Splunk SPLK-5001 시험

Question No : 1

When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

• A.foreach
• B.rex
• C.makeresults
• D.transaction

답을 확인하기

정답:

Question No : 2

Why is tstats more efficient than stats for large datasets?

• A.tstats is faster since it operates at the beginning of the search pipeline.
• B.tstats is faster since it only looks at indexed metadata, not raw data.
• C.tstats is faster due to its SQL-like syntax.
• D.tstats is faster since it searches raw logs for extracted fields.

답을 확인하기

정답:

Question No : 3

A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each authenticated. They sort this list and remove any user names who have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail.
This is an example of what type of threat-hunting technique?

• A.Least Frequency of Occurrence Analysis
• B.Co-Occurrence Analysis
• C.Time Series Analysis
• D.Outlier Frequency Analysis

답을 확인하기

정답:

Question No : 4

An analyst would like to test how certain Splunk SPL commands work against a small set of data.
What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

• A.makeresults
• B.rename
• C.eval
• D.stats

답을 확인하기

정답:

Question No : 5

A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive.
What metric would be used to define the time between alert creation and close of the event?

• A.MTTR (Mean Time to Respond)
• B.MTBF (Mean Time Between Failures)
• C.MTTA (Mean Time to Acknowledge)
• D.MTTD (Mean Time to Detect)

답을 확인하기

정답:

Question No : 6

Which metric would track improvements in analyst efficiency after dashboard customization?

• A.Mean Time to Detect
• B.Mean Time to Respond
• C.Recovery Time
• D.Dwell Time

답을 확인하기

정답:

Question No : 7

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.
What should they ask their engineer for to make their analysis easier?

• A.Create a field extraction for this information.
• B.Add this information to the risk message.
• C.Create another detection for this information.
• D.Allowlist more events based on this information.

답을 확인하기

정답:

Question No : 8

While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies.
Which of the following Splunk commands returns the least common values?

• A.least
• B.uncommon
• C.rare
• D.base

답을 확인하기

정답:

Question No : 9

The following list contains examples of Tactics, Techniques, and Procedures (TTPs):
• Exploiting a remote service
• Extend movement
• Use EternalBlue to exploit a remote SMB server
In which order are they listed below?

• A.Tactic, Procedure, Technique
• B.Technique, Tactic, Procedure
• C.Tactic, Technique, Procedure
• D.Procedure, Technique, Tactic

답을 확인하기

정답:

Question No : 10

Which of the following roles is commonly responsible for selecting and designing the infrastructure and tools that a security analyst utilizes to effectively complete their job duties?

• A.Threat Intelligence Analyst
• B.SOC Manager
• C.Security Engineer
• D.Security Architect

답을 확인하기

정답:

Question No : 11

What Splunk feature would enable enriching public IP addresses with ASN and owner information?

• A.Using rex to extract this information at search time.
• B.Using lookup to include relevant information.
• C.Using oval commands to calculate the AS
• D.Using makersanita to add the ASMs to the search.

답을 확인하기

정답:

Question No : 12

What is the first phase of the Continuous Monitoring cycle?

• A.Monitor and Protect
• B.Define and Predict
• C.Assess and Evaluate
• D.Respond and Recover

답을 확인하기

정답:

Question No : 13

What is the main difference between hypothesis-driven and data-driven Threat Hunting?

• A.Data-driven hunts always require more data to search through than hypothesis-driven hunts.
• B.Data-driven hunting tries to uncover activity within an existing data set, hypothesis-driven hunting begins with a potential activity that the hunter thinks may be happening.
• C.Hypothesis-driven hunts are typically executed on newly ingested data sources, while data-driven hunts are not.
• D.Hypothesis-driven hunting tries to uncover activity within an existing data set, data-driven hunting begins with an activity that the hunter thinks may be happening.

답을 확인하기

정답:

Question No : 14

The field file_acl contains access controls associated with files affected by an event.
In which data model would an analyst find this field?

• A.Malware
• B.Alerts
• C.Vulnerabilities
• D.Endpoint

답을 확인하기

정답:

Question No : 15

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

• A.Forming hypothesis for Threat Hunting
• B.Visualizing complex datasets.
• C.Creating persistent field extractions.
• D.Taking containment action on a compromised host

답을 확인하기

정답: