nerdexam
Splunk

SPLK-5002 · Question #11

SPLK-5002 Question #11: Real Exam Question with Answer & Explanation

The correct answer is B. Create a correlation search to produce notable events for the activity.. To ensure that suspicious activity consistently generates findings in the future, the detection engineer should create a correlation search for the identified activity. This automates detection by continuously monitoring for the same pattern and producing notable events when it o

Question

The threat-hunting team has identified suspicious activity. An analyst manually creates a notable event using an event action to track the activity. How should a detection engineer ensure this activity automatically produces findings in the future?

Options

  • ACreate a SOAR playbook to assign risk modifiers for events matching the activity.
  • BCreate a correlation search to produce notable events for the activity.
  • CCreate a risk modifier for events matching the activity.
  • DCreate a SOAR playbook to identify events matching the activity and assign an urgency.

Explanation

To ensure that suspicious activity consistently generates findings in the future, the detection engineer should create a correlation search for the identified activity. This automates detection by continuously monitoring for the same pattern and producing notable events when it occurs again.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full SPLK-5002 Practice