Splunk SPLK-5001 Practice Test - Questions Answers, Page 3
List of questions
Related questions
Question 21

The following list contains examples of Tactics, Techniques, and Procedures (TTPs):
1. Exploiting a remote service
2. Lateral movement
3. Use EternalBlue to exploit a remote SMB server
In which order are they listed below?
Question 22

An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available.
What event disposition should the analyst assign to the Notable Event?
Question 23

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?
Question 24

A threat hunter executed a hunt based on the following hypothesis:
As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.
Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company's environment.
Which of the following best describes the outcome of this threat hunt?
Question 25

An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.
What type of threat actor activity might this represent?
Question 26

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?
Question 27

An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?
Question 28

During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
Question 29

An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?
Question 30

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.
What should they ask their engineer for to make their analysis easier?
Question