Splunk Certified Cybersecurity Defense Analyst - SPLK-5001 Exam Practice Test
An organization is using Risk-Based Alerting (RBA). During the past few days, a user account generated multiple risk observations. Splunk refers to this account as what type of entity?
Correct Answer: D
During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
Correct Answer: D
What is the following step-by-step description an example of?
1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.
2. The attacker creates a unique email with the malicious document based on extensive research about their target.
3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.
Correct Answer: D
What is the recommended approach when handling a security incident?
Correct Answer: A
An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?
Correct Answer: D
A Risk Notable Event has been triggered in Splunk Enterprise Security; an analyst investigates the alert and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?
Correct Answer: B