Winter Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: v4s65

SPLK-5001 Exam Dumps - Splunk Certified Cybersecurity Defense Analyst

Question # 4

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

A.

Define and Predict

B.

Establish and Architect

C.

Analyze and Report

D.

Implement and Collect

Full Access
Question # 5

What is the following step-by-step description an example of?

1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.

2. The attacker creates a unique email with the malicious document based on extensive research about their target.

3. When the victim opens this document, a C2 channel is established to the attacker’s temporary infrastructure on a compromised website.

A.

Tactic

B.

Policy

C.

Procedure

D.

Technique

Full Access
Question # 6

Which of the following Splunk Enterprise Security features allows industry frameworks such as CIS Critical Security Controls, MITRE ATT&CK, and the Lockheed Martin Cyber Kill Chain® to be mapped to Correlation Search results?

A.

Annotations

B.

Playbooks

C.

Comments

D.

Enrichments

Full Access
Question # 7

The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.

Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?

A.

Comments

B.

Moles

C.

Annotations

D.

Framework mapping

Full Access
Question # 8

An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organizations systems. In the course of the investigation the analyst determines that the reason no alerts were generated is because the detection searches were configured to run against Windows data only and excluding any Linux data.

This is an example of what?

A.

A True Positive.

B.

A True Negative.

C.

A False Negative.

D.

A False Positive.

Full Access
Question # 9

Which pre-packaged app delivers security content and detections on a regular, ongoing basis for Enterprise Security and SOAR?

A.

SSE

B.

ESCU

C.

Threat Hunting

D.

InfoSec

Full Access
Question # 10

Which of the following data sources can be used to discover unusual communication within an organization’s network?

A.

EDS

B.

Net Flow

C.

Email

D.

IAM

Full Access
Question # 11

An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?

A.

Running the Risk Analysis Adaptive Response action within the Notable Event.

B.

Via a workflow action for the Risk Investigation dashboard.

C.

Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.

D.

Clicking the risk event count to open the Risk Event Timeline.

Full Access
Question # 12

An analyst is examining the logs for a web application’s login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.

Which type of attack would this be an example of?

A.

Credential sniffing

B.

Password cracking

C.

Password spraying

D.

Credential stuffing

Full Access
Question # 13

A threat hunter executed a hunt based on the following hypothesis:

As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.

Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company’s environment.

Which of the following best describes the outcome of this threat hunt?

A.

The threat hunt was successful because the hypothesis was not proven.

B.

The threat hunt failed because the hypothesis was not proven.

C.

The threat hunt failed because no malicious activity was identified.

D.

The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.

Full Access
Question # 14

The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?

A.

Act on Objectives

B.

Exploitation

C.

Delivery

D.

Installation

Full Access
Question # 15

An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down:

147.186.119.107 - - [28/Jul/2006:10:27:10 -0300] "POST /cgi-bin/shutdown/ HTTP/1.0" 200 3333

What kind of attack is most likely occurring?

A.

Distributed denial of service attack.

B.

Denial of service attack.

C.

Database injection attack.

D.

Cross-Site scripting attack.

Full Access
Question # 16

Splunk Enterprise Security has numerous frameworks to create correlations, integrate threat intelligence, and provide a workflow for investigations. Which framework raises the threat profile of individuals or assets to allow identification of people or devices that perform an unusual amount of suspicious activities?

A.

Threat Intelligence Framework

B.

Risk Framework

C.

Notable Event Framework

D.

Asset and Identity Framework

Full Access
Question # 17

When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?

A.

| sort by user | where count > 1000

B.

| stats count by user | where count > 1000 | sort - count

C.

| top user

D.

| stats count(user) | sort - count | where count > 1000

Full Access
Question # 18

While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies. Which of the following Splunk commands returns the least common values?

A.

least

B.

uncommon

C.

rare

D.

base

Full Access
Question # 19

Which of the following is a best practice when creating performant searches within Splunk?

A.

Utilize the transaction command to aggregate data for faster analysis.

B.

Utilize Aggregating commands to ensure all data is available prior to Streaming commands.

C.

Utilize specific fields to return only the data that is required.

D.

Utilize multiple wildcards across fields to ensure returned data is complete and available.

Full Access