New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Splunk SPLK-5001 Dumps Questions Answers

Page: 1 / 5
Total 66 questions

Splunk Certified Cybersecurity Defense Analyst Questions and Answers

Question 1

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

Options:

A.

Forming hypothesis for Threat Hunting

B.

Visualizing complex datasets.

C.

Creating persistent field extractions.

D.

Taking containment action on a compromised host

Buy Now
Question 2

What goal of an Advanced Persistent Threat (APT) group aims to disrupt or damage on behalf of a cause?

Options:

A.

Hacktivism

B.

Cyber espionage

C.

Financial gain

D.

Prestige

Question 3

The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.

Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?

Options:

A.

Comments

B.

Moles

C.

Annotations

D.

Framework mapping

Question 4

An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

Options:

A.

makeresults

B.

rename

C.

eval

D.

stats

Question 5

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

Options:

A.

index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts

B.

index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts

C.

index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts

D.

index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort -failed_attempts

Question 6

How are Notable Events configured in Splunk Enterprise Security?

Options:

A.

During an investigation.

B.

As part of an audit.

C.

Via an Adaptive Response Action in a regular search.

D.

Via an Adaptive Response Action in a correlation search.

Question 7

Which of the following is the primary benefit of using the CIM in Splunk?

Options:

A.

It allows for easier correlation of data from different sources.

B.

It improves the performance of search queries on raw data.

C.

It enables the use of advanced machine learning algorithms.

D.

It automatically detects and blocks cyber threats.

Question 8

Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?

Options:

A.

asset_category

B.

src_ip

C.

src_category

D.

user

Question 9

The field file_acl contains access controls associated with files affected by an event. In which data model would an analyst find this field?

Options:

A.

Malware

B.

Alerts

C.

Vulnerabilities

D.

Endpoint

Question 10

Which of the following is not considered an Indicator of Compromise (IOC)?

Options:

A.

A specific domain that is utilized for phishing.

B.

A specific IP address used in a cyberattack.

C.

A specific file hash of a malicious executable.

D.

A specific password for a compromised account.

Question 11

The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?

Options:

A.

IAM Activity

B.

Malware Center

C.

Access Anomalies

D.

New Domain Analysis

Question 12

When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?

Options:

A.

| sort by user | where count > 1000

B.

| stats count by user | where count > 1000 | sort - count

C.

| top user

D.

| stats count(user) | sort - count | where count > 1000

Question 13

An analyst is building a search to examine Windows XML Event Logs, but the initial search is not returning any extracted fields. Based on the above image, what is themost likelycause?

Options:

A.

The analyst does not have the proper role to search this data.

B.

The analyst is searching newly indexed data that was improperly parsed.

C.

The analyst did not add the excract command to their search pipeline.

D.

The analyst is not in the Drooer Search Mode and should switch to Smart or Verbose.

Question 14

After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.

What SPL could they use to find all relevant events across either field until the field extraction is fixed?

Options:

A.

| eval src = coalesce(src,machine_name)

B.

| eval src = src + machine_name

C.

| eval src = src . machine_name

D.

| eval src = tostring(machine_name)

Question 15

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of designing the new process and selecting the required tools to implement it?

Options:

A.

SOC Manager

B.

Security Engineer

C.

Security Architect

D.

Security Analyst

Question 16

Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?

Options:

A.

CASE()

B.

LIKE()

C.

FORMAT ()

D.

TERM ()

Question 17

An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initiated the network connection?

Options:

A.

Endpoint

B.

Authentication

C.

Network traffic

D.

Web

Question 18

An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organizations systems. In the course of the investigation the analyst determines that the reason no alerts were generated is because the detection searches were configured to run against Windows data only and excluding any Linux data.

This is an example of what?

Options:

A.

A True Positive.

B.

A True Negative.

C.

A False Negative.

D.

A False Positive.

Question 19

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

Options:

A.

Define and Predict

B.

Establish and Architect

C.

Analyze and Report

D.

Implement and Collect

Page: 1 / 5
Total 66 questions