ExamGecko
Home / Splunk / SPLK-5001
Ask Question

Splunk SPLK-5001 Practice Test - Questions Answers, Page 3

Question list
Search

List of questions

Search

Related questions











Question 21

Report
Export
Collapse

The following list contains examples of Tactics, Techniques, and Procedures (TTPs):

1. Exploiting a remote service

2. Lateral movement

3. Use EternalBlue to exploit a remote SMB server

In which order are they listed below?

Tactic, Technique, Procedure
Tactic, Technique, Procedure
Procedure, Technique, Tactic
Procedure, Technique, Tactic
Technique, Tactic, Procedure
Technique, Tactic, Procedure
Tactic, Procedure, Technique
Tactic, Procedure, Technique
Suggested answer: A
asked 23/09/2024
Donnie Roach
29 questions

Question 22

Report
Export
Collapse

An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available.

What event disposition should the analyst assign to the Notable Event?

Benign Positive, since there was no evidence that the event actually occurred.
Benign Positive, since there was no evidence that the event actually occurred.
False Negative, since there are no logs to prove the activity actually occurred.
False Negative, since there are no logs to prove the activity actually occurred.
True Positive, since there are no logs to prove that the event did not occur.
True Positive, since there are no logs to prove that the event did not occur.
Other, since a security engineer needs to ingest the required logs.
Other, since a security engineer needs to ingest the required logs.
Suggested answer: D
asked 23/09/2024
Fu Sin
31 questions

Question 23

Report
Export
Collapse

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

NIST 800-53
NIST 800-53
ISO 27000
ISO 27000
CIS18
CIS18
MITRE ATT&CK
MITRE ATT&CK
Suggested answer: D
asked 23/09/2024
Yusuf E
38 questions

Question 24

Report
Export
Collapse

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company's environment.

Which of the following best describes the outcome of this threat hunt?

The threat hunt was successful because the hypothesis was not proven.
The threat hunt was successful because the hypothesis was not proven.
The threat hunt failed because the hypothesis was not proven.
The threat hunt failed because the hypothesis was not proven.
The threat hunt failed because no malicious activity was identified.
The threat hunt failed because no malicious activity was identified.
The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.
The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.
Suggested answer: D
asked 23/09/2024
Nelson G Porras
42 questions

Question 25

Report
Export
Collapse

An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.

What type of threat actor activity might this represent?

Data exfiltration
Data exfiltration
Network reconnaissance
Network reconnaissance
Data infiltration
Data infiltration
Lateral movement
Lateral movement
Suggested answer: A
asked 23/09/2024
CATALIN FLORESCU
36 questions

Question 26

Report
Export
Collapse

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

Define and Predict
Define and Predict
Establish and Architect
Establish and Architect
Analyze and Report
Analyze and Report
Implement and Collect
Implement and Collect
Suggested answer: C
asked 23/09/2024
Aamir Muhammad
36 questions

Question 27

Report
Export
Collapse

An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?

Splunk ITSI
Splunk ITSI
Security Essentials
Security Essentials
SOAR
SOAR
Splunk Intelligence Management
Splunk Intelligence Management
Suggested answer: B
asked 23/09/2024
Tiffany Peterson
38 questions

Question 28

Report
Export
Collapse

During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?

Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Suggested answer: D
asked 23/09/2024
Vijay Kumar
47 questions

Question 29

Report
Export
Collapse

An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?

Running the Risk Analysis Adaptive Response action within the Notable Event.
Running the Risk Analysis Adaptive Response action within the Notable Event.
Via a workflow action for the Risk Investigation dashboard.
Via a workflow action for the Risk Investigation dashboard.
Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
Clicking the risk event count to open the Risk Event Timeline.
Clicking the risk event count to open the Risk Event Timeline.
Suggested answer: D
asked 23/09/2024
Rannie Dayapan
42 questions

Question 30

Report
Export
Collapse

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.

What should they ask their engineer for to make their analysis easier?

Create a field extraction for this information.
Create a field extraction for this information.
Add this information to the risk message.
Add this information to the risk message.
Create another detection for this information.
Create another detection for this information.
Allowlist more events based on this information.
Allowlist more events based on this information.
Suggested answer: A
asked 23/09/2024
Nisanka Mandara
39 questions
Total 66 questions
Go to page: of 7