
Splunk Assessment 2

a guest
Jun 20th, 2018
1. What command is commonly used in RQ Correlation Searches?
- By clause
- SPL
- Datamodel command
- Tstats

2. Which page allows you to triage notable events?

3. What are ES alerts called?
- Offenses
- Correlation Searches
- Notable Event
- Incident

4. What is a hierarchically structured mapping of one or more similar datasets?
- Identities
- Data Model
- Assets
- Table Command

5. You must have a good understanding of ___________________ before you can understand the Tstats command.
- Where Clause
- Datamodel Commands
- By Clause
- Data Models

6. Which index holds notable events?

7. What is generated when the conditions of a Correlation Search are met?
- Notable Event
- Alert
- Incident Event
- Channel

8. Name the 3 commands that Splunk uses to search data models.
- Tstats
- Assets
- Count
- Identities
- Pivot
- Sort
- Datamodels

9. Which app do the default data models come with?
- CIM (Common Information Model)
- VirusTotal
- RQAware
- XForce

10. Data models only exist within the Enterprise Security app.

11. Tstats will show raw events in addition to formatted results.

12. Name 4 data models commonly used within RQ content.

13. What is wrong with the following SPL?

| tstats values(All_Traffic.dest_ip) as dest_ip
from datamodel=Network_Traffic.All_Traffic
where nodename=All_Traffic.Allowed_Traffic
by _time, All_Traffic.src_ip, span=1h

14. Rebuild the following SPL to retrieve ONLY a count for Failed Default Authentications:

| tstats count
from datamodel=Authentication.Authentication
by sourcetype

15. What is the name of the macro that will remove the data model prefix from a field name?