Exam SPLK-5001: Splunk Certified Cybersecurity Defense Analyst
Exam Number: SPLK-5001 | Length of test: 60 mins
Exam Name: Splunk Certified Cybersecurity Defense Analyst | Number of questions in the actual exam: 60
Format: PDF, VPLUS | Passing Score: +75%
Download practice test questions
Title | Size | Hits
---|---|---
Splunk.Premium.SPLK-5001.66q - DEMO | 22.80 KB | 38
Splunk.SPLK-5001.by.Wino.40q | 178.53 KB | 39
Some questions:
Q
Which of the following use cases is best suited to be a Splunk SOAR Playbook?
A. Forming hypotheses for Threat Hunting.
B. Visualizing complex datasets.
C. Creating persistent field extractions.
D. Taking containment action on a compromised host.
Q
Which of the following is not considered an Indicator of Compromise (IOC)?
A. A specific domain that is utilized for phishing.
B. A specific IP address used in a cyberattack.
C. A specific file hash of a malicious executable.
D. A specific password for a compromised account.
Q
According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
A. username
B. src_user_id
C. src_user
D. dest_user
Q
The following list contains examples of Tactics, Techniques, and Procedures (TTPs):
1. Exploiting a remote service
2. Lateral movement
3. Using EternalBlue to exploit a remote SMB server
In which order are they listed above?
A. Tactic, Technique, Procedure
B. Procedure, Technique, Tactic
C. Technique, Tactic, Procedure
D. Tactic, Procedure, Technique
Q
An analyst is investigating how an attacker successfully performed a brute-force attack to gain a foothold in an organization's systems. In the course of the investigation the analyst determines that no alerts were generated because the detection searches were configured to run against Windows data only, excluding any Linux data.
This is an example of what?
A. A True Positive.
B. A True Negative.
C. A False Negative.
D. A False Positive.
Q
An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initiated the network connection?
A. Endpoint
B. Authentication
C. Network Traffic
D. Web
Q
Which of the following is a best practice for searching in Splunk?
A. Streaming commands run before aggregating commands in the Search pipeline.
B. Raw word searches should contain multiple wildcards to ensure all edge cases are covered.
C. Limit the fields returned from the search by using the table command.
D. Searching over All Time ensures that all relevant data is returned.
Q
While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What mode needs to be set in order to replace the defined values with X?
| makeresults
| eval ccnumber="511388720478619733"
| rex field=ccnumber mode=??? "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"
Please assume that the above rex command is correctly written.
A. sed
B. replace
C. mask
D. substitute
………….