Splunk ES Admin4


Advantages of Risk-Based Alerting?

- Address alert fatigue
- Improve detection of sophisticated threats like low-and-slow attacks that traditional SIEMs miss
- Align with cybersecurity frameworks like MITRE, Kill Chain, CIS, and NIST
- Scale analyst resources to optimize SOC productivity and efficiency

CLI to test integrity of data?

./splunk check-integrity -index <indexname>

What are the steps of the installation checklist?

1. Confirm the environment meets the minimum system requirements for Splunk Enterprise and ES
2. Increase the Splunk Web upload size limit in web.conf
3. Install the ES app on the search head
4. Install any required TAs
5. Create Splunk_TA_ForIndexers and deploy it to the indexers
6. Deploy input-time technical add-ons to the forwarders

Steps for ES Data Flow

1. Data is input from its source, indexed into events, and a sourcetype is applied
2. TAs apply normalization configurations based on the sourcetypes, which assign the events to a data model
3. The DM events are accelerated and placed into accelerated storage, with retention periods of up to 1 year
4. Most ES correlation searches and dashboard searches are based on accelerated DM events

Steps for Initial Data Verification

1. Make a list of all sourcetypes required by ES
2. Map each sourcetype to the TA that normalizes it
3. Confirm that the correct sourcetype name is being used (see the TA docs)
4. Install additional TAs if needed
5. Verify that normalization is happening (i.e. make sure the sourcetype is appearing in the correct DM)

Steps to install ES on Deployer?

1. On the Splunk toolbar, select Apps > Manage Apps and click Install app from file
2. Click Choose File and select the ES file
3. Click Upload
4. Click Continue to app setup page
5. Click Start Configuration Process
6. Use the Deployer to deploy ES to the search head cluster members: from the Deployer run 'splunk apply shcluster-bundle'

What are the 2 out-of-the-box Risk Incident Rules?

- ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 Days - creates a notable when the number of MITRE ATT&CK tactics exceeds 3 over the timeframe
- Risk Threshold Exceeded for Object Over 24 Hour Period - creates a notable when the risk score for an object exceeds 100 over the timeframe

- ______ are a list of actions to take, including possibly creating a notable event or setting risk...
- ______ determine severity, default owner, default status, etc...
- ______ assigning, increasing, or decreasing the risk score for a given type of threat or incident...

Adaptive Responses, Notable event settings, Risk

___ and ____ can be given the Edit Intelligence Downloads permission to manage threat intelligence downloads...

Analysts and users

Use _____ to enrich correlation search results with the context from industry-standard mappings

Annotations

_______ are used as field labels in the Risk Analysis dashboard

Annotations

The ______ table lists all configured asset lookups...

Asset lookups

What is the calc for Urgency?

Asset/Identity Priority + Event Sev = Urgency

ES uses ___ data models...

CIM

____ operations maintain the attributes defined in the lookups...

CRUD (create, read, update, and delete)

_____ leverages MLTK functions. (such as mltk_apply_upper macro)...

Conceptual Thresholds

________ searches run continually in the background looking for known types of threats and vulnerabilities

Correlation

How to increase the upload size in web.conf?

Create the $SPLUNK_HOME/etc/system/local/web.conf file and add the stanza below:

[settings]
max_upload_size = 1024

_____ determines which data models are using the most storage or processor time...

Data Model Audit

__________ displays status for sensitive data if the _________ correlation search is enabled...

Data Protection Audit, Personally Identifiable Information Detected

By default, _____ are tasked with managing ES threat intelligence...

ES Admin

By default, only _________ have the ability to suppress notable events

ES Admins

By default, which role can enable, disable, clone, modify, or add new correlation searches?

ES Admins

______ is any search or view that can be shared and used between multiple ES sites...

ES Managed Content

Standard Splunk Roles vs ES Roles (required for ES login)
User --> ____________
Power --> ____________
Admin --> _____________

ES User (ess_user) - Runs real-time searches and views all ES dashboards / SHOULD NOT BE ADDED TO ES ADMIN ROLE
ES Analyst (ess_analyst) - Owns notable events and performs notable event status changes
ES Admin (ess_admin) - Configures ES system-wide, including adding ES users, managing correlation searches, and adding new data sources

How ES verifies the following in SA-IdentityManagement each time the identity manager runs (every 5 mins):
- _____ automatic lookups that are defined in props.conf...
- _____ macros that read from the CSV files into the KV Store collections...
- _____ transforms.conf defines the .csv filenames and settings like case-sensitive matching...
- _____ collection replication settings defined in collections.conf...
- _____ IdentityLookup conventions...

Enforce props, Enforce macros, Enforce transforms, Enforce replicate, Enforce identityLookup

| tstats searches with summariesonly = f search accelerated data? [t/f]

False - summariesonly = t will restrict searches to accelerated data

_____ ensures hosts are properly forwarding data to Splunk, detects forwarders that have failed, and can be set to monitor all hosts or only the hosts configured with is_expected in the ES Assets lookup table...

Forwarder Audit

The ____ tab has the same features as the Asset Lookups configuration tab...

Identity Lookups

Which dashboard is used to inspect and manage incidents?

Incident Review

___ gives you a summary of events indexed per day (EPD)...

Indexing Audit

Which dashboard gives insight into investigations?

Investigation Overview Dashboard

Asset and Identity lookups are stored as ____

KV Store collections

After download, threat intel data is stored where?

KV store collections with the "_intel" suffix

The ________ at the top of the Security Posture dashboard provide an at-a-glance view of notable event status over the last 24 hours

Key Indicators (KI)

What are the parts of this MLTK macro? | `mltk_apply_upper("app:failures_by_src_count_1h", "high", "failure")`

Macro args:
- model - Name of the model for applying data and comparing against standards to find outliers (app:failures_by_src_count_1h)
- qualitative_id - Default IDs that correspond to the % of deviation, representing where on the distribution curve to look for outliers ("high", or "medium" or "low")
- field - Where to search for, or count, outliers ("failure")

What are the ES Required Add-ons (distributed with ES installer and only required to be on search heads)?

Main ES App
- SplunkEnterpriseSecuritySuite
Domain add-ons
- DA-ESS-AccessProtection
- DA-ESS-EndpointProtection
- DA-ESS-IdentityManagement
- DA-ESS-NetworkProtection
- DA-ESS-ThreatIntelligence
Supporting add-ons
- SA-AccessProtection
- SA-AuditAndDataProtection
- SA-EndpointProtection
- SA-IdentityManagement
- SA-NetworkProtection
- SA-ThreatIntelligence
- SA-UEBA
- SA-Utils
- Splunk_SA_CIM
- Splunk_ML_Toolkit

____ converts non-standard field names and vals into a uniform set of standardized fields within a DM...

Normalization

By default, what will ES users see on the Investigations Overview Dashboard? What will ES analysts see?

Nothing for users, analysts will only see investigations they created

____ are simple numeric comparisons (uses where command)...

Numeric Thresholds

How is data processed by ES?

1. Raw events are indexed [data is generated and forwarded to Splunk]
2. Data model summary searches run [CIM DM normalization is applied]
3. Data is available for ES [| tstats queries and dashboards can use the data]
4. ES background searches (content) process the data [correlation searches, trackers, and threat intel searches use the data models]
5. ES searches for threats and anomalies [ES creates notable events]

Risk Rules are any correlation search that has the _______ adaptive response action configured

Risk Analysis

Use ____________ to specify conditions to dynamically adjust risk scores for specific objects

Risk Factors

_________ help the risk score to be more precise based on threat

Risk Factors

____________ are correlation searches that run against the risk index

Risk Incident Rules

Risk Incident Rules create ___________

Risk Notables

The default _________ are system, user, and other

Risk Objects

_________ feed results (risk attributions) into the risk index

Risk Rules

The ______ data model is the data source for the panels on the Risk Analysis dashboard

Risk data model

__________ simplify the threat investigation process by helping prioritize suspicious behavior

Risk scores

_____ is the supporting add-on that maintains macros, lookup, knowledge objects, etc...

SA-IdentityManagement

____ and ____ determine how often to run the search and how often to generate notable events for the same type of incidents...

Scheduling and Throttling

Where should the ES app get installed?

Search head

Where should the TA's get installed?

Search heads, and on forwarders if they perform input-phase actions

Which dashboard provides a cross-domain SOC overview?

Security Posture

____ is a fast way to build out an initial TA, and can be used to create sourcetypes, extractions, and data model mapping(s)...

Splunk Add-on Builder

_________ is a separate solution that extends your ability to detect insider threats...

Splunk User Behavior Analytics (UBA)

What should be installed on indexers and heavy forwarders?

Splunk_TA_ForIndexers

What 3 components is ES comprised of?

- Tech Add-ons (TA): input, normalization
- Domain Add-ons (DA): views, UI components
- Supporting Add-ons (SA): searches, macros, data models, utilities

Where is security-related data acquired from in the enterprise?

Tech add-ons

The data model is scanned by the ____ correlation search and new notables for threat activity are created...

Threat Activity Detected

Use the ____ dashboard to examine the overall contents of the entire threat intelligence framework...

Threat Artifacts

Threat intel is downloaded regularly from external and internal sources by the _____ modular input...

Threat Download Manager

What comprises the Threat Intelligence Framework?

Threat Download Manager Threat Gen Threat Activity Detected

____ searches run by default every 5 mins and scan for threat activity related to any of the threat collections...

Threat Gen

____ is the criteria that causes a correlation search to trigger...

Threshold

The ________ correlation search prepares a list of all notable events in new status or unassigned owner in the last 48 hours...

Untriaged Notable Events

Every notable event has an ___________ field, ranging from Unknown to Critical. What two factors comprise this field?

Urgency:
1. Severity - based on the severity added to the notable event by the correlation search
2. Priority - assigned to the associated assets or identities (if more than one asset/identity is involved in a single notable event, the one with the higher priority determines the urgency)

How to examine Data Model Contents?

Use the datamodel command to examine the sourcetypes contained in the DM. Example:

| datamodel Network_Traffic All_Traffic search | stats count by sourcetype

How to retrieve information from the incident_review KV store collection?

Use the `incident_review` macro. Example:

| `incident_review` | search comment = "*...text...*"

Data models are _____ not containers...

conceptual maps

Use the _____ to determine the data model(s) and field names the dashboard requires...

dashboard requirements matrix (docs.splunk.com/Documentation/ES/latest/User/DashboardMatrix)

An ES Admin can enable _________ to ensure that the data ES relies on in the indexes is not tampered with...

data integrity control

By default, only the ______ role can edit ES navigation...

ess_admin

______ can manage all investigations

ess_admin

By default, only ____ and ____ roles have permission to start investigations

ess_admin and ess_analyst

By default, the __________ and __________ roles have the capability to create notable events. Other roles can be given the ____________________ permission.

ess_admin, ess_analyst, Create New Notable Events

_____ can only manage investigations they have created

ess_analyst

All add-ons and apps require you to restart Splunk [t/f]?

f

ess_user can view investigations by default [t/f]?

f

Notable events are created with _________, __________, and _______ that provide info necessary for incident investigation and link to original source events

fields, event types, tags

What is the Splunkbase URL?

https://splunkbase.splunk.com

When a notable event is assigned to an analyst, it is referred to as an ______

incident

All incident review status changes and comments are stored in the _____ collection...

incident_review KV Store collection

When a correlation search detects any IoC's, ES creates an alert called a _________

notable event

Correlation searches create __________ in the _________ index

notable events, notable

An investigation has an _____ and any number of ______

owner, collaborators

By default, all correlation searches run in _____ mode...

real-time

Correlation Searches can be run in either _______ or ________

real-time, on a schedule

ES runs ________ and ________ searches on accelerated Data Model data...

real-time, scheduled searches

A ____________ is a single metric that shows the relative risk of an object (system, user, or other) in the network over time

risk score

Where is the Risk Factor configuration stored?

risk_factors.conf file in SA-ThreatIntelligence app

Where are annotations stored?

savedsearches.conf under action.correlationsearch.annotations

Normalization is a _____ process based on event source types...

search-time

How can you clear data from the incident review KV store?

Keep only the last 30 days of entries:

| inputlookup incident_review_lookup | eval age = (now() - time)/86400 | search age < 30 | fields - age | outputlookup incident_review_lookup append=f

Use the splunk clean command to completely clear out the incident review collection (Splunk must be running):

splunk clean kvstore -app SA-ThreatIntelligence -collection incident_review

