Question 1

Where is detailed information about identities stored?

Options :

A : The Identity Investigator index.

B : The Access Anomalies collection.

C : The User Activity index.

D : The Identity Lookup CSV file.

Answer: C

Question 2

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

Options :

A : $fieldname$

B : ''fieldname''

C : %fieldname%

D : _fieldname_

Answer: A

Question 3

Where are attachments to investigations stored?

Options :

A : KV Store

B : notable index

C : attachments.csv lookup

D : <splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments

Answer: A

Question 4

Which settings indicated that the correlation search will be executed as new events are indexed?

Options :

A : Always-On

B : Real-Time

C : Scheduled

D : Continuous

Answer: C

Question 5

Which of these Is a benefit of data normalization?

Options :

A : Reports run faster because normalized data models can be optimized for better performance.

B : Dashboards take longer to build.

C : Searches can be built no matter the specific source technology for a normalized data type.

D : Forwarder-based inputs are more efficient.

Answer: A