The setting that is used in indexes.conf to specify alternate locations for accelerated storage is tstatsHomePath. Accelerated storage is the location where Splunk Enterprise stores the summary data for accelerated data models and reports. By default, acceleration storage is allocated in the same location as the index containing the raw events being accelerated. However, if you need to specify alternate locations for your accelerated storage, you can use the tstatsHomePath setting in indexes.conf. This setting allows you to define a different path for the summary data, which can improve the performance and efficiency of the data model acceleration. For example, you can set the tstatsHomePath to a faster disk or a different volume than the index homePath. References = 1: Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list. 2: indexes.conf - Splunk Documentation - tstatsHomePath.
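As an added illustration (not taken from the Splunk documentation or from the exam material), the indexes.conf stanzas below move the data model acceleration summaries of one index onto a separate, faster volume; the index name security_events and the paths /data and /ssd/summaries are assumed.

```ini
# Added example: indexes.conf stanzas placing datamodel acceleration
# summaries for one index on a separate, faster volume. The index name
# and all filesystem paths below are assumed, not taken from any site.

# Volume holding the regular hot/warm buckets (spinning disk assumed).
[volume:hot_cold]
path = /data
maxVolumeDataSizeMB = 500000

# Volume on faster storage, reserved for tstats/datamodel summaries.
[volume:fast_summaries]
path = /ssd/summaries
maxVolumeDataSizeMB = 100000

[security_events]
homePath   = volume:hot_cold/security_events/db
coldPath   = /data/cold/security_events/colddb
thawedPath = $SPLUNK_DB/security_events/thaweddb

# Without this line the summaries land in the built-in volume
# _splunk_summaries (which resolves to $SPLUNK_DB), i.e. next to the
# index data. tstatsHomePath must be written in terms of a volume
# definition, not as a bare filesystem path.
tstatsHomePath = volume:fast_summaries/security_events/datamodel_summary
```

After restarting, `splunk btool indexes list security_events --debug` shows which file supplies the effective tstatsHomePath, which is the quickest way to confirm the override was picked up rather than shadowed by another app's indexes.conf.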
Question # 5
When investigating, what is the best way to store a newly-found IOC?
When investigating an incident in Splunk Enterprise Security, the best way to store a newly-found IOC (indicator of compromise) is to click the "Add Artifact" button. This button allows you to add an artifact to the current investigation from any dashboard or search result. An artifact is a piece of machine data that indicates risk, such as an IP address, a domain name, a file hash, or a user name. By adding an artifact to the investigation, you can enrich the context of the incident, track the artifact across multiple data sources, and share the artifact with other analysts. You can also use the artifact to create a threat intelligence indicator, which can be used to detect and alert on future threats. References = 1: Add artifacts to an investigation - Splunk Documentation. 2: About investigations in Splunk Enterprise Security - Splunk Documentation.
Question # 6
How is it possible to navigate to the ES graphical Navigation Bar editor?
A.
Configure -> Navigation Menu
B.
Configure -> General -> Navigation
C.
Settings -> User Interface -> Navigation -> Click on "Enterprise Security"
D.
Settings -> User Interface -> Navigation Menus -> Click on "default" next to SplunkEnterpriseSecuritySuite
To navigate to the ES graphical Navigation Bar editor, you need to click the Configure menu in the ES app bar, then select General, and then select Navigation. The Navigation page allows you to customize the navigation bar of the ES app by adding, removing, or reordering the menu items. You can also edit the labels, icons, and links of the menu items. You can use the graphical editor to drag and drop the menu items, or you can edit the navigation XML directly. For more information, see Customize the navigation bar in Splunk Enterprise Security. The other options, A, C, and D, are not correct. There is no Navigation Menu option under the Configure menu. The Settings menu does not allow you to edit the navigation bar of the ES app. The Settings menu only allows you to edit the navigation menus of the Splunk platform, such as the app launcher and the user menu. References =
Customize the navigation bar in Splunk Enterprise Security
Design navigation graphs | Android Developers
Question # 7
Which of the following are the default ports that must be configured for Splunk Enterprise Security to function?
A.
SplunkWeb (8068), Splunk Management (8089), KV Store (8000)
B.
SplunkWeb (8390), Splunk Management (8323), KV Store (8672)
C.
SplunkWeb (8000), Splunk Management (8089), KV Store (8191)
D.
SplunkWeb (8043), Splunk Management (8088), KV Store (8191)
According to the Splunk Enterprise Security documentation, the default ports that must be configured for Splunk Enterprise Security to function are the following:
SplunkWeb (8000): This port provides the socket for Splunk Web, the web interface for Splunk Enterprise Security. It allows you to access the dashboards, reports, alerts, and other features of Splunk Enterprise Security from your browser. You can change this port in the web.conf file or by using the splunk set web-port command.
Splunk Management (8089): This port is used to communicate with the splunkd daemon, the main process that runs Splunk Enterprise Security. Splunk Web talks to splunkd on this port, as does the command line interface, and any distributed connections from other servers. This port also provides the REST API endpoint for Splunk Enterprise Security. You can change this port in the server.conf file or by using the splunk set splunkd-port command.
KV Store (8191): This port is used by the KV Store, a MongoDB-based service that stores key-value pairs of data for Splunk Enterprise Security. The KV Store is used to store and manage data for various features of Splunk Enterprise Security, such as asset and identity correlation, threat intelligence, adaptive response, and investigations. You can change this port in the server.conf file.
Therefore, the correct answer is C. SplunkWeb (8000), Splunk Management (8089), KV Store (8191). References =
Change default values
KV Store overview
Question # 8
How should an administrator add a new look up through the ES app?
A.
Upload the lookup file in Settings -> Lookups -> Lookup Definitions
B.
Upload the lookup file in Settings -> Lookups -> Lookup table files
C.
Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
D.
Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
The correct way to add a new lookup through the ES app is to upload the lookup file using Configure > Content Management > Create New Content > Managed Lookup. This allows the user to create or select an existing lookup file and definition, specify the lookup type, label, and description, and enable editing of the lookup file. This also stores the lookup file at the application level, which makes it easier to edit and share. The other options are either incorrect or not recommended for ES. Uploading the lookup file in Settings > Lookups > Lookup table files does not create a lookup definition or a label and description for the lookup. Uploading the lookup file in Settings > Lookups > Lookup Definitions does not upload the lookup file itself, but only creates a definition for an existing file. Adding the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups requires manual editing of the file system and is not recommended for ES. References =
Create and manage lookups in Splunk Enterprise Security