SPLK-5002 Exam Questions
117 real SPLK-5002 exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #51
What is Enterprise Security's default way of determining the urgency of a finding (notable event)?
- Question #52
Which of the following should be the primary reference when designing a new playbook in Splunk SOAR?
- Question #53
In Enterprise Security, what is the name of the threat intelligence lookup pertaining to files?
- Question #54
The SOC manager has a desire to measure mean time to acknowledge findings (notable events) in order to meet a desired service level objective. Which two fields can be used to measu...
- Question #55
An engineer has discovered that an acquired company uses a duplicate IP address space. Which feature of the asset and identity framework could be turned on that would allow for the...
- Question #56
The following SPL is designed to report on a certain SOC metric. Which metric is the most likely topic for this report?
- Question #57
Which Splunk feature makes SPL searches shorter and reusable by inserting it into search strings?
- Question #58
An EDR tool was recently purchased and needs to be integrated into existing Splunk SOAR playbooks. Which actions are typically associated with this type of asset?
- Question #59
Which phase of the incident response lifecycle would cause the least amount of friction when replacing manual steps with automation?
- Question #60
What must be configured as a setting in a correlation search for a notable to be generated?
- Question #61
An engineer is examining a correlation search as a part of a detection review, and sees that it is configured in the following fashion: Which of the following is true about this co...
- Question #62
Engineers are commonly asked to turn data sources like EDR alerts into risk events. Doing so requires a dynamic mapping of the signatures in the rule to MITRE ATT&CK®. Which of the...
- Question #63
There are multiple methods for communicating data with a REST Endpoint. In the above screenshot what is the name of the key value pairs represented after the question mark in the U...
- Question #64
A threat actor group has begun a campaign that is relevant to an organization. How can the organization's engineer raise the risk score for corresponding intelligence matches in th...
- Question #65
The Director of Security would like to understand the operational efficiency of the SOC analysts at a high level. What is a metric that can be used to determine their efficiency?
- Question #66
Which of the following is a reason to utilize ES risk framework as a part of detection building?
- Question #67
When creating a case in Splunk SOAR, which action should be taken to correlate various findings (risk notables) to ensure all are actioned?
- Question #68
Consider the following series of events: 4:00 GMT Detection runs for interval 3:30-4:00 4:30 GMT Detection runs for interval 4:00-4:30 4:35 GMT Event 1 occurs on an endpoint 4:45 G...
- Question #69
An effective method for building automation workflows is to follow the OODA (Observe, Orient, Decide, Act) loop stages. When transitioning between the Decide and Act stages, what a...
- Question #70
What is the best method to operationalize the results of a threat hunt for daily use by SOC analysts?
- Question #71
How can an engineer verify if results will return for a potential detection based on historical events within the organization?
- Question #72
Which of the following is not a type of metadata that can be returned by the metadata command?
- Question #73
MITRE D3FEND™ is designed to complement MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ in order...
- Question #74
Below is an example of a sysmon process create log. Which EventCode would be associated to this log entry?
- Question #75
Based on a recent red team exercise, an organization is highly concerned about pass the hash attacks especially including tools like Empire. Which EventCode associated to PowerShel...
- Question #76
When developing security metrics, why would a Key Performance Indicator (KPI) that focuses on total perimeter firewall blocks be an ineffective metric?
- Question #77
Which stash event field created by an adaptive response action allows for troubleshooting the correlation search that created the notable event?
- Question #78
An engineer needs to create a new report capturing the vendors and products that detect a particular CVE in their environment. How can they ensure that their search associated with...
- Question #79
Which of the following identifies elements of the Detection Development Lifecycle (DDLC)?
- Question #80
The SOC notices over the course of an investigation there are numerous logs like the following: 14-Apr-2024 20:16:49.083 client 15.111.116.918*18345 UDP: query: reallybad.c2.com IN...
- Question #81
When setting Common Information Model (CIM) accelerations, which parameter should be defined to set how far back in time (specified as a relative time string) the Splunk platform c...
- Question #82
When creating a new playbook to be called directly from Mission Control or Enterprise Security, which type of playbook must be used?
- Question #83
What does the following search do?
- Question #84
An engineer has been asked to build a new dashboard after an increase in login failures across the organization's Microsoft Azure domain. They need to construct a search to only di...
- Question #85
A cyber defense engineer plays a role in maintaining a secure SOAR Cloud configuration. Which network security statement is correct about SOAR Cloud?
- Question #86
When building detections using the Authentication Data Model, which values are recommended for use against the actions field?
- Question #87
Which Enterprise Security components provide enrichment to the Risk Framework?
- Question #88
What is the primary purpose of data indexing in Splunk?
- Question #89
Which features are crucial for validating integrations in Splunk SOAR? (Choose three)
- Question #90
How can you incorporate additional context into notable events generated by correlation searches?
- Question #91
What is the primary purpose of correlation searches in Splunk?
- Question #92
Which practices strengthen the development of Standard Operating Procedures (SOPs)? (Choose three)
- Question #93
A new playbook needs to be developed for automated phishing analysis and response. Configured in SOAR are integrations with Splunk Enterprise Security and actions from assets that...
- Question #94
Which of the following macro values will exclude all of the company networks if it is called from the following search? index=firewall sourcetype=pan:traffic NOT "company_networks"
- Question #95
Risk scores are associated with how many levels of risk in Enterprise Security by default?
- Question #96
While working with the SOC analysts to review current contextualization processes, a request for automation has been raised by the SOC team. They are asking for a new automation th...
- Question #97
What is one method used in ESCU content to calculate a risk score when creating a detection that uses the Risk Analysis adaptive response action?
- Question #98
Lookups append fields from an external source to events based on the values of fields that are already present in those events. What are the four supported lookup types?
- Question #99
When creating a detection, how might an engineer ensure that all possible contextual fields about a given asset and identity are added to a risk event?
- Question #100
Which of the following is a reason to utilize an index-based search (index=...) over a data model search (| tstats...) in a detection?