Splunk Certified Cybersecurity Defense Analyst (SPLK-5001) Free Practice Test

Question 1

Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?

A. TERM ()

B. CASE()

C. LIKE()

D. FORMAT ()

Correct Answer: A

Question 2

According to David Bianco's Pyramid of Pain, which indicator type is least effective when used in continuous monitoring?

A. Hash values

B. Domain names

C. NetworM-lost artifacts

D. TTPs

Correct Answer: A

Question 3

While the top command is utilized to find the most common values contained within a field, a Cyber Defense Analyst hunts for anomalies. Which of the following Splunk commands returns the least common values?

A. least

B. base

C. rare

D. uncommon

Correct Answer: C

Question 4

An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organizations systems. In the course of the investigation the analyst determines that the reason no alerts were generated is because the detection searches were configured to run against Windows data only and excluding any Linux data.
This is an example of what?

A. A False Negative.

B. A True Positive.

C. A True Negative.

D. A False Positive.

Correct Answer: A

Question 5

Which of the following are correct statements about Splunk Enterprise Security annotations?

A. Annotations can be used to mark notable events in the investigation.

B. Annotations help enrich data with additional information.

C. Annotations are used for visual representation only and do not affect search results.

D. Annotations are applied automatically to all incoming data.

Correct Answer: A,B

Question 6

How does Splunk Enterprise Security (ES) interact with Common Information Model (CIM) and Data Models?

A. CIM and Data Models are the same thing and can be used interchangeably

B. CIM is used to accelerate Data Models for faster searching

C. Data Models are used to enrich the data stored in CIM

D. CIM provides a framework for categorizing data, and Data Models are used to normalize the data

Correct Answer: D

Question 7

While investigating a finding in Splunk, an analyst manually searches for threat intelligence matches and adds them to a list if they come back as malicious. Then, they send a request to contain the compromised host.
What would be the best solution to fully automate this process?

A. A model-assisted threat hunt.

B. Document those steps in the team's runbook.

C. An intelligence response action.

D. A SOAR playbook triggered by the detection.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?

A. MTTR (Mean Time to Respond)

B. MTBF (Mean Time Between Failures)

C. MTTA (Mean Time to Acknowledge)

D. MTTD (Mean Time to Detect)

Correct Answer: A

Welcome to TestSimulate

Splunk Certified Cybersecurity Defense Analyst (SPLK-5001) Free Practice Test