Splunk SPLK-5002 Exam Questions

Question 6 of 91

How can an engineer verify if results will return for a potential detection based on historical events within the organization?

Run the detection in Splunk Attack Range against the latest Atomic Red Team™ injections.

Run the detection with the added constraints of earliest=now latest=+24h.

Run the detection against production data within the same Splunk instance.

Run the detection with the added constraints of earliest=0 latest=l.

Correct Answer: C

Question 7 of 91

Which of the following is not a type of metadata that can be returned by the metadata command?

sourcetypes

hosts

sources

assets

Correct Answer: D

Question 8 of 91

MITRE D3FEND™ is designed to compliment MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ in order to detect, deny, and disrupt adversarial efforts?

Harden, Detect, Exclude, Deceive, Eradicate

Harden, Detect, Isolate, Disrupt, Evict

Harden, Detect, Exclude, Define, Eradicate

Harden, Detect, Isolate, Deceive, Evict

Correct Answer: D

Question 9 of 91

Below is an example of a sysmon process create log. Which EventCode would be associated to this log entry?
Exam SPLK-5002: Question 9 - Image 1

EventCode=4

EventCode=2

EventCode=1

EventCode=3

Correct Answer: C

Question 10 of 91

Based on a recent red team exercise, an organization is highly concerned about pass the hash attacks especially including tools like Empire. Which EventСode associated to PowerShell Script Block Logging would be used to detect this activity?

EventCode=4126

EventCode=4168

EventCode=4624

EventCode=4104

Correct Answer: D