Full Access Splunk SPLK-3001 Tutorials

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

• On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.
• In the Status Configuration window, select the Resolved status from the list of values.
• In the Status Transitions section, find the row for the closed status and click the Edit icon.
• In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.
• Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References = Customize status values and transitions for notable events.

According to the Splunk Add-on Builder documentation, after managing source types and extracting fields, the key step that comes next in the Add-on Builder is to map to data models. Data models are predefined schemas that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the Splunk Common Information Model (CIM) to enable cross-source analysis and correlation of security events. The Add-on Builder helps you to map your data fields to the CIM data models, such as Authentication, Change, Endpoint, and others. You can use the Data Model Mapper tool to select the data models that are relevant to your data source and map the fields accordingly. You can also validate the data model mappings and preview the results. See Map to data models for more details.

The other options are not the correct steps that come next in the Add-on Builder. Validate and package is the last step in the Add-on Builder, where you can check the quality and readiness of your add-on and create a package file for distribution. See Validate and package for more details. Configure data collection is the first step in the Add-on Builder, where you can specify the method and parameters for collecting data from your data source. See Configure data collection for more details. Create alert actions is an optional step in the Add-on Builder, where you can build custom alert actions or adaptive response actions for Splunk Enterprise Security. See [Create alert actions] for more details. Therefore, the correct answer is D. Map to data models. References =

• Map to data models
• Validate and package
• Configure data collection
• [Create alert actions]

Splunk Add-on Builder | Splunkbase3

Splunk Add-on Builder | Splunkbase

Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

• Add security metrics to a glass table in Splunk Enterprise Security
• Create and manage glass tables in Splunk Enterprise Security

The Auto Deployment feature of Distributed Configuration Management is a tool that allows you to automatically distribute configuration files, such as indexes.conf, to your Splunk platform instances. However, using this feature to distribute indexes.conf can pose a risk of having indexes with different settings across your instances. This can happen if you have manually edited the indexes.conf file on some of your instances, or if you have different versions of Splunk Enterprise Security installed on different instances. If the indexes have different settings, such as retention policies, storage paths, or bucket sizes, this can cause data inconsistency, search inefficiency, or data loss. Therefore, it is recommended to use the Manual Deployment feature of Distributed Configuration Management to review and validate the indexes.conf file before deploying it to your instances12. References = 1: Distributed Configuration Management - Splunk Documentation - Auto Deployment. 2: Distributed Configuration Management - Splunk Documentation - Manual Deployment.