New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Splunk > Splunk > SPLK-5001

SPLK-5001 Splunk Certified Cybersecurity Defense Analyst Question and Answers

Question # 4

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of designing the new process and selecting the required tools to implement it?

A.

SOC Manager

B.

Security Engineer

C.

Security Architect

D.

Security Analyst

Full Access
Question # 5

Which of the following is not considered an Indicator of Compromise (IOC)?

A.

A specific domain that is utilized for phishing.

B.

A specific IP address used in a cyberattack.

C.

A specific file hash of a malicious executable.

D.

A specific password for a compromised account.

Full Access
Question # 6

A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor’s typical behaviors and intent. This would be an example of what type of intelligence?

A.

Operational

B.

Executive

C.

Tactical

D.

Strategic

Full Access
Question # 7

A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each authenticated. They sort this list and remove any user names who have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail.

This is an example of what type of threat-hunting technique?

A.

Least Frequency of Occurrence Analysis

B.

Co-Occurrence Analysis

C.

Time Series Analysis

D.

Outlier Frequency Analysis

Full Access
Question # 8

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

A.

NIST 800-53

B.

ISO 27000

C.

CIS18

D.

MITRE ATT&CK

Full Access
Question # 9

Which pre-packaged app delivers security content and detections on a regular, ongoing basis for Enterprise Security and SOAR?

A.

SSE

B.

ESCU

C.

Threat Hunting

D.

InfoSec

Full Access
Question # 10

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company’s environment.

Which of the following best describes the outcome of this threat hunt?

A.

The threat hunt was successful because the hypothesis was not proven.

B.

The threat hunt failed because the hypothesis was not proven.

C.

The threat hunt failed because no malicious activity was identified.

D.

The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.

Full Access
Question # 11

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.

What should they ask their engineer for to make their analysis easier?

A.

Create a field extraction for this information.

B.

Add this information to the risk message.

C.

Create another detection for this information.

D.

Allowlist more events based on this information.

Full Access
Question # 12

When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

A.

foreach

B.

rex

C.

makeresults

D.

transaction

Full Access
Question # 13

Which of the following is considered Personal Data under GDPR?

A.

The birth date of an unidentified user.

B.

An individual's address including their first and last name.

C.

The name of a deceased individual.

D.

A company's registration number.

Full Access
Question # 14

What is the main difference between a DDoS and a DoS attack?

A.

A DDoS attack is a type of physical attack, while a DoS attack is a type of cyberattack.

B.

A DDoS attack uses a single source to target a single system, while a DoS attack uses multiple sources to target multiple systems.

C.

A DDoS attack uses multiple sources to target a single system, while a DoS attack uses a single source to target a single or multiple systems.

D.

A DDoS attack uses a single source to target multiple systems, while a DoS attack uses multiple sources to target a single system.

Full Access
Question # 15

According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?

A.

username

B.

src_user_id

C.

src_user

D.

dest_user

Full Access
Question # 16

Which of the following is a best practice when creating performant searches within Splunk?

A.

Utilize the transaction command to aggregate data for faster analysis.

B.

Utilize Aggregating commands to ensure all data is available prior to Streaming commands.

C.

Utilize specific fields to return only the data that is required.

D.

Utilize multiple wildcards across fields to ensure returned data is complete and available.

Full Access
Question # 17

What is the main difference between hypothesis-driven and data-driven Threat Hunting?

A.

Data-driven hunts always require more data to search through than hypothesis-driven hunts.

B.

Data-driven hunting tries to uncover activity within an existing data set, hypothesis-driven hunting begins with a potential activity that the hunter thinks may be happening.

C.

Hypothesis-driven hunts are typically executed on newly ingested data sources, while data-driven hunts are not.

D.

Hypothesis-driven hunting tries to uncover activity within an existing data set, data-driven hunting begins with an activity that the hunter thinks may be happening.

Full Access
Question # 18

An analyst needs to create a new field at search time. Which Splunk command will dynamically extract additional fields as part of a Search pipeline?

A.

rex

B.

fields

C.

regex

D.

eval

Full Access
Question # 19

Which of the following data sources can be used to discover unusual communication within an organization’s network?

A.

EDS

B.

Net Flow

C.

Email

D.

IAM

Full Access