SPLK-3001 Splunk Enterprise Security Certified Admin Exam

A Splunk Certified Enterprise Security Admin manages a Splunk Enterprise Security environment, including ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations. This certification demonstrates an individual’s ability to install, configure, and manage a Splunk Enterprise Security deployment.

Please note: There are two approved coursework paths for this certification track. Candidates may complete either Splunk Enterprise System Administration and Splunk Enterprise Data Administration or Splunk Cloud Administration as part of this certification track. All courses are linked below for reference. These prerequisite courses are highly recommended, but not required for candidates to register for the certification exam.

Splunk Enterprise System Administration

This two-day virtual course is designed for system administrators who manage a Splunk Enterprise environment. Topics include the Splunk license manager, indexers and search heads, configuration, management, and monitoring.

Splunk Enterprise Data Administration

This three-day virtual course is for data administrators who are responsible for getting data into Splunk. It covers Splunk forwarders and the methods for getting remote data into Splunk.

Splunk Cloud Administration

This three-day virtual course prepares administrators to manage users and get data into Splunk Cloud. Topics include data inputs and forwarder configuration, data management, user accounts, and basic monitoring.

Administering the Splunk App for Enterprise Security

This three-day virtual course prepares architects and system administrators to install, configure, and manage the Splunk App for Enterprise Security.
CERTIFICATION EXAM

It’s time to put your knowledge to the test.

Our Exam Registration Tutorial will guide you through the registration process and the Splunk Certification Exams Study Guide will guide your study efforts.

Good luck!
Course Objectives: Splunk Enterprise Data Administration

Module 1 – Introduction to Data Administration

Splunk overview
Identify Splunk data administrator role

Module 2 – Getting Data In – Staging

List the four phases of the Splunk indexing pipeline (input, parsing, indexing, search)
List Splunk input options
Describe the basic settings for an input

Module 3 – Configuring Forwarders

Understand the role of production Indexers and Forwarders
Understand the functionality of Universal Forwarders and Heavy Forwarders
Configure Forwarders
Identify additional Forwarder options

Module 4 – Forwarder Management

Explain the use of Forwarder Management
Describe Splunk Deployment Server
Manage forwarders using deployment apps
Configure deployment clients
Configure client groups
Monitor forwarder management activities

Module 5 – Monitor Inputs

Create file and directory monitor inputs
Use optional settings for monitor inputs
Deploy a remote monitor input

Module 6 – Network and Scripted Inputs

Create network (TCP and UDP) inputs
Describe optional settings for network inputs
Create a basic scripted input

Module 7 – Agentless Inputs

Identify Windows input types and uses
Understand additional options to get data into Splunk
HTTP Event Collector
Splunk App for Stream

Module 8 – Fine Tuning Inputs

Understand the default processing that occurs during input phase
Configure input phase options, such as sourcetype fine-tuning and character set encoding

Module 9 – Parsing Phase and Data

Understand the default processing that occurs during parsing
Optimize and configure event line breaking
Explain how timestamps and time zones are extracted or assigned to events
Use Data Preview to validate event creation during the parsing phase

Module 10 – Manipulating Raw Data

Explain how data transformations are defined and invoked
Use transformations with props.conf and transforms.conf to:
Mask or delete raw data as it is being indexed
Override sourcetype or host based upon event values
Route events to specific indexes based on event content
Prevent unwanted events from being indexed
Use SEDCMD to modify raw data

Module 11 – Supporting Knowledge Objects

Create field extractions
Configure collections for KV Store
Manage Knowledge Object permissions
Control automatic field extraction

Module 12 – Creating a Diag

Describe what a Splunk diag contains and when Support requests one
Generate a diag with the splunk diag command


Course Objectives: Splunk Cloud Administration

Module 1 – Splunk Cloud Overview

Describe Cloud topology
Describe tasks managed by the Splunk cloud administrator
List the primary differences between Splunk Cloud and Splunk Enterprise

Module 2 – Index Management

Define a Splunk Index
Create indexes in cloud
Delete data from an index
Monitor indexing activities

Module 3 – User Authentication and Authorization

Administer Splunk user roles
Integrate Splunk with LDAP, Active Directory, or SAML
Enable Duo Security multi-factor authentication (MFA)

Module 4 – Getting Data in

List Splunk input options
Describe the basic settings for an input
Review Splunk configuration files
Use a test environment to verify data

Module 5 – Getting Data in Cloud

List Splunk forwarder types
Describe the role of forwarders
Configure a forwarder to Splunk Cloud
Test the forwarder connection
Describe optional forwarder settings

Module 6 – Forwarder Management

Describe Splunk Deployment Server
Explain the use of forwarder management
Configure forwarders to be deployment clients
Manage forwarders using deployment apps

Module 7 – Monitor Inputs

Describe the Splunk process for inputting data
Create file and directory monitor inputs
Use optional settings for monitor inputs

Module 8 – Network and Other Inputs

Create network (TCP and UDP) inputs
Create a basic scripted input
Describe optional settings for network inputs
Identify Windows input types and uses
Use the HTTP Event Collector (HEC) to get data into Splunk
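The monitor, network and HEC objectives above (and the matching Modules 5 to 7 of the Data Administration course) are easiest to see side by side in one inputs.conf. The stanzas below are an added example for this page, not course material or Splunk's own configuration; the paths, ports, index names and token value are placeholders, while the setting names are standard inputs.conf keys. The monitor stanza belongs on a universal forwarder; the network and HEC stanzas belong on an on-premises indexer or heavy forwarder (in Splunk Cloud, HEC tokens are created through the UI, but the resulting settings have this shape).

```ini
# inputs.conf (added example; paths, ports, index names and token are placeholders)

# --- File/directory monitor input, normally deployed to a universal forwarder ---
[monitor:///var/log/auth.log]
disabled = 0
sourcetype = linux_secure
index = os_linux
# Skip files not modified in the last week and compressed log rotations.
ignoreOlderThan = 7d
blacklist = \.gz$

# --- Network (syslog) input ---
# Plain TCP/UDP syslog is unauthenticated and unencrypted, so restrict who may
# send to it. acceptFrom is a comma-separated list of IPs/CIDRs; "!" excludes.
[tcp://5514]
disabled = 0
sourcetype = syslog
index = network
connection_host = dns
acceptFrom = 10.20.0.0/16, !10.20.99.*

# --- HTTP Event Collector (agentless input) ---
# [http] is the listener; each [http://<name>] stanza is one token.
# Pin every token to the indexes it may write to, so a leaked token cannot be
# used to pollute other indexes. Leave enableSSL on; tokens travel in headers.
[http]
disabled = 0
enableSSL = 1
port = 8088

[http://webapp_events]
disabled = 0
# Placeholder value; Splunk generates a real UUID when the token is created.
token = 00000000-0000-0000-0000-000000000000
sourcetype = webapp:json
index = app_web
indexes = app_web, app_web_debug
```

After deploying, confirm the monitor input with the forwarder's splunkd.log and the network/HEC inputs with a search over the target index before tuning anything downstream; an input that lands in the wrong index or sourcetype is the most common reason ES data models later show no data.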

Module 9 – Fine-tuning Inputs

Describe the default processing that occurs during the input phase
Configure input phase options, such as sourcetype fine-tuning and character set encoding

Module 10 – Parsing Phase and Data Preview

Describe the default processing that occurs during parsing
Optimize and configure event line breaking
Explain how timestamps and time zones are extracted or assigned to events
Use Data Preview to validate event creation during the parsing phase

Module 11 – Manipulating Raw Data

Explain how data transformations are defined and invoked
Use transformations with props.conf and transforms.conf to modify raw data
Use SEDCMD to modify raw data
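The props.conf/transforms.conf objectives above, and the more detailed list in Module 10 of the Data Administration course (mask or delete raw data, override sourcetype or host, route to an index, drop events), come together in the following added example. It is not course material or a Splunk-shipped configuration; the sourcetype, index, field names and regexes are illustrative assumptions. The setting names (SEDCMD-<class>, TRANSFORMS-<class>, REGEX, FORMAT, DEST_KEY and the MetaData keys) are the standard ones.

```ini
# Added example. Place both files on the first full Splunk instance that
# parses the data (indexer or heavy forwarder); a universal forwarder does
# not run these. Sourcetype, index and field names are assumptions.

# ----- props.conf -----
[webapp:json]
# SEDCMD rewrites _raw before it is written to disk; masked digits are gone
# for good, so mask only what you never need to search. This keeps the first
# six and last four digits of a 16-digit card number.
SEDCMD-mask_pan = s/\b(\d{6})\d{6}(\d{4})\b/\1XXXXXX\2/g
# Transforms run in the order listed: drop noise first, then set host and
# sourcetype from event content, then choose the destination index.
TRANSFORMS-routing = drop_debug, host_from_event, sourcetype_audit, route_auth

# ----- transforms.conf -----
# 1. Prevent unwanted events from being indexed: send them to nullQueue.
[drop_debug]
REGEX = "level"\s*:\s*"DEBUG"
DEST_KEY = queue
FORMAT = nullQueue

# 2. Override the host field from a value inside the event ($1 = first group).
[host_from_event]
REGEX = "origin_host"\s*:\s*"([^"]+)"
DEST_KEY = MetaData:Host
FORMAT = host::$1

# 3. Override the sourcetype for audit records so a different set of
#    knowledge objects (and ES data model tags) applies to them at search time.
[sourcetype_audit]
REGEX = "event_type"\s*:\s*"audit"
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::webapp:audit

# 4. Route authentication events to a restricted index based on content.
[route_auth]
REGEX = "event_type"\s*:\s*"(login|logout|auth_failure)"
DEST_KEY = _MetaData:Index
FORMAT = auth_events
```

Two caveats when using this pattern. Routing to an index that does not exist on the indexer sends the events to the last-chance index or drops them depending on version, so create auth_events first and restrict who can search it. And because the sourcetype override fires after line breaking and timestamp extraction have already run under the original sourcetype, the new sourcetype's search-time settings apply but its line-breaking props do not; verify the result with Data Preview before rolling the change out.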

Module 12 – Installing and Managing Apps

Describe self-service app installs vs. manual app installs
Provide steps to install apps
Describe how apps are managed

Module 13 – Working with Splunk Cloud Support

Isolate problems before contacting Splunk Cloud Support
Define the process for working with Splunk Cloud Support

Course Objectives: Administering the Splunk App for Enterprise Security

Module 1 – ES Introduction

Overview of ES features and concepts

Module 2 – Monitoring and Investigation

Security Posture
Incident Review
Notable events management

Module 3 – Security Intelligence

Overview of security intel tools

Module 4 – Forensics, Glass Tables and Navigation Control

Explore forensics dashboards
Examine glass tables
Configure navigation and dashboard permissions

Module 5 – ES Deployment

Identify deployment topologies
Examine the deployment checklist
Understand indexing strategy for ES
Understand ES Data Models

Module 6 – Installation and Configuration

Prepare a Splunk environment for installation
Download and install ES on a search head
Test a new install
Understand ES Splunk user accounts and roles
Post-install configuration tasks

Module 7 – Validating ES Data

Plan ES inputs
Configure technology add-ons

Module 8 – Custom Add-ons

Design a new add-on for custom data
Use the Add-on Builder to build a new add-on

Module 9 – Tuning Correlation Searches

Configure correlation search scheduling and sensitivity
Tune ES correlation searches

Module 10 – Creating Correlation Searches

Create a custom correlation search
Configure adaptive responses
Search export/import

Module 11 – Lookups and Identity Management

Identify ES-specific lookups
Understand and configure lookup lists

Module 12 – Threat Intelligence Framework

Understand and configure threat intelligence
Configure user activity analysis


QUESTION 1
The Add-On Builder creates Splunk Apps that start with what?

A. DA-
B. SA-
C. TA-
D. App-

Correct Answer: C

QUESTION 2
Which of the following are examples of sources for events in the endpoint security domain dashboards?

A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.

Correct Answer: C

The endpoint security domain dashboards summarize events from host systems such as workstations, notebooks, and point-of-sale devices; the lifecycle auditing of incidents belongs to the Audit domain, and REST calls and investigation status are not event sources.

QUESTION 3
When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

A. $fieldname$
B. “fieldname”
C. %fieldname%
D. _fieldname_

Correct Answer: A

ES expands $fieldname$ tokens in the notable's title, description, and drill-down fields with the field values from the search result that created the notable; none of the other formats are substituted.
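Modules 9 and 10 of the ES course (scheduling, sensitivity, throttling, creating a correlation search and its adaptive response) and the token format asked about in Question 3 are all visible in a single savedsearches.conf stanza. The one below is an added example for this page, not course material and not a search shipped with ES; the search logic, threshold, window, index and field names are illustrative assumptions, and the action.notable.* and action.correlationsearch.* parameter names are the ones ES writes when you save a correlation search in its editor (confirm them against your ES version).

```ini
# savedsearches.conf (added example; search, threshold and field names are assumptions)
[Access - Brute Force Against Single Account - Rule]
# Scheduling: run every 5 minutes over a window that lags real time, so that
# late-arriving events are still counted. Continuous schedule, not real-time.
cron_schedule = */5 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
realtime_schedule = 0
schedule_window = auto
enableSched = 1
disabled = 0

# Sensitivity: the count threshold is the main knob to tune against the
# environment's baseline of failed logons; the window is the other.
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication where Authentication.action=failure by Authentication.src Authentication.user \
| rename Authentication.* as * \
| where count > 20

# Mark the saved search as an ES correlation search so it appears in
# Content Management and can be exported/imported with other content.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Access - Brute Force Against Single Account

# Adaptive response: create a notable event. Field values from the result
# row are embedded with $fieldname$ tokens (the format asked about above).
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.rule_title = Brute force: $count$ failed logons for $user$ from $src$
action.notable.param.rule_description = $count$ authentication failures for user $user$ originating from $src$ in the search window.
action.notable.param.drilldown_name = View the failed logon events for $user$ from $src$
action.notable.param.drilldown_search = | from datamodel:"Authentication"."Authentication" | search action=failure src="$src$" user="$user$"
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$

# Throttling: one notable per src/user pair per day, however often the
# search fires. Throttle on the fields that define "the same incident".
alert.suppress = 1
alert.suppress.fields = src,user
alert.suppress.period = 86400s
```

When tuning, change one of the three sensitivity controls at a time (threshold, window, throttle fields) and watch the notable volume in Incident Review before changing the next; raising the threshold to silence a noisy source is usually the wrong fix when an allowlist lookup or a per-source suppression would keep the detection intact for everyone else.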