New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Splunk SPLK-5001 Splunk Certified Cybersecurity Defense Analyst Exam Practice Test

Page: 1 / 7
Total 66 questions

Splunk Certified Cybersecurity Defense Analyst Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?

Options:

A.

username

B.

src_user_id

C.

src_user

D.

dest_user

Question 2

Which of the Enterprise Security frameworks provides additional automatic context and correlation to fields that exist within raw data?

Options:

A.

Asset and Identity

B.

Threat Intelligence

C.

Adaptive Response

D.

Risk

Question 3

The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.

Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?

Options:

A.

Comments

B.

Moles

C.

Annotations

D.

Framework mapping

Question 4

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

Options:

A.

host

B.

dest

C.

src_nt_host

D.

src_ip

Question 5

An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down:

147.186.119.107 - - [28/Jul/2006:10:27:10 -0300] "POST /cgi-bin/shutdown/ HTTP/1.0" 200 3333

What kind of attack is most likely occurring?

Options:

A.

Distributed denial of service attack.

B.

Denial of service attack.

C.

Database injection attack.

D.

Cross-Site scripting attack.

Question 6

What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?

Options:

A.

Host-based firewall

B.

Web proxy

C.

Endpoint Detection and Response

D.

Intrusion Detection System

Question 7

Which of the following is a correct Splunk search that will return results in the most performant way?

Options:

A.

index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host

B.

| stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host

C.

index=foo host=i-478619733 | transaction src_ip |stats count by host

D.

index=foo | transaction src_ip |stats count by host | search host=i-478619733

Question 8

What is the main difference between a DDoS and a DoS attack?

Options:

A.

A DDoS attack is a type of physical attack, while a DoS attack is a type of cyberattack.

B.

A DDoS attack uses a single source to target a single system, while a DoS attack uses multiple sources to target multiple systems.

C.

A DDoS attack uses multiple sources to target a single system, while a DoS attack uses a single source to target a single or multiple systems.

D.

A DDoS attack uses a single source to target multiple systems, while a DoS attack uses multiple sources to target a single system.

Question 9

An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initiated the network connection?

Options:

A.

Endpoint

B.

Authentication

C.

Network traffic

D.

Web

Question 10

Which of the following is the primary benefit of using the CIM in Splunk?

Options:

A.

It allows for easier correlation of data from different sources.

B.

It improves the performance of search queries on raw data.

C.

It enables the use of advanced machine learning algorithms.

D.

It automatically detects and blocks cyber threats.

Question 11

Which of the following is a best practice when creating performant searches within Splunk?

Options:

A.

Utilize the transaction command to aggregate data for faster analysis.

B.

Utilize Aggregating commands to ensure all data is available prior to Streaming commands.

C.

Utilize specific fields to return only the data that is required.

D.

Utilize multiple wildcards across fields to ensure returned data is complete and available.

Question 12

Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?

Options:

A.

asset_category

B.

src_ip

C.

src_category

D.

user

Question 13

What is the following step-by-step description an example of?

1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.

2. The attacker creates a unique email with the malicious document based on extensive research about their target.

3. When the victim opens this document, a C2 channel is established to the attacker’s temporary infrastructure on a compromised website.

Options:

A.

Tactic

B.

Policy

C.

Procedure

D.

Technique

Question 14

Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?

Options:

A.

CASE()

B.

LIKE()

C.

FORMAT ()

D.

TERM ()

Question 15

An organization is using Risk-Based Alerting (RBA). During the past few days, a user account generated multiple risk observations. Splunk refers to this account as what type of entity?

Options:

A.

Risk Factor

B.

Risk Index

C.

Risk Analysis

D.

Risk Object

Question 16

An analyst is examining the logs for a web application’s login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.

Which type of attack would this be an example of?

Options:

A.

Credential sniffing

B.

Password cracking

C.

Password spraying

D.

Credential stuffing

Question 17

When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

Options:

A.

foreach

B.

rex

C.

makeresults

D.

transaction

Question 18

The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?

Options:

A.

Act on Objectives

B.

Exploitation

C.

Delivery

D.

Installation

Question 19

Which of the following data sources can be used to discover unusual communication within an organization’s network?

Options:

A.

EDS

B.

Net Flow

C.

Email

D.

IAM

Page: 1 / 7
Total 66 questions