Splunk SPLK-5002 Exam Practice Questions and Answers

Question 6 of 102

How can an engineer verify if results will return for a potential detection based on historical events within the organization?

A.

Run the detection in Splunk Attack Range against the latest Atomic Red Team™ injections.

B.

Run the detection with the added constraints of earliest=now latest=+24h.

C.

Run the detection against production data within the same Splunk instance.

D.

Run the detection with the added constraints of earliest=0 latest=l.

Question 7 of 102

Which of the following is not a type of metadata that can be returned by the metadata command?

A.

sourcetypes

B.

hosts

C.

sources

D.

assets

Question 8 of 102

MITRE D3FEND™ is designed to compliment MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ in order to detect, deny, and disrupt adversarial efforts?

A.

Harden, Detect, Exclude, Deceive, Eradicate

B.

Harden, Detect, Isolate, Disrupt, Evict

C.

Harden, Detect, Exclude, Define, Eradicate

D.

Harden, Detect, Isolate, Deceive, Evict

Question 9 of 102

Below is an example of a sysmon process create log. Which EventCode would be associated to this log entry?

A.

EventCode=4

B.

EventCode=2

C.

EventCode=1

D.

EventCode=3

Question 10 of 102

Based on a recent red team exercise, an organization is highly concerned about pass the hash attacks especially including tools like Empire. Which EventСode associated to PowerShell Script Block Logging would be used to detect this activity?

A.

EventCode=4126

B.

EventCode=4168

C.

EventCode=4624

D.

EventCode=4104