1. What command is commonly used in RQ Correlation Searches?
   - By clause
   - SPL
   - Datamodel command
   - Tstats
2. Which page allows you to triage notable events?
3. What are ES alerts called?
   - Offenses
   - Correlation Searches
   - Notable Event
   - Incident
4. What is a hierarchically structured mapping of one or more similar datasets?
   - Identities
   - Data Model
   - Assets
   - Table Command
5. You must have a good understanding of ___________________ before you can understand the Tstats command.
   - Where Clause
   - Datamodel Commands
   - By Clause
   - Data Models
6. Which index holds notable events?
7. What is generated when the conditions of a Correlation Search are met?
   - Notable Event
   - Alert
   - Incident Event
   - Channel
8. Name the three commands that Splunk uses to search data models.
   - Tstats
   - Assets
   - Count
   - Identities
   - Pivot
   - Sort
   - Datamodels
9. Which app do the default data models come with?
   - CIM (Common Information Model)
   - VirusTotal
   - RQAware
   - XForce
10. True or false: data models only exist within the Enterprise Security app.
11. True or false: Tstats will show raw events in addition to formatted results.
12. Name four data models commonly used within RQ content.
13. What is wrong with the following SPL?
    | tstats values(All_Traffic.dest_ip) as dest_ip
      from datamodel=Network_Traffic.All_Traffic
      where nodename=All_Traffic.Allowed_Traffic
      by _time, All_Traffic.src_ip, span=1h
14. Rebuild the following SPL to retrieve ONLY a count for Failed Default Authentications:
    | tstats count
      from datamodel=Authentication.Authentication
      by sourcetype
15. What is the name of the macro that will remove the data model prefix from a field name?