Which Enterprise Security framework provides a mechanism for running preconfigured actions within the Splunk platform or integrating with external applications?
- A . Asset and Identity
- B . Notable Event
- C . Threat Intelligence
- D . Adaptive Response
Which of the following Splunk Enterprise Security features allows industry frameworks such as CIS Critical Security Controls, MITRE ATT&CK, and the Lockheed Martin Cyber Kill Chain® to be mapped to Correlation Search results?
- A . Annotations
- B . Playbooks
- C . Comments
- D . Enrichments
Which of the following is the primary benefit of using the CIM in Splunk?
- A . It allows for easier correlation of data from different sources.
- B . It improves the performance of search queries on raw data.
- C . It enables the use of advanced machine learning algorithms.
- D . It automatically detects and blocks cyber threats.
Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers.
In which framework are these categorized?
- A . NIST 800-53
- B . ISO 27000
- C . CIS18
- D . MITRE ATT&CK
A threat hunter executed a hunt based on the following hypothesis:
As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.
Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company’s environment.
Which of the following best describes the outcome of this threat hunt?
- A . The threat hunt was successful because the hypothesis was not proven.
- B . The threat hunt failed because the hypothesis was not proven.
- C . The threat hunt failed because no malicious activity was identified.
- D . The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.
An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn’t seem to be any associated increase in incoming traffic.
What type of threat actor activity might this represent?
- A . Data exfiltration
- B . Network reconnaissance
- C . Data infiltration
- D . Lateral movement
In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?
- A . Define and Predict
- B . Establish and Architect
- C . Analyze and Report
- D . Implement and Collect
An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security.
Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?
- A . Splunk ITSI
- B . Security Essentials
- C . SOAR
- D . Splunk Intelligence Management
During their shift, an analyst receives an alert about an executable being run from C:WindowsTemp.
Why should this be investigated further?
- A . Temp directories aren’t owned by any particular user, making it difficult to track the process owner when files are executed.
- B . Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
- C . Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.
- D . Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?
- A . Running the Risk Analysis Adaptive Response action within the Notable Event.
- B . Via a workflow action for the Risk Investigation dashboard.
- C . Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
- D . Clicking the risk event count to open the Risk Event Timeline.
A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.
What should they ask their engineer for to make their analysis easier?
- A . Create a field extraction for this information.
- B . Add this information to the risk message.
- C . Create another detection for this information.
- D . Allowlist more events based on this information.
What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?
- A . Host-based firewall
- B . Web proxy
- C . Endpoint Detection and Response
- D . Intrusion Detection System
What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?
- A . Host-based firewall
- B . Web proxy
- C . Endpoint Detection and Response
- D . Intrusion Detection System
186.119.200 – – [28/Jul/2023:12:04:13 -0300] "GET /login/ HTTP/1.0" 200 3733 What kind of attack is occurring?
- A . Denial of Service Attack
- B . Distributed Denial of Service Attack
- C . Cross-Site Scripting Attack
- D . Database Injection Attack
According to David Bianco’s Pyramid of Pain, which indicator type is least effective when used in continuous monitoring?
- A . Domain names
- B . TTPs
- C . NetworM-lost artifacts
- D . Hash values
An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?
- A . Security Architect
- B . SOC Manager
- C . Security Engineer
- D . Security Analyst
Which of the following is a correct Splunk search that will return results in the most performant way?
- A . index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host
- B . | stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host
- C . index=foo host=i-478619733 | transaction src_ip |stats count by host
- D . index=foo | transaction src_ip |stats count by host | search host=i-478619733
There are many resources for assisting with SPL and configuration questions.
Which of the following resources feature community-sourced answers?
- A . Splunk Answers
- B . Splunk Lantern
- C . Splunk Guidebook
- D . Splunk Documentation
A successful Continuous Monitoring initiative involves the entire organization.
When an analyst discovers the need for more context or additional information, perhaps from additional data sources or altered correlation rules, to what role would this request generally escalate?
- A . SOC Manager
- B . Security Analyst
- C . Security Engineer
- D . Security Architect
Splunk Enterprise Security has numerous frameworks to create correlations, integrate threat intelligence, and provide a workflow for investigations.
Which framework raises the threat profile of individuals or assets to allow identification of people or devices that perform an unusual amount of suspicious activities?
- A . Threat Intelligence Framework
- B . Risk Framework
- C . Notable Event Framework
- D . Asset and Identity Framework
While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies.
Which of the following Splunk commands returns the least common values?
- A . least
- B . uncommon
- C . rare
- D . base