dashboard.
Or select Create Short ID within the event details; once created, that option is replaced
by the Short ID itself.
To search by Short ID in the Incident Review dashboard, switch the filter menu from Time to
Associations.
Incident Review Tag - ANSWER You can attach a tag to a field value pair. Then you can
search for that tag in IR and return all incidents having that field value pair with that tag.
IR History - ANSWER Displays changes made to the event
Adaptive Responses - ANSWER These are the actions configured to run when the alert triggers.
Analysts can run additional adaptive response actions by selecting them from the incident's
actions menu on the right.
A successful status only means the action ran, not that it had the intended effect. Select
the response to see its results.
Status Values Out of Box - ANSWER New
In Progress
Pending
Resolved