Splunk Updated SPLK-3001 Exam Questions and Answers by dakota

 According to the Splunk Enterprise Security documentation, the Status Configuration window allows you to customize the status values and transitions for notable events. You can define which roles can change the status of a notable event from one value to another, and which roles can view the notable events with a specific status. To restrict the users with the ess_user role from being able to change the status of Resolved notable events to closed, you need to do the following steps:

• On the Enterprise Security menu bar, select Configure > Incident Management > Status Configuration.
• In the Status Configuration window, select the Resolved status from the list of values.
• In the Status Transitions section, find the row for the closed status and click the Edit icon.
• In the Edit Status Transition dialog box, remove the ess_user role from the Roles field and click Save.
• Click Save Changes to apply the changes to the Status Configuration window.

This will prevent the users with the ess_user role from changing the status of any notable event from Resolved to closed. They will still be able to change the status of other notable events to closed, if they have the permission to do so. Therefore, the correct answer is A. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status. References = Customize status values and transitions for notable events.

 The Risk Analysis dashboard provides tools to analyze the risk scores and risk modifiers of various objects, such as systems, users, hashes, and network artifacts. The dashboard shows the risk score by object, the most active sources of risk, the risk score by category, the risk score over time, and the risk modifiers by object. The dashboard also allows you to create ad hoc risk entries, view the risk details of an object, and export the risk data as a CSV file. The other options, A, B, and D, are not correct. The Risk Analysis dashboard does not provide tools to show high risk threats, notable event domains, or key indicators of correlation searches. These are features of other dashboards in Splunk Enterprise Security, such as the Threat Activity dashboard, the Domain Analysis dashboard, and the Correlation Search Audit dashboard. References =

• Analyze risk in Splunk Enterprise Security
• Risk Analysis dashboard

When creating custom correlation searches, you can use the fieldname format to embed field values in the title, description, and drill-down fields of a notable event. This allows you to customize the notable event with dynamic information from the search results. For example, you can use src to include the source IP address of the event, or user to include the user name of the event1. References = 1: Create a correlation search - Splunk Documentation - Define the notable event.

Attachments to investigations are stored in a KV Store collection named investigation_attachment. KV Store is a feature that stores and manages data as key-value pairs. Splunk Enterprise Security uses KV Store to store investigation information in several collections, such as investigation, investigation_event, investigation_lead, and investigation_attachment. You can view or modify the KV Store collections using the KV Store API endpoint. For details about using the KV Store API endpoint, see KV Store endpoint descriptions in the Splunk Enterprise REST API Reference Manual1. The other options, B, C, and D, are not correct. Attachments to investigations are not stored in the notable index, the attachments.csv lookup, or the /etc/apps/SA-Investigations/default/ui/views/attachments directory. References =

• Manage investigations in Splunk Enterprise Security