SPLK-5001 Exam Questions
120 real SPLK-5001 exam questions with expert-verified answers and explanations. Page 1 of 3.
- Question #1
During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
- Question #2
An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?
- Question #3
A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events a...
- Question #4
What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?
- Question #5
Upon investigating a report of a web server becoming unavailable, the security analyst finds that the web server's access log has the same log entry millions of times: 147.186.119....
- Question #6
According to David Bianco's Pyramid of Pain, which indicator type is least effective when used in continuous monitoring?
- Question #7
An analysis of an organization's security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who wo...
- Question #8
Which of the following is a correct Splunk search that will return results in the most performant way?
- Question #9
There are many resources for assisting with SPL and configuration questions. Which of the following resources feature community-sourced answers?
- Question #10
A successful Continuous Monitoring initiative involves the entire organization. When an analyst discovers the need for more context or additional information, perhaps from addition...
- Question #11
Splunk Enterprise Security has numerous frameworks to create correlations, integrate threat intelligence, and provide a workflow for investigations. Which framework raises the thre...
- Question #12
While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies. Which of the following Splunk commands retur...
- Question #13
The Lockheed Martin Cyber Kill Chain breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malwa...
- Question #14
A Risk Notable Event has been triggered in Splunk Enterprise Security; an analyst investigates the alert and determines it is a false positive. What metric would be used to define...
- Question #15
An analyst needs to create a new field at search time. Which Splunk command will dynamically extract additional fields as part of a Search pipeline?
- Question #16
Which of the following is considered Personal Data under GDPR?
- Question #17
What goal of an Advanced Persistent Threat (APT) group aims to disrupt or damage on behalf of a cause?
- Question #18
A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor's typical behaviors and intent. This would be an example of what type of intelligence?
- Question #19
An analyst is building a search to examine Windows XML Event Logs, but the initial search is not returning any extracted fields. Based on the above image, what is the most likely c...
- Question #20
An organization is using Risk-Based Alerting (RBA). During the past few days, a user account generated multiple risk observations. Splunk refers to this account as what type of ent...
- Question #21
When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?
- Question #22
How are Notable Events configured in Splunk Enterprise Security?
- Question #23
An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of t...
- Question #24
Which of the following data sources can be used to discover unusual communication within an organization's network?
- Question #25
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
- Question #26
The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technolo...
- Question #27
An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attem...
- Question #28
The field file_acl contains access controls associated with files affected by an event. In which data model would an analyst find this field?
- Question #29
A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each...
- Question #30
What is the main difference between hypothesis-driven and data-driven Threat Hunting?
- Question #31
The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which exi...
- Question #32
What is the main difference between a DDoS and a DoS attack?
- Question #33
A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threa...
- Question #34
Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as mino...
- Question #35
Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?
- Question #36
An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signat...
- Question #37
Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?
- Question #38
The eval SPL expression supports many types of functions. Which of these function categories is not valid with eval?
- Question #39
Which of the following is a tactic used by attackers, rather than a technique?
- Question #40
Which stage of continuous monitoring involves adding data, creating detections, and building drilldowns?
- Question #41
An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organization's systems. In the course of the investigation the anal...
- Question #42
An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initia...
- Question #43
Which of the following is a best practice for searching in Splunk?
- Question #44
While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What mode needs to be set in order to replace the defined values with X? | m...
- Question #45
Which of the following use cases is best suited to be a Splunk SOAR Playbook?
- Question #46
Which of the following is not considered an Indicator of Compromise (IOC)?
- Question #47
According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
- Question #48
The following list contains examples of Tactics, Techniques, and Procedures (TTPs): 1. Exploiting a remote service 2. Lateral movement 3. Use EternalBlue to exploit a remote SMB se...
- Question #49
An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to...
- Question #50
An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down: 147.186.119.107 - - [28/Ju...