New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Splunk SPLK-5001 Splunk Certified Cybersecurity Defense Analyst Exam Practice Test

Demo: 19 questions
Total 66 questions

Splunk Certified Cybersecurity Defense Analyst Questions and Answers

Question 1

Which of the following is a best practice for searching in Splunk?

Options:

A.

Streaming commands run before aggregating commands in the Search pipeline.

B.

Raw word searches should contain multiple wildcards to ensure all edge cases are covered.

C.

Limit fields returned from the search utilizing the cable command.

D.

Searching over All Time ensures that all relevant data is returned.

Question 2

An analyst is examining the logs for a web application’s login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.

Which type of attack would this be an example of?

Options:

A.

Credential sniffing

B.

Password cracking

C.

Password spraying

D.

Credential stuffing

Question 3

What goal of an Advanced Persistent Threat (APT) group aims to disrupt or damage on behalf of a cause?

Options:

A.

Hacktivism

B.

Cyber espionage

C.

Financial gain

D.

Prestige

Question 4

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?

Options:

A.

Security Architect

B.

SOC Manager

C.

Security Engineer

D.

Security Analyst

Question 5

Which stage of continuous monitoring involves adding data, creating detections, and building drilldowns?

Options:

A.

Implement and Collect

B.

Establish and Architect

C.

Respond and Review

D.

Analyze and Report

Question 6

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

Options:

A.

NIST 800-53

B.

ISO 27000

C.

CIS18

D.

MITRE ATT&CK

Question 7

There are many resources for assisting with SPL and configuration questions. Which of the following resources feature community-sourced answers?

Options:

A.

Splunk Answers

B.

Splunk Lantern

C.

Splunk Guidebook

D.

Splunk Documentation

Question 8

Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?

Options:

A.

asset_category

B.

src_ip

C.

src_category

D.

user

Question 9

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

Options:

A.

Define and Predict

B.

Establish and Architect

C.

Analyze and Report

D.

Implement and Collect

Question 10

After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.

What SPL could they use to find all relevant events across either field until the field extraction is fixed?

Options:

A.

| eval src = coalesce(src,machine_name)

B.

| eval src = src + machine_name

C.

| eval src = src . machine_name

D.

| eval src = tostring(machine_name)

Question 11

Which of the following is a correct Splunk search that will return results in the most performant way?

Options:

A.

index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host

B.

| stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host

C.

index=foo host=i-478619733 | transaction src_ip |stats count by host

D.

index=foo | transaction src_ip |stats count by host | search host=i-478619733

Question 12

While testing the dynamic removal of credit card numbers, an analyst lands on using therexcommand. What mode needs to be set to in order to replace the defined values with X?

| makeresults

| eval ccnumber="511388720478619733"

| rex field=ccnumber mode=???"s/(\d{4}-){3)/XXXX-XXXX-XXXX-/g"

Please assume that the aboverexcommand is correctly written.

Options:

A.

sed

B.

replace

C.

mask

D.

substitute

Question 13

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company’s environment.

Which of the following best describes the outcome of this threat hunt?

Options:

A.

The threat hunt was successful because the hypothesis was not proven.

B.

The threat hunt failed because the hypothesis was not proven.

C.

The threat hunt failed because no malicious activity was identified.

D.

The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.

Question 14

A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each authenticated. They sort this list and remove any user names who have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail.

This is an example of what type of threat-hunting technique?

Options:

A.

Least Frequency of Occurrence Analysis

B.

Co-Occurrence Analysis

C.

Time Series Analysis

D.

Outlier Frequency Analysis

Question 15

An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available.

What event disposition should the analyst assign to the Notable Event?

Options:

A.

Benign Positive, since there was no evidence that the event actually occurred.

B.

False Negative, since there are no logs to prove the activity actually occurred.

C.

True Positive, since there are no logs to prove that the event did not occur.

D.

Other, since a security engineer needs to ingest the required logs.

Question 16

An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

Options:

A.

makeresults

B.

rename

C.

eval

D.

stats

Question 17

An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down:

147.186.119.107 - - [28/Jul/2006:10:27:10 -0300] "POST /cgi-bin/shutdown/ HTTP/1.0" 200 3333

What kind of attack is most likely occurring?

Options:

A.

Distributed denial of service attack.

B.

Denial of service attack.

C.

Database injection attack.

D.

Cross-Site scripting attack.

Question 18

A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor’s typical behaviors and intent. This would be an example of what type of intelligence?

Options:

A.

Operational

B.

Executive

C.

Tactical

D.

Strategic

Question 19

An organization is using Risk-Based Alerting (RBA). During the past few days, a user account generated multiple risk observations. Splunk refers to this account as what type of entity?

Options:

A.

Risk Factor

B.

Risk Index

C.

Risk Analysis

D.

Risk Object

Demo: 19 questions
Total 66 questions