ExamGecko

Splunk SPLK-5001 Practice Test - Questions Answers, Page 6

An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

A. makeresults
B. rename
C. eval
D. stats

Suggested answer: A

An analysis of an organization's security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?

A. Security Architect
B. SOC Manager
C. Security Engineer
D. Security Analyst

Suggested answer: C

Which of the following is a correct Splunk search that will return results in the most performant way?

A. index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host
B. | stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host
C. index=foo host=i-478619733 | transaction src_ip |stats count by host
D. index=foo | transaction src_ip |stats count by host | search host=i-478619733

Suggested answer: A
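Added example, not from the original page or from Splunk's exam material, that ties the makeresults question and the performance question together. `makeresults` seeds a few rows, `streamstats` numbers them, and `eval` fabricates `src_ip`, `host` and a spread of `_time` values (all constructed, as is the host name reused from option A), so the option A pipeline can be exercised without any indexed data. Option A is the performant choice because the `index=foo host=...` filter is applied at search time before any streaming or transforming command runs, and because it uses `stats` instead of `transaction`, which has to hold events in memory to group them; option D filters only after the expensive work is done, and option B is not a valid search. One caveat the exam answer glosses over: `stats range(_time) AS duration BY src_ip` keeps only `src_ip` and `duration`, so a later `stats count BY duration, host` has no `host` field left to split on. The example adds `host` to the first BY clause so it survives. The `comment` macro used for inline notes ships with the Search & Reporting app.

```spl
| makeresults count=12 `comment("constructed sample: 12 rows, no indexed data touched")`
| streamstats count AS n
| eval src_ip = "10.0.0." . (n % 3),
       host   = "i-478619733",
       _time  = _time - (n * n * 10)
      `comment("src_ip, host and the time offsets are assumptions, not real data")`
| stats range(_time) AS duration BY src_ip, host
| bin duration span=5min
| stats count BY duration, host
```

Swap the `eval` line for different offsets or more source IPs to see how `bin` groups the per-IP durations; the rest of the pipeline is the same chain as option A, so timing it with the Job Inspector against the `transaction` variants gives a direct comparison on identical input.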

There are many resources for assisting with SPL and configuration questions. Which of the following resources feature community-sourced answers?

A. Splunk Answers
B. Splunk Lantern
C. Splunk Guidebook
D. Splunk Documentation

Suggested answer: A

A successful Continuous Monitoring initiative involves the entire organization. When an analyst discovers the need for more context or additional information, perhaps from additional data sources or altered correlation rules, to what role would this request generally escalate?

A. SOC Manager
B. Security Analyst
C. Security Engineer
D. Security Architect

Suggested answer: C

What is the following step-by-step description an example of?

1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.

2. The attacker creates a unique email with the malicious document based on extensive research about their target.

3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.

A. Tactic
B. Policy
C. Procedure
D. Technique

Suggested answer: C

Rationale: the tactic is Initial Access and the technique is Spearphishing Attachment; the specific, tooled implementation described here (a custom Cobalt Strike beacon profile, a lure tailored from research on the target, C2 staged on a compromised website) is a procedure.

Which of the following is a tactic used by attackers, rather than a technique?

A. Gathering information about a target.
B. Establishing persistence with a scheduled task.
C. Using a phishing email to gain initial access.
D. Escalating privileges via UAC bypass.

Suggested answer: A

Which stage of continuous monitoring involves adding data, creating detections, and building drilldowns?

A. Implement and Collect
B. Establish and Architect
C. Respond and Review
D. Analyze and Report

Suggested answer: A

An analyst is investigating how an attacker successfully performed a brute-force attack to gain a foothold in an organization's systems. In the course of the investigation the analyst determines that no alerts were generated because the detection searches were configured to run against Windows data only, excluding all Linux data.

This is an example of what?

A. A True Positive.
B. A True Negative.
C. A False Negative.
D. A False Positive.

Suggested answer: C
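Added example, not from the original page. The gap in this scenario is scoping, not logic: a detection written as `index=wineventlog EventCode=4625 | stats count BY src | where count > 20` only ever sees Windows logon failures, so SSH password guessing against Linux hosts is invisible to it and every such attack is a false negative. Writing the detection against the CIM Authentication data model instead makes it cover every source the add-ons normalize, Windows Security logs and Linux `secure`/`auth` logs alike, and any new authentication source that is CIM-mapped later. The 20-failure threshold, the 10-minute window, and the assumption that the Windows and Unix/Linux add-ons populate the Authentication data model in this environment are assumptions of the example.

```spl
| tstats count AS failures, dc(Authentication.user) AS users
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m, Authentication.src
    `comment("data model scope covers Windows and Linux; threshold and window are assumptions")`
| rename Authentication.* AS *
| where failures >= 20
| table _time, src, failures, users
```

To confirm the search actually sees both platforms before trusting it, add `sourcetype` to the BY clause and check that both the Windows and the Linux sourcetypes appear in the results; a detection whose coverage has never been verified against each intended data source is exactly how the gap in the question arises.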

The field file_acl contains access controls associated with files affected by an event. In which data model would an analyst find this field?

A. Malware
B. Alerts
C. Vulnerabilities
D. Endpoint

Suggested answer: D
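Added example, not from the original page, showing where `file_acl` is reached from: it is a field of the Filesystem dataset in the Endpoint data model, so in an accelerated search it is referenced as `Filesystem.file_acl` under `datamodel=Endpoint.Filesystem`. `acl_modified` is one of the recommended `action` values for that dataset, which makes it the natural filter for ACL changes. The one-hour window and the assumption that the data model is accelerated are assumptions of the example.

```spl
| tstats latest(Filesystem.file_acl) AS file_acl, count
    FROM datamodel=Endpoint.Filesystem
    WHERE Filesystem.action="acl_modified"
    BY _time span=1h, Filesystem.dest, Filesystem.file_path, Filesystem.user
    `comment("Endpoint.Filesystem holds file_acl; span and acceleration are assumptions")`
| rename Filesystem.* AS *
| table _time, dest, user, file_path, file_acl, count
```

Replace `tstats` with `| from datamodel:"Endpoint.Filesystem"` followed by the same `where` and `stats` if the data model is not accelerated; the field names are identical, only the speed differs.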