Glass tables can display static images and text, the results of ad-hoc searches, and security metrics. Security metrics are visualizations that show the values of KPIs, service health scores, or notable events. You can add security metrics to a glass table by using the Security Metrics menu in the glass table editor. You can also configure the appearance, behavior, and drilldown options of the security metrics. Glass tables cannot display lookup searches, summarized data, or metrics store searches directly, although you can use these types of searches as data sources for ad-hoc searches and then display the results on a glass table. References =

Add security metrics to a glass table in Splunk Enterprise Security

Create and manage glass tables in Splunk Enterprise Security

By default, the CIM data models search all indexes in Splunk Enterprise Security. This means that any event that matches the tags and fields of a data model can be included in the data model, regardless of the index where it is stored. However, this can also affect the performance and efficiency of the data model searches, especially if there are many indexes that do not contain relevant data for the data model. Therefore, it is recommended to use the indexes allow list setting in the CIM add-on to constrain the indexes that each data model searches. The indexes allow list is a comma-separated list of indexes that you want to include in the data model search. You can specify index names or index macros.  For example, you can set the indexes allow list for the Authentication data model to  index=main, index=security, index=auth  to limit the search to only those three indexes 1 2 .  References  =  1 : Managing data models in Enterprise Security - Splunk Lantern - Indexes allow list.  2 : Overview of the Splunk Common Information Model - Splunk Documentation - Why the CIM exists.

Threat intel is the lookup type in Enterprise Security that contains information about known hostile IP addresses, as well as other indicators of compromise (IOCs) such as domains, URLs, hashes, and email addresses. Threat intel is collected from various sources, such as Splunk Enterprise Security, Splunk Add-on for Enterprise Security, Splunk Enterprise Security Content Update, and third-party threat intelligence providers. Threat intel is used to enrich events and generate notable events when a match is found between an IOC and an event field. You can view and manage the threat intel sources and lookups in Enterprise Security using the Threat Intelligence framework. References =

Threat Intelligence framework in Splunk ES

Threat Intelligence overview

According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:

indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See  indexes.conf  for more details.

props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See  props.conf  for more details.

transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations. See  transforms.conf  for more details.

Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References =

indexes.conf

props.conf

transforms.conf

Assigning Role Based Permissions in Splunk Enterprise Security

 To configure an “Nslookup” adaptive response action, so that it appears as a selectable option in the notable event’s action menu when an analyst is working in the Incident Review dashboard, the administrator would take the following steps:

On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.

Filter the content by Type: Correlation Search and select the correlation search that you want to add the Nslookup action to.

Click Edit and go to the Notable tab.

Under Recommended Actions, click Add New Action and select Nslookup from the drop-down menu.

Enter the required fields for the Nslookup action, such as the host field, the DNS server, and the output index.

Click Save to save the changes to the correlation search.

The Nslookup action will now appear as an option in the notable event’s action menu on the Incident Review dashboard. References =

Set up Adaptive Response actions in Splunk Enterprise Security

Included adaptive response actions with Splunk Enterprise Security

The priority column in the asset or identity list is combined with the event severity to make a notable event’s urgency in Splunk Enterprise Security. The urgency is a measure of how important it is to address a notable event, and it is calculated based on a matrix that maps the priority of the asset or identity involved in the event and the severity of the event.  The urgency can be one of the following values: low, medium, high, or critical 1 2 .  For example, by default, medium, high, and critical priority, combined with critical severity, will generate a critical urgency ranking 3 .  References  =  1 : Incident Review - Splunk Documentation - Urgency.  2 : Configure notable event urgency - Splunk Documentation.  3 : Solved: Splunk Enterprise Security: Is there a way to forc… - Splunk Community.