
SPLK-5002 Question #6: Real Exam Question with Answer & Explanation

The correct answer is A. | eval annotations.mitre_attack.mitre_technique_id="T1027".

Question

An engineer is writing a correlation search and wants to use T1027 from MITRE ATT&CK® as a field in Incident Review. Assuming they are writing a correlation search that does not use the Risk data model, what example statement should be appended at the end of their correlation search?

Options

  • A. | eval annotations.mitre_attack.mitre_technique_id="T1027"
  • B. | set annotations.mitre_attack.mitre_technique_id="T1027"
  • C. | set field.mitre_attack.mitre_technique_id="T1027"
  • D. | eval field.mitre_attack.mitre_technique_id="T1027"

Explanation

To associate a MITRE ATT&CK® technique with a correlation search that does not use the Risk data model, append an eval statement that sets the annotation field Incident Review reads. The correct syntax is | eval annotations.mitre_attack.mitre_technique_id="T1027".
