Free Certification Practice Questions

SPLUNK-SPLK-5001

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?
#31
Which of the following data sources can be used to discover unusual communication within an organization’s network?
#32
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
#33
The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government. Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?
#34
An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?
#35
The field file_acl contains access controls associated with files affected by an event. In which data model would an analyst find this field?
#36
A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each authenticated. They sort this list and remove any user names that have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail. This is an example of what type of threat-hunting technique?
#37
What is the main difference between hypothesis-driven and data-driven Threat Hunting?
#38
The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?
#39
What is the main difference between a DDoS and a DoS attack?
#40
A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threat Intelligence?
#41
An analyst is examining the logs for a web application's login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches. Which type of attack would this be an example of?
#42
An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of designing the new process and selecting the required tools to implement it?
#43
After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name. What SPL could they use to find all relevant events across either field until the field extraction is fixed?
#44
An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?
#45
What is the following step-by-step description an example of?

1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.
2. The attacker creates a unique email with the malicious document based on extensive research about their target.
3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.
#46
Which of the following is a best practice when creating performant searches within Splunk?
#47
Which pre-packaged app delivers security content and detections on a regular, ongoing basis for Enterprise Security and SOAR?
#48
Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?
#49
Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?
#50
An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?
#51
Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?
#52
The eval SPL expression supports many types of functions. Which of these function categories is not valid with eval?
#53
Which of the following is a tactic used by attackers, rather than a technique?
#54
Which stage of continuous monitoring involves adding data, creating detections, and building drilldowns?
#55
An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organization's systems. In the course of the investigation the analyst determines that the reason no alerts were generated is that the detection searches were configured to run against Windows data only, excluding any Linux data. This is an example of what?
#56
An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initiated the network connection?
#57
Which of the following is a best practice for searching in Splunk?
#58
While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What does mode need to be set to in order to replace the defined values with X?

| makeresults
| eval ccnumber="511388720478619733"
| rex field=ccnumber mode=??? "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

Please assume that the above rex command is correctly written.
#59
Which of the following use cases is best suited to be a Splunk SOAR Playbook?
#60