SPLK-5002 Exam Questions
117 real SPLK-5002 exam questions with expert-verified answers and explanations. Page 1 of 3.
- Question #1
Which Splunk Enterprise Security add-on facilitates the ingestion of Threat Intelligence data?
- Question #2
In a Risk-Based Alerting implementation with Splunk Enterprise Security, which of the following best describes a risk factor?
- Question #3
In a contextualization playbook, a URL is transmitted to a sandbox for examination and disposition recommendation. What underlying HTTP method is used to transmit this data to the...
- Question #4
What provides consistency for data mapping applied to data model and saved search exports between Splunk Enterprise Security and Splunk SOAR?
- Question #5
Which tool can help provide a baseline of the data sources in a given Splunk environment?
- Question #6
An engineer is writing a correlation search and wants to use T1027 from MITRE ATT&CK® as a field in Incident Review. Assuming they are writing a correlation search that does not us...
- Question #7
An automation engineer for the Wonderland SOC has configured a new asset and is getting an HTTP 403 response code. Which of the following is the possible cause of this error code?
- Question #8
Which of the following is a methodology to help prevent malicious lateral movement?
- Question #9
How does Mission Control decipher which response template to assign to findings?
- Question #10
For detections that leverage a CIM data model, which aspect of the configuration is responsible for determining which indexes are being searched?
- Question #11
The threat-hunting team has identified suspicious activity. An analyst manually creates a notable event using an event action to track the activity. How should a detection engineer...
- Question #12
A detection engineer is using a threat defense informed strategy to define use cases. Which Splunk app would best facilitate their use case development process by cross referencing...
- Question #13
What can an engineer use to capture contextual values from a dashboard and create a drilldown to link to a new search?
- Question #14
A corporate laptop was disconnected from the internet Friday at 5PM local time. While offline, the user unknowingly opened a malicious file. The laptop came back online the followi...
- Question #15
Which of the following detections would use a high count of events with Windows Event Code 4740 grouped by a user to determine suspicious behavior?
- Question #16
A SOC's Incident Response Standard Operating Procedure (SOP) calls for any phishing emails containing files to be detonated in Splunk Attack Analyzer for evaluation. Which of the f...
- Question #17
Which fields are used to determine asset priority, when priority is assigned through an asset and identity lookup?
- Question #18
What framework in Enterprise Security allows engineers to build detections using known malicious IOCs comparing them to event logs to find suspicious behavior?
- Question #19
Which of the following can process data from configured containers using an automated sequence of actions?
- Question #20
A Detection Engineer works closely with SOC leads to define expected analyst workflows, often documented as a Standard Operating Procedure (SOP). Which capability can be used to do...
- Question #21
What document can be helpful in understanding the prioritization of risk when comparing entities in an organization?
- Question #22
Which of the following cURL commands would allow an engineer to effectively disable the REST API endpoint they've been utilizing for testing a detection named TestSearchDevelopment...
- Question #23
An engineer wants to track and report on all authentication to corporate assets, and wants to prioritize critical assets without significantly increasing the number of findings (no...
- Question #24
In the context of Splunk's Common Information Model (CIM), which constraint ensures that events from different data sources appear in the applicable data model?
- Question #25
Which tool can help identify known tactics, techniques, and procedures that a threat group is most likely to use when targeting a financial organization?
- Question #26
Based on the provided screenshot, it's discovered that different machines or accounts have been associated with the shown threat objects. Enterprise Security has identified that th...
- Question #27
An engineer notices that a detection is creating multiple findings (notables) for the same potential incident. Which setting can be adjusted to reduce the number of generated findi...
- Question #28
Which of the following should an engineer do as they evaluate their Threat Detection and Incident Response lifecycle?
- Question #29
Which of the following is the most efficient search to return a list of all visible indexes and the sourcetypes contained within them?
- Question #30
When creating a detection that searches user activity across CIM-compliant data, which CIM field should be reviewed to ensure that data is aggregated appropriately?
- Question #31
The SOC Manager requested a better method to standardize the list of tasks that analysts follow when they evaluate events or cases. Which Splunk SOAR feature allows the creation of...
- Question #32
Which type of correlation search reviews the events in the risk index and uses an aggregation of events impacting a single risk object to generate risk notables?
- Question #33
One of the goals of a detection engineer is to facilitate the triage process by providing the analyst as much context as possible. One way of accomplishing this is to provide conte...
- Question #34
Which of the following traces specific stages of an attack lifecycle?
- Question #35
An engineer adds a custom event status of 'Testing' and accidentally makes it the new default status. Their SOC calculates some metrics based on Notable status change sequences, st...
- Question #36
While working in Mission Control, an analyst is looking to add enrichment and contextualize the finding that is being worked. If they were to click the execute icon next to the "Mi...
- Question #37
An engineer has been working on building a new automation for the SOC. What Scope should be selected in the SOAR Playbook Debugger during the playbook development to ensure consist...
- Question #38
Which syntax is correct to create two new rows on an existing threat intelligence collection?
- Question #39
An engineer creates a new event type. What defines the association of this event type to an applicable data model?
- Question #40
In order to perform a complete data assessment, an engineer's role within Splunk must have which of the following?
- Question #41
The below search is used to tabulate the Risk Score by Entity. What is incorrect about this search?
- Question #42
Based on this example image, if it is detected that a member has been added to a security-enabled local group, how many risk events will be created?
- Question #43
Which of the following actions will allow access to a list of alert actions via the API?
- Question #44
Utilizing a Standard Operating Procedure (SOP) is an effective way to ensure that analysts are responding to generated findings in a consistent and analytical manner. Where is the...
- Question #45
What external support consideration should an engineer account for if they plan to automate the disabling of a system or user?
- Question #46
When creating detections, which of the following sequences would result in the most performant SPL query?
- Question #47
When should a detection be reviewed or retuned after deployment?
- Question #48
If a correlation search cannot be run at the configured time, which scheduling option should an engineer use to ensure there are no backfill gaps in data?
- Question #49
Which search command was used to generate the result in the image below?
- Question #50
What cardinality of data should be used in an indexed field to optimize and speed up searches?