
SPLK-5001 PDF question bank: real, recently updated 2024 questions
Released: updated Splunk SPLK-5001 questions PDF
Question # 11
Which stage of continuous monitoring involves adding data, creating detections, and building drilldowns?
- A. Establish and Architect
- B. Analyze and Report
- C. Implement and Collect
- D. Respond and Review
Correct answer: C
Question # 12
What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?
- A. Endpoint Detection and Response
- B. Web proxy
- C. Intrusion Detection System
- D. Host-based firewall
Correct answer: C
Question # 13
What is the following step-by-step description an example of?
1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.
2. The attacker creates a unique email with the malicious document based on extensive research about their target.
3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.
- A. Tactic
- B. Policy
- C. Procedure
- D. Technique
Correct answer: C (the steps describe one actor's specific, tooling-level implementation, which is a procedure; the technique would be the generic spearphishing attachment)
Question # 14
Which field is automatically added to search results when assets are properly defined and enabled in Splunk Enterprise Security?
- A. src_ip
- B. user
- C. asset_category
- D. src_category
Correct answer: D
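The field name in question 14 follows from how Enterprise Security asset correlation works: the event field that matched the asset lookup (src, dest, and so on) becomes the prefix of every enriched field, which is why the answer is src_category and not asset_category. The Python below is an added example written for this page, not Splunk or ES code; it is a simplified model of that automatic lookup with a constructed asset inventory and hypothetical category, priority and bunit values.

```python
"""Simplified model of Splunk ES asset correlation (added example, not ES code).

ES automatic lookups match the src/dest value of an event against the asset
lookup (by IP address or CIDR range, host name, DNS name or MAC) and add
prefixed fields such as src_category, src_priority and src_bunit. Only the
IP/CIDR and nt_host match paths are modelled here; the inventory is constructed.
"""
import ipaddress

# Constructed asset inventory with hypothetical values (not a real lookup file).
# ES category values are pipe-delimited multivalue strings, as shown here.
ASSETS = [
    {"ip": "10.1.2.0/24", "nt_host": "", "category": "dmz|web",
     "priority": "high", "bunit": "ecom"},
    {"ip": "10.1.5.0/24", "nt_host": "", "category": "corp",
     "priority": "medium", "bunit": "it"},
    {"ip": "", "nt_host": "FIN-DC01", "category": "domain_controller|pci",
     "priority": "critical", "bunit": "finance"},
]


def _matches(asset, value):
    """True when value is the asset's host name or falls inside its IP range."""
    if asset["nt_host"] and asset["nt_host"].lower() == value.lower():
        return True
    if asset["ip"]:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(asset["ip"], strict=False)
        except ValueError:  # value is a host name, not an address
            return False
    return False


def enrich(event, fields=("src", "dest")):
    """Return a copy of event with <field>_category/_priority/_bunit added
    for every field in `fields` whose value matches a defined asset.
    Unmatched fields get no enrichment at all (mirrors ES behaviour)."""
    out = dict(event)
    for field in fields:
        value = event.get(field)
        if not value:
            continue
        for asset in ASSETS:
            if _matches(asset, value):
                # The prefix is the event field name, hence src_category, dest_priority, ...
                out[field + "_category"] = asset["category"]
                out[field + "_priority"] = asset["priority"]
                out[field + "_bunit"] = asset["bunit"]
                break
    return out


if __name__ == "__main__":
    # Constructed authentication event: a DMZ web host talking to the finance DC.
    sample = {"action": "failure", "src": "10.1.2.7", "dest": "fin-dc01", "user": "svc_backup"}
    for k, v in sorted(enrich(sample).items()):
        print(f"{k}={v}")
```

Because the enrichment is keyed on the matched field, a correlation search can filter on `dest_priority=critical` or `src_category=dmz` without knowing which asset row produced the match.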
Question # 15
The eval SPL expression supports many types of functions. Which of these function categories is not valid with eval?
- A. Threat functions
- B. Comparison and Conditional functions
- C. Text functions
- D. JSON functions
Correct answer: A
Question # 16
While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies. Which of the following Splunk commands returns the least common values?
- A. uncommon
- B. base
- C. least
- D. rare
Correct answer: D
Question # 17
An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?
- A. index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts
- B. index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort -failed_attempts
- C. index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts
- D. index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts
Correct answer: A
Question # 18
How are Notable Events configured in Splunk Enterprise Security?
- A. Via an Adaptive Response Action in a regular search.
- B. During an investigation.
- C. Via an Adaptive Response Action in a correlation search.
- D. As part of an audit.
Correct answer: C
Question # 19
A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor's typical behaviors and intent. This would be an example of what type of intelligence?
- A. Strategic
- B. Executive
- C. Operational
- D. Tactical
Correct answer: A
Question # 20
Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?
- A. MITRE ATT&CK
- B. CIS18
- C. NIST 800-53
- D. ISO 27000
Correct answer: A
Question # 21
Which of the following is a best practice for searching in Splunk?
- A. Streaming commands run before aggregating commands in the Search pipeline.
- B. Searching over All Time ensures that all relevant data is returned.
- C. Limit fields returned from the search utilizing the table command.
- D. Raw word searches should contain multiple wildcards to ensure all edge cases are covered.
Correct answer: C
Question # 22
The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?
- A. Malware Center
- B. New Domain Analysis
- C. Access Anomalies
- D. IAM Activity
Correct answer: B
Question # 23
Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?
- A. TERM()
- B. LIKE()
- C. CASE()
- D. FORMAT()
Correct answer: A
Question # 24
An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available.
What event disposition should the analyst assign to the Notable Event?
- A. False Negative, since there are no logs to prove the activity actually occurred.
- B. Other, since a security engineer needs to ingest the required logs.
- C. True Positive, since there are no logs to prove that the event did not occur.
- D. Benign Positive, since there was no evidence that the event actually occurred.
Correct answer: B
Question # 25
The following list contains examples of Tactics, Techniques, and Procedures (TTPs):
1. Exploiting a remote service
2. Lateral movement
3. Use EternalBlue to exploit a remote SMB server
In which order are they listed below?
- A. Procedure, Technique, Tactic
- B. Tactic, Technique, Procedure
- C. Tactic, Procedure, Technique
- D. Technique, Tactic, Procedure
Correct answer: D (Lateral Movement is an ATT&CK tactic, Exploitation of Remote Services is a technique under it, and using EternalBlue against an SMB server is a specific procedure)
Question # 26
Which of the following is a tactic used by attackers, rather than a technique?
- A. Escalating privileges via UAC bypass.
- B. Gathering information about a target.
- C. Establishing persistence with a scheduled task.
- D. Using a phishing email to gain initial access.
Correct answer: B
Question # 27
An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?
- A. A True Negative.
- B. A True Positive.
- C. A False Negative.
- D. A False Positive.
Correct answer: A
Question # 28
Which of the following data sources can be used to discover unusual communication within an organization's network?
- A. EDS
- B. Email
- C. NetFlow
- D. IAM
Correct answer: C
Question # 29
According to David Bianco's Pyramid of Pain, which indicator type is least effective when used in continuous monitoring?
- A. TTPs
- B. Network/host artifacts
- C. Domain names
- D. Hash values
Correct answer: D
Question # 30
A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.
What should they ask their engineer for to make their analysis easier?
- A. Create a field extraction for this information.
- B. Create another detection for this information.
- C. Add this information to the risk message.
- D. Allowlist more events based on this information.
Correct answer: A
Question # 31
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
- A. | sort by user | where count > 1000
- B. | stats count by user | where count > 1000 | sort - count
- C. | top user
- D. | stats count(user) | sort - count | where count > 1000
Correct answer: B
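Questions 16, 17 and 31 all turn on the same pattern: count events per field value, then either threshold the counts (`where count > N`) or look at the least common values (`rare`). The Python below is an added example written for this page, not Splunk code or SPL; it reproduces that logic outside Splunk over a handful of constructed sshd lines so the ordering and threshold behaviour can be checked by hand. The SPL each function mirrors is given in its docstring; the timestamps, hosts and addresses are made up.

```python
"""Failed-login counting and rare-value hunting over raw log lines.

Added example (not Splunk code): a minimal parser plus the three aggregation
shapes used in the questions above, written as plain Python so the expected
result of each SPL pipeline can be reasoned about on a fixed sample.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events; RFC 5737 addresses, not real hosts.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 5110 ssh2
2024-03-01T08:00:04Z sshd[1202]: Failed password for root from 203.0.113.5 port 5112 ssh2
2024-03-01T08:00:09Z sshd[1203]: Failed password for root from 203.0.113.5 port 5114 ssh2
2024-03-01T08:01:30Z sshd[1210]: Accepted publickey for deploy from 10.1.5.20 port 40022 ssh2
2024-03-01T08:02:11Z sshd[1215]: Failed password for alice from 10.1.5.20 port 40031 ssh2
2024-03-01T09:15:00Z sshd[1290]: Failed password for bob from 198.51.100.9 port 6001 ssh2
2024-02-28T23:59:59Z sshd[1100]: Failed password for root from 203.0.113.5 port 5001 ssh2
"""

# Field extraction for the sshd lines above (a real deployment would use a TA).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port"
)


def _ts(s):
    """Parse the ISO 8601 UTC timestamps used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(raw):
    """Turn raw lines into events with _time, eventtype, user and src_ip."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped, as a non-matching eventtype would be
        events.append({
            "_time": _ts(m["ts"]),
            "eventtype": "failed_login" if m["result"] == "Failed" else "successful_login",
            "user": m["user"],
            "src_ip": m["src_ip"],
        })
    return events


def failed_attempts_by_src(events, earliest, latest):
    """eventtype=failed_login earliest=<earliest> latest=<latest>
       | stats count as failed_attempts by src_ip | sort -failed_attempts
    Returns (src_ip, failed_attempts) pairs, highest first; ties broken by address."""
    lo, hi = _ts(earliest), _ts(latest)
    counts = Counter(
        e["src_ip"] for e in events
        if e["eventtype"] == "failed_login" and lo <= e["_time"] < hi
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def outliers(events, field, threshold):
    """| stats count by <field> | where count > <threshold> | sort - count
    Counting must happen before the where clause; filtering on a count that
    has not been computed yet (as in the distractor options) returns nothing."""
    counts = Counter(e[field] for e in events)
    return sorted(
        ((v, c) for v, c in counts.items() if c > threshold),
        key=lambda vc: (-vc[1], vc[0]),
    )


def rare(events, field, limit=10):
    """| rare <field>   (least common values first, the inverse of top)"""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("failed by src_ip on 2024-03-01:",
          failed_attempts_by_src(evs, "2024-03-01T00:00:00Z", "2024-03-02T00:00:00Z"))
    print("src_ip with more than 2 events:", outliers(evs, "src_ip", 2))
    print("rarest users:", rare(evs, "user", 3))
```

Note the time window matters: the 28 February failure from 203.0.113.5 is counted by `outliers`, which looks at everything it is handed, but not by `failed_attempts_by_src`, which applies the earliest/latest bounds first, the same way the `earliest`/`latest` terms of the SPL search restrict events before `stats` ever sees them.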
Question # 32
Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?
- A. Correlation searches
- B. Validated architectures
- C. Reports
- D. Dashboards
Correct answer: B
Question # 33
......
Splunk SPLK-5001 certification exam topics:
| Topic | Scope |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
| Topic 6 | |
SPLK-5001 question bank and practice test (68 exam questions): https://www.goshiken.com/Splunk/SPLK-5001-mondaishu.html
Guide (latest for 2024) to actual Splunk SPLK-5001 exam questions: https://drive.google.com/open?id=1DHp1BuP7NiFiTssNrHLePbxXhjoQzmps