Splunk SPLK-5001 Exam Practice Test Instant Access

Question 1

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

ANIST 800-53

BISO 27000

CCIS18

DMITRE ATT&CK

Answer : D

Question 2

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.

What should they ask their engineer for to make their analysis easier?

ACreate a field extraction for this information.

BAdd this information to the risk message.

CCreate another detection for this information.

DAllowlist more events based on this information.

Answer : A

Question 3

An analysis of an organization's security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?

ASecurity Architect

BSOC Manager

CSecurity Engineer

DSecurity Analyst

Answer : C

Question 4

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company's environment.

Which of the following best describes the outcome of this threat hunt?

AThe threat hunt was successful because the hypothesis was not proven.

BThe threat hunt failed because the hypothesis was not proven.

CThe threat hunt failed because no malicious activity was identified.

DThe threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.

Answer : D

Question 5

An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.

What type of threat actor activity might this represent?

AData exfiltration

BNetwork reconnaissance

CData infiltration

DLateral movement

Answer : A

Question 6

Which of the following is a correct Splunk search that will return results in the most performant way?

Aindex=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host

B| stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host

Cindex=foo host=i-478619733 | transaction src_ip |stats count by host

Dindex=foo | transaction src_ip |stats count by host | search host=i-478619733

Answer : A

Question 7

There are many resources for assisting with SPL and configuration questions. Which of the following resources feature community-sourced answers?

ASplunk Answers

BSplunk Lantern

CSplunk Guidebook

DSplunk Documentation

Answer : A

Splunk SPLK-5001 Splunk Certified Cybersecurity Defense Analyst Exam Practice Test