SPLK-5001 Exam Questions
120 real SPLK-5001 exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #51
Which of the Enterprise Security frameworks provides additional automatic context and correlation to fields that exist within raw data?
- Question #52
What do frameworks and standards help accomplish in the cybersecurity landscape?
- Question #53
When should adaptive response actions be used in threat hunting?
- Question #54
How are SOAR playbooks used in threat hunting?
- Question #55
Which Splunk resource provides pre-built content for assessing data sources and threat intelligence capabilities?
- Question #56
How does Splunk Enterprise Security (ES) interact with Common Information Model (CIM) and Data Models?
- Question #57
In the context of cybersecurity, what does the term "SIEM" stand for?
- Question #58
What is the recommended approach when handling a security incident?
- Question #59
In Splunk SPL, which command is used to filter and group results based on specific fields?
- Question #60
Which of the following are correct statements about Splunk Enterprise Security annotations?
- Question #61
What is the main difference between a Denial of Service (DoS) attack and a Distributed Denial of Service (DDoS) attack?
- Question #62
Which Enterprise Security framework provides a mechanism for running preconfigured actions within the Splunk platform or integrating with external applications?
- Question #63
Which of the following Splunk Enterprise Security features allows industry frameworks such as CIS Critical Security Controls, MITRE ATT&CK, and the Lockheed Martin Cyber Kill Chain...
- Question #64
Which of the following is the primary benefit of using the CIM in Splunk?
- Question #65
Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?
- Question #66
A threat hunter executed a hunt based on the following hypothesis: As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Comman...
- Question #67
An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to...
- Question #68
In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?
- Question #69
An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following mi...
- Question #70
An analyst is examining the logs for a web application's login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates...
- Question #71
An analysis of an organization's security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who wo...
- Question #72
After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is...
- Question #73
An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own dat...
- Question #74
What is the following step-by-step description an example of? 1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document. 2. The atta...
- Question #75
Which of the following is a best practice when creating performant searches within Splunk?
- Question #76
Which pre-packaged app delivers security content and detections on a regular, ongoing basis for Enterprise Security and SOAR?
- Question #77
A user wants to view only the use cases for which the Splunk instance has all of the supporting source types to implement. In Splunk Security Essentials, what operation needs to ha...
- Question #78
An analyst is looking for known C2 communication in a few billion NetFlow records, using a query similar to the following: index=network sourcetype=netflow src_ip=149.151.100.4 src...
- Question #79
A PCAP file contains what type of data?
- Question #80
Which of the TTP elements represent the adversary's goal - the reason for performing an action?
- Question #81
Which Splunk search mode is best for searches that contain commands such as chart, timechart, and top, but the analyst still wants results in the events tab?
- Question #82
Which of the following Splunk terms describes a group of standard field names and values that categorize data in a way that makes it easier to work with, especially when dealing wi...
- Question #84
Which of the following terms is associated with the behavior of a threat actor and a structured framework for executing a cyberattack, and defines why an attacker is performing an...
- Question #85
In SPL, streaming commands operate on each individual event. There are two types of streaming commands: distributable and centralized. Which of the following statements is true abo...
- Question #86
An analyst discovers she has only raw data from a source. She believes that it could be of great value to future analysis efforts if it were available to existing correlation searc...
- Question #87
Which Security Domain in Enterprise Security contains the dashboards that include vulnerability information generated by vulnerability scanners, next-generation firewalls, and othe...
- Question #88
An attacker impersonating a bank employee calls a user in an attempt to gain access to their account. What type of attack was used in this scenario?
- Question #89
Associated with the behavior of a threat actor and a structured framework for executing a cyberattack, which of the following terms defines exactly how a threat actor achieves a ta...
- Question #90
What is the name of the threat-hunting technique that involves identifying data points that are least like the other points in a dataset?
- Question #91
Long-tail analysis is a threat-hunting technique used for which of the following?
- Question #92
Which SPL syntax would be used to perform statistical queries on indexed fields to calculate the cumulative total risk by the system or user in the most efficient way?
- Question #93
A user reports to the Security Operations Center (SOC) that the following screen is displayed on their computer: Which of the following source types would be most useful for the SO...
- Question #94
In Splunk, what feature would an analyst leverage to drilldown on an IP address field to query third-party intelligence for that IP?
- Question #95
An analyst needs to send notification emails after investigating a particular type of finding. Which feature should they ask an engineer to enable that will allow them to do so dir...
- Question #96
What feature of Splunk Security Essentials (SSE) allows an analyst to see a listing of current on-boarded data sources in Splunk so they can view content based on available data?
- Question #97
Why is the tstats command generally more efficient than using a stats command when searching over large data sets?
- Question #98
Enterprise Security has been configured to generate a Notable Event when a user has quickly authenticated from multiple locations between which travel would be impossible. This wou...
- Question #99
A threat hunter creates a model of normal, expected activity on a portion of their network. Later, they compare observed activity against this model, looking for significant deviat...
- Question #100
Which Splunk Enterprise Security framework provides a way to identify incidents from events and then manage the ownership, triage process, and state of those incidents?
- Question #101
Which of the following is not considered a type of default metadata in Splunk?