Free Splunk Certified Cybersecurity Defense Analyst Exam SPLK-5001 Exam Practice Test

Which of the following is not considered an Indicator of Compromise (IOC)?

• A specific domain that is utilized for phishing.
• A specific IP address used in a cyberattack.
• A specific file hash of a malicious executable.
• A specific password for a compromised account.

After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.What SPL could they use to find all relevant events across either field until the field extraction is fixed?

• | eval src = coalesce(src,machine_name)
• | eval src = src + machine_name
• | eval src = src . machine_name
• | eval src = tostring(machine_name)

What goal of an Advanced Persistent Threat (APT) group aims to disrupt or damage on behalf of a cause?

• Hacktivism
• Cyber espionage
• Financial gain
• Prestige

What is the main difference between hypothesis-driven and data-driven Threat Hunting?

• Data-driven hunts always require more data to search through than hypothesis-driven hunts.
• Data-driven hunting tries to uncover activity within an existing data set, hypothesis-driven hunting begins with a potential activity that the hunter thinks may be happening.
• Hypothesis-driven hunts are typically executed on newly ingested data sources, while data-driven hunts are not.
• Hypothesis-driven hunting tries to uncover activity within an existing data set, data-driven hunting begins with an activity that the hunter thinks may be happening.

How are Notable Events configured in Splunk Enterprise Security?

• During an investigation.
• As part of an audit.
• Via an Adaptive Response Action in a regular search.
• Via an Adaptive Response Action in a correlation search.

When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

• foreach
• rex
• makeresults
• transaction

During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?

• Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
• Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
• Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
• Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

• host
• dest
• src_nt_host
• src_ip

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

• NIST 800-53
• ISO 27000
• CIS18
• MITRE ATT&CK

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

• index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort - failed_attempts
• index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort-failed_attempts
• index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort - failed_attempts
• index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort - failed_attempts