ExamGecko
Search Search Login
Home Home / Splunk / SPLK-5001

Splunk SPLK-5001 Practice Test - Questions Answers, Page 3

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?
A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious. What should they ask their engineer for to make their analysis easier?
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
What is the following step-by-step description an example of? 1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document. 2. The attacker creates a unique email with the malicious document based on extensive research about their target. 3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.
Splunk Enterprise Security has numerous frameworks to create correlations, integrate threat intelligence, and provide a workflow for investigations. Which framework raises the threat profile of individuals or assets to allow identification of people or devices that perform an unusual amount of suspicious activities?
The following list contains examples of Tactics, Techniques, and Procedures (TTPs): 1. Exploiting a remote service 2. Lateral movement 3. Use EternalBlue to exploit a remote SMB server In which order are they listed below?
According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
Which of the following data sources can be used to discover unusual communication within an organization's network?
Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?
An analyst is examining the logs for a web application's login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches. Which type of attack would this be an example of?

Question 21

Report
Export
Collapse

The following list contains examples of Tactics, Techniques, and Procedures (TTPs):

1. Exploiting a remote service

2. Lateral movement

3. Use EternalBlue to exploit a remote SMB server

In which order are they listed below?

A.
Tactic, Technique, Procedure
A.
Tactic, Technique, Procedure
Answers
B.
Procedure, Technique, Tactic
B.
Procedure, Technique, Tactic
Answers
C.
Technique, Tactic, Procedure
C.
Technique, Tactic, Procedure
Answers
D.
Tactic, Procedure, Technique
D.
Tactic, Procedure, Technique
Answers
Suggested answer: A

Question 22

Report
Export
Collapse

An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available.

What event disposition should the analyst assign to the Notable Event?

A.
Benign Positive, since there was no evidence that the event actually occurred.
A.
Benign Positive, since there was no evidence that the event actually occurred.
Answers
B.
False Negative, since there are no logs to prove the activity actually occurred.
B.
False Negative, since there are no logs to prove the activity actually occurred.
Answers
C.
True Positive, since there are no logs to prove that the event did not occur.
C.
True Positive, since there are no logs to prove that the event did not occur.
Answers
D.
Other, since a security engineer needs to ingest the required logs.
D.
Other, since a security engineer needs to ingest the required logs.
Answers
Suggested answer: D

Question 23

Report
Export
Collapse

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

A.
NIST 800-53
A.
NIST 800-53
Answers
B.
ISO 27000
B.
ISO 27000
Answers
C.
CIS18
C.
CIS18
Answers
D.
MITRE ATT&CK
D.
MITRE ATT&CK
Answers
Suggested answer: D

Question 24

Report
Export
Collapse

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company's environment.

Which of the following best describes the outcome of this threat hunt?

A.
The threat hunt was successful because the hypothesis was not proven.
A.
The threat hunt was successful because the hypothesis was not proven.
Answers
B.
The threat hunt failed because the hypothesis was not proven.
B.
The threat hunt failed because the hypothesis was not proven.
Answers
C.
The threat hunt failed because no malicious activity was identified.
C.
The threat hunt failed because no malicious activity was identified.
Answers
D.
The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.
D.
The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.
Answers
Suggested answer: D

Question 25

Report
Export
Collapse

An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.

What type of threat actor activity might this represent?

A.
Data exfiltration
A.
Data exfiltration
Answers
B.
Network reconnaissance
B.
Network reconnaissance
Answers
C.
Data infiltration
C.
Data infiltration
Answers
D.
Lateral movement
D.
Lateral movement
Answers
Suggested answer: A

Question 26

Report
Export
Collapse

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

A.
Define and Predict
A.
Define and Predict
Answers
B.
Establish and Architect
B.
Establish and Architect
Answers
C.
Analyze and Report
C.
Analyze and Report
Answers
D.
Implement and Collect
D.
Implement and Collect
Answers
Suggested answer: C

Question 27

Report
Export
Collapse

An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?

A.
Splunk ITSI
A.
Splunk ITSI
Answers
B.
Security Essentials
B.
Security Essentials
Answers
C.
SOAR
C.
SOAR
Answers
D.
Splunk Intelligence Management
D.
Splunk Intelligence Management
Answers
Suggested answer: B

Question 28

Report
Export
Collapse

During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?

A.
Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
A.
Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
Answers
B.
Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
B.
Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
Answers
C.
Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
C.
Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
Answers
D.
Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
D.
Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Answers
Suggested answer: D

Question 29

Report
Export
Collapse

An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?

A.
Running the Risk Analysis Adaptive Response action within the Notable Event.
A.
Running the Risk Analysis Adaptive Response action within the Notable Event.
Answers
B.
Via a workflow action for the Risk Investigation dashboard.
B.
Via a workflow action for the Risk Investigation dashboard.
Answers
C.
Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
C.
Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
Answers
D.
Clicking the risk event count to open the Risk Event Timeline.
D.
Clicking the risk event count to open the Risk Event Timeline.
Answers
Suggested answer: D

Question 30

Report
Export
Collapse

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.

What should they ask their engineer for to make their analysis easier?

A.
Create a field extraction for this information.
A.
Create a field extraction for this information.
Answers
B.
Add this information to the risk message.
B.
Add this information to the risk message.
Answers
C.
Create another detection for this information.
C.
Create another detection for this information.
Answers
D.
Allowlist more events based on this information.
D.
Allowlist more events based on this information.
Answers
Suggested answer: A
Total 66 questions
Go to page: of 7
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms