Splunk SPLK-5001 Practice Test - Questions Answers, Page 2

Which of the following data sources can be used to discover unusual communication within an organization's network?

A. EDS
B. NetFlow
C. Email
D. IAM

Suggested answer: B

When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?

A. | sort by user | where count > 1000
B. | stats count by user | where count > 1000 | sort - count
C. | top user
D. | stats count(user) | sort - count | where count > 1000

Suggested answer: B

The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.

Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?

A. Comments
B. Moles
C. Annotations
D. Framework mapping

Suggested answer: C

In Enterprise Security the framework mappings of a correlation search are held in its annotations (the built-in frameworks are NIST, CIS 20, MITRE ATT&CK and the Cyber Kill Chain), and those annotations are the context the analyst sees on the resulting notable events. There is no ES feature named "Framework mapping"; this is the same feature the later annotations question on this page asks about.

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

A. index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts
B. index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts
C. index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts
D. index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort -failed_attempts

Suggested answer: C
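The two SPL pipelines above (the outlier-user question and the failed-login question) share one shape: aggregate with `stats count by <field>`, filter the aggregated rows with `where`, then `sort`. The following Python is an added example, not code from this page or from Splunk, that reproduces that pipeline over constructed events so the difference between the correct answers and the distractors is visible: a count with no by-clause collapses to a single row, so a downstream `where count > 1000` has nothing per-user to filter, and because `where` runs after aggregation a user with exactly 1000 events is excluded. The field names `user`, `src_ip` and `eventtype` follow the questions; the events, addresses and user names are constructed.

```python
from collections import Counter


def make_events():
    """Constructed sample events (not real logs). Each dict stands in for one
    indexed event carrying the fields the two SPL questions rely on."""
    events = []
    # Noisy service account: 1500 successful logins from one host.
    events += [{"user": "svc_backup", "src_ip": "10.0.0.5", "eventtype": "successful_login"}] * 1500
    # alice: exactly 1000 events, sitting on the boundary of `where count > 1000`.
    events += [{"user": "alice", "src_ip": "10.0.0.42", "eventtype": "successful_login"}] * 1000
    # Password guessing against 'admin' from one external address: 300 failures.
    events += [{"user": "admin", "src_ip": "198.51.100.23", "eventtype": "failed_login"}] * 300
    # bob mistypes his password a dozen times.
    events += [{"user": "bob", "src_ip": "203.0.113.7", "eventtype": "failed_login"}] * 12
    # Two failures from the service host, plus one failure with no user field at all.
    events += [{"user": "svc_backup", "src_ip": "10.0.0.5", "eventtype": "failed_login"}] * 2
    events += [{"src_ip": "10.0.0.99", "eventtype": "failed_login"}]
    return events


def stats_count_by(events, field):
    """SPL `stats count by <field>`: one row per distinct value of the field.
    Events that lack the field are not counted, as with Splunk's stats."""
    return Counter(e[field] for e in events if field in e)


def where_count_gt(rows, threshold):
    """SPL `where count > threshold`, applied to the aggregated rows (strictly greater)."""
    return {k: v for k, v in rows.items() if v > threshold}


def sort_desc(rows):
    """SPL `sort - count`: descending by count; ties broken by value so output is stable."""
    return sorted(rows.items(), key=lambda kv: (-kv[1], kv[0]))


def outlier_users(events, threshold=1000):
    """| stats count by user | where count > 1000 | sort - count"""
    return sort_desc(where_count_gt(stats_count_by(events, "user"), threshold))


def failed_logins_by_src_ip(events):
    """eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts"""
    failed = [e for e in events if e.get("eventtype") == "failed_login"]
    return sort_desc(stats_count_by(failed, "src_ip"))


def count_without_by(events, field):
    """The distractor `stats count(user)` with no by-clause: a single row named
    count(user), so there is no per-user `count` field left for `where` to filter."""
    return {f"count({field})": sum(1 for e in events if field in e)}


if __name__ == "__main__":
    ev = make_events()
    print("outlier users      :", outlier_users(ev))
    print("failed by src_ip   :", failed_logins_by_src_ip(ev))
    print("count with no by   :", count_without_by(ev, "user"))
```

Running it lists only svc_backup as an outlier (1502 events; alice's 1000 does not pass `> 1000`), ranks 198.51.100.23 first for failed logins, and shows that the by-less count produces one row with no `user` column to act on. In a real search the same aggregation runs on the indexers, so the `where` on the aggregate is what makes option B cheap as well as correct.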

Which Enterprise Security framework provides a mechanism for running preconfigured actions within the Splunk platform or integrating with external applications?

A. Asset and Identity
B. Notable Event
C. Threat Intelligence
D. Adaptive Response

Suggested answer: D

Which of the following Splunk Enterprise Security features allows industry frameworks such as CIS Critical Security Controls, MITRE ATT&CK, and the Lockheed Martin Cyber Kill Chain to be mapped to Correlation Search results?

A. Annotations
B. Playbooks
C. Comments
D. Enrichments

Suggested answer: A

Which of the following is the primary benefit of using the CIM in Splunk?

A. It allows for easier correlation of data from different sources.
B. It improves the performance of search queries on raw data.
C. It enables the use of advanced machine learning algorithms.
D. It automatically detects and blocks cyber threats.

Suggested answer: A

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

A. Forming hypotheses for threat hunting.
B. Visualizing complex datasets.
C. Creating persistent field extractions.
D. Taking containment action on a compromised host.

Suggested answer: D

Which of the following is not considered an Indicator of Compromise (IOC)?

A. A specific domain that is utilized for phishing.
B. A specific IP address used in a cyberattack.
C. A specific file hash of a malicious executable.
D. A specific password for a compromised account.

Suggested answer: D

According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?

A. username
B. src_user_id
C. src_user
D. dest_user

Suggested answer: C

In the CIM Authentication data model, src_user is the user who initiated a privilege escalation and user is the account targeted by it; username and dest_user are not fields of that model.
Total 66 questions