These questions cover Splunk Enterprise Security workflows and add-on development — areas that SPLK-3001 tests at the administrator level, expecting you to know how ES components work together in a SOC environment.
Question 1
A SOC manager wants to automatically distribute incoming notable events to analysts based on their specialty. Which ES feature supports this?
- A) The ES correlation search scheduler, which queues jobs on the ES server
- B) The ES Analyst Queue, which distributes notable events to analysts based on configured rules
- C) Splunk's standard alert manager, which sends notable events via email
- D) The Asset and Identity framework, which routes events based on asset owner
Answer: B — The ES Analyst Queue
The ES Analyst Queue (available in newer versions of Enterprise Security) enables SOC managers to configure automatic distribution rules that assign notable events to specific analysts or analyst groups. Rules can be based on:
- Notable event severity
- Source or destination asset criticality
- Event type or correlation search name
- Analyst workload (round-robin distribution)
This replaces manual triage where a lead analyst assigns events one by one — queuing automates the first step of the incident response workflow.
ES workflow components to know:
| Component | Function |
|---|---|
| Correlation searches | Generate notable events from Splunk data |
| Notable Event index | Stores all notable events and status changes |
| Incident Review | SOC interface for triaging and managing events |
| Analyst Queue | Automated notable event assignment |
| Investigation Workbench | Collaborative investigation interface |
Question 2
An analyst is investigating a suspected intrusion. They need to collaboratively document findings, link related notable events, add artifacts (IPs, hashes), and track investigation status with their team. Which ES feature is designed for this?
- A) A development environment for testing correlation searches
- B) The ES Investigation Workbench — an interactive investigation interface for collaborative analysis
- C) The ES dashboard editor for building custom investigation views
- D) The Asset and Identity framework for building investigation context
Answer: B — The ES Investigation Workbench
The Investigation Workbench is ES's dedicated investigation interface. It allows analysts to:
- Create a named investigation tied to an incident
- Link related notable events, raw events, and artifacts
- Add observables (IP addresses, domains, file hashes, usernames) to the investigation timeline
- Record analyst notes and findings
- Collaborate with other team members with a shared view of the investigation state
- Track investigation status and assign tasks
This is distinct from the standard Incident Review dashboard, which lists notable events for triage but doesn't support the structured investigation and collaboration that Workbench provides.
For SPLK-3001, know that the Workbench is the ES feature for structured incident investigations, while Incident Review is for initial triage and status updates.
</details>Question 3
You are building a custom Technology Add-On (TA) to ingest data from a new log source. Which configuration file defines how raw event data is parsed into fields?
- A)
eventtypes.conf— for classifying events by type - B)
transforms.conf— for field transformation and lookup configuration - C)
props.conf— for source type configuration including field extractions - D)
fields.conf— for declaring fields and their indexed/extracted status
Answer: C — props.conf
props.conf is the primary configuration file for source type settings, including field extraction rules. It ties extraction patterns (defined in transforms.conf) to specific source types, sources, or hosts.
The extraction configuration chain:
# props.conf — ties the extraction to a sourcetype
[my_log_source]
EXTRACT-app_field = app=(?P<app_name>\w+)
# or reference a transforms stanza:
REPORT-fields = my-field-extractions
# transforms.conf — the actual regex
[my-field-extractions]
REGEX = app=(\w+)\s+user=(\w+)
FORMAT = app_name::$1 username::$2
Key Splunk config files for TA development:
| File | Purpose |
|---|---|
props.conf | Source type settings, extraction rules, line breaking |
transforms.conf | Field extraction regex, lookups, masking |
eventtypes.conf | Tag groups of events by search criteria |
tags.conf | Assign CIM tags to eventtypes |
fields.conf | Declare indexed vs extracted fields |
eventtypes.conf classifies events into categories for use in ES and apps — it doesn't extract fields from raw data. fields.conf declares field properties but doesn't define extraction patterns.
Key Takeaways
- ES Analyst Queue automates notable event distribution to analysts; Incident Review is manual triage
- ES Investigation Workbench is for structured, collaborative investigations with linked artifacts and timelines
props.confdefines extraction rules per source type;transforms.confdefines the actual regex patterns — they work together