Splunk SPLK-5002 Exam Questions

Question 6 of 91

How can an engineer verify if results will return for a potential detection based on historical events within the organization?

A.

Run the detection in Splunk Attack Range against the latest Atomic Red Team™ injections.

B.

Run the detection with the added constraints of earliest=now latest=+24h.

C.

Run the detection against production data within the same Splunk instance.

D.

Run the detection with the added constraints of earliest=0 latest=l.

Question 7 of 91

Which of the following is not a type of metadata that can be returned by the metadata command?

A.

sourcetypes

B.

hosts

C.

sources

D.

assets

Question 8 of 91

MITRE D3FEND™ is designed to compliment MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ in order to detect, deny, and disrupt adversarial efforts?

A.

Harden, Detect, Exclude, Deceive, Eradicate

B.

Harden, Detect, Isolate, Disrupt, Evict

C.

Harden, Detect, Exclude, Define, Eradicate

D.

Harden, Detect, Isolate, Deceive, Evict

Question 9 of 91

Below is an example of a sysmon process create log. Which EventCode would be associated to this log entry?
Exam SPLK-5002: Question 9 - Image 1

A.

EventCode=4

B.

EventCode=2

C.

EventCode=1

D.

EventCode=3

Question 10 of 91

Based on a recent red team exercise, an organization is highly concerned about pass the hash attacks especially including tools like Empire. Which EventСode associated to PowerShell Script Block Logging would be used to detect this activity?

A.

EventCode=4126

B.

EventCode=4168

C.

EventCode=4624

D.

EventCode=4104