312-39 Question #166: Real Exam Question with Answer & Explanation
The correct answer is B: `index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$)`
Question
Options
- A. `index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$)`
- B. `index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$)`
- C. `index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$)`
- D. `index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$)`
Explanation
Comprehensive Detailed Step-by-Step Explanation: In Windows security event logs, EventCode 4688 signifies a process creation event. The Splunk query `index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$)` is used to fetch logs related to process creation activities. This query filters the logs to only show events where a new process has been created, which is indicated by EventCode 4688. The `NOT (Account_Name=*$)` part of the query excludes any events where the account name ends with a dollar sign, which typically represents a machine or service account. The CSA curriculum covers security operation center (SOC) operations, including log management and correlation, SIEM deployment, advanced incident detection, and incident response. The CSA course materials and study guides cover the use of Splunk for monitoring and analyzing security events, which would include the creation of such queries for process creation monitoring [1].

References
1. t/5a3187b4419202f0fb8b2dd1/1513195444728/Windows+Splunk+Logging+Cheat+Sheet+v2.2.pdf