MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?
Question2: A threat hunter executed a hunt based on the following hypothesis:As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company's environment.Which of the following best describes the outcome of this threat hunt?
Question3: A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threat Intelligence?
Question4: An analyst is examining the logs for a web application's login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.Which type of attack would this be an example of?
Question5: While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What mode needs to be set to in order to replace the defined values with X?| makeresults| eval ccnumber="511388720478619733"| rex field=ccnumber mode=??? "s/(\d{4}-){3)/XXXX-XXXX-XXXX-/g"Please assume that the above rex command is correctly written.
Question6: Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?
Question7: When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?
Question8: According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
Question9: An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.What type of threat actor activity might this represent?
Question10: The eval SPL expression supports many types of functions. Which of these function categories is not valid with eval?
Question11: Which of the following is a tactic used by attackers, rather than a technique?
Question12: A successful Continuous Monitoring initiative involves the entire organization. When an analyst discovers the need for more context or additional information, perhaps from additional data sources or altered correlation rules, to what role would this request generally escalate?
Question13: Which of the following is considered Personal Data under GDPR?
Question14: An analysis of an organization's security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of designing the new process and selecting the required tools to implement it?
Question15: Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?
Question16: Which of the following use cases is best suited to be a Splunk SOAR Playbook?A Forming hypothesis for Threat HuntingB. Visualizing complex datasets.C. Creating persistent field extractions.D. Taking containment action on a compromised host
Question17: Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?
Question18: An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review. Where would they find this?
Question19: What goal of an Advanced Persistent Threat (APT) group aims to disrupt or damage on behalf of a cause?
Question20: A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times they have each authenticated. They sort this list and remove any user names who have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail.This is an example of what type of threat-hunting technique?
Question21: When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
Question22: A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor's typical behaviors and intent. This would be an example of what type of intelligence?
Question23: In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?
Question24: An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?
Question25: After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.What SPL could they use to find all relevant events across either field until the field extraction is fixed?
Question26: An analyst investigates an IDS alert and confirms suspicious traffic to a known malicious IP. What Enterprise Security data model would they use to investigate which process initiated the network connection?
Question27: How are Notable Events configured in Splunk Enterprise Security?
Question28: During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
Question29: The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?
Question30: Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?
Question31: An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn't seem to be any associated increase in incoming traffic.What type of threat actor activity might this represent?
Question32: The following list contains examples of Tactics, Techniques, and Procedures (TTPs):1. Exploiting a remote service2. Lateral movement3. Use EternalBlue to exploit a remote SMB serverIn which order are they listed below?