Splunk SPLK-5001 Practice Test - Questions Answers
When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

A. foreach
B. rex
C. makeresults
D. transaction
Suggested answer: A

How are Notable Events configured in Splunk Enterprise Security?

A. During an investigation.
B. As part of an audit.
C. Via an Adaptive Response Action in a regular search.
D. Via an Adaptive Response Action in a correlation search.
Suggested answer: D

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

A. host
B. dest
C. src_nt_host
D. src_ip
Suggested answer: D

Which of the following is a best practice when creating performant searches within Splunk?

A. Utilize the transaction command to aggregate data for faster analysis.
B. Utilize Aggregating commands to ensure all data is available prior to Streaming commands.
C. Utilize specific fields to return only the data that is required.
D. Utilize multiple wildcards across fields to ensure returned data is complete and available.
Suggested answer: C

Which pre-packaged app delivers security content and detections on a regular, ongoing basis for Enterprise Security and SOAR?

A. SSE
B. ESCU
C. Threat Hunting
D. InfoSec
Suggested answer: B

Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?

A. CASE()
B. LIKE()
C. FORMAT()
D. TERM()
Suggested answer: D

Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?

A. asset_category
B. src_ip
C. src_category
D. user
Suggested answer: C

An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?

A. A True Negative.
B. A True Positive.
C. A False Negative.
D. A False Positive.
Suggested answer: A

Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?

A. Dashboards
B. Reports
C. Correlation searches
D. Validated architectures
Suggested answer: D

The eval SPL expression supports many types of functions. Which of these function categories is not valid with eval?

A. JSON functions
B. Text functions
C. Comparison and Conditional functions
D. Threat functions
Suggested answer: D
Total 66 questions