Splunk Certified Cybersecurity Defense Analyst v1.0

Page: 1 / 5
Exam contains 66 questions

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

  • A. host
  • B. dest
  • C. src_nt_host
  • D. src_ip


Answer : D

Which of the following data sources can be used to discover unusual communication within an organization’s network?

  • A. EDS
  • B. NetFlow
  • C. Email
  • D. IAM


Answer : B

When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?

  • A. | sort by user | where count > 1000
  • B. | stats count by user | where count > 1000 | sort - count
  • C. | top user
  • D. | stats count(user) | sort - count | where count > 1000


Answer : B

The United States Department of Defense (DoD) requires all government contractors to provide adequate security safeguards referenced in National Institute of Standards and Technology (NIST) 800-171. All DoD contractors must continually reassess, monitor, and track compliance to be able to do business with the US government.
Which feature of Splunk Enterprise Security provides an analyst context for the correlation search mapping to the specific NIST guidelines?

  • A. Comments
  • B. Notes
  • C. Annotations
  • D. Framework mapping


Answer : D

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

  • A. index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts
  • B. index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts
  • C. index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts
  • D. index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort -failed_attempts


Answer : C

The field file_acl contains access controls associated with files affected by an event. In which data model would an analyst find this field?

  • A. Malware
  • B. Alerts
  • C. Vulnerabilities
  • D. Endpoint


Answer : D

A threat hunter generates a report containing the list of users who have logged in to a particular database during the last 6 months, along with the number of times each of them has authenticated. They sort this list and remove any user names that have logged in more than 6 times. The remaining names represent the users who rarely log in, as their activity is more suspicious. The hunter examines each of these rare logins in detail.
This is an example of what type of threat-hunting technique?

  • A. Least Frequency of Occurrence Analysis
  • B. Co-Occurrence Analysis
  • C. Time Series Analysis
  • D. Outlier Frequency Analysis


Answer : A

What is the main difference between hypothesis-driven and data-driven Threat Hunting?

  • A. Data-driven hunts always require more data to search through than hypothesis-driven hunts.
  • B. Data-driven hunting tries to uncover activity within an existing data set, hypothesis-driven hunting begins with a potential activity that the hunter thinks may be happening.
  • C. Hypothesis-driven hunts are typically executed on newly ingested data sources, while data-driven hunts are not.
  • D. Hypothesis-driven hunting tries to uncover activity within an existing data set, data-driven hunting begins with an activity that the hunter thinks may be happening.


Answer : B

The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?

  • A. IAM Activity
  • B. Malware Center
  • C. Access Anomalies
  • D. New Domain Analysis


Answer : D

What is the main difference between a DDoS and a DoS attack?

  • A. A DDoS attack is a type of physical attack, while a DoS attack is a type of cyberattack.
  • B. A DDoS attack uses a single source to target a single system, while a DoS attack uses multiple sources to target multiple systems.
  • C. A DDoS attack uses multiple sources to target a single system, while a DoS attack uses a single source to target a single or multiple systems.
  • D. A DDoS attack uses a single source to target multiple systems, while a DoS attack uses multiple sources to target a single system.


Answer : C

A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threat Intelligence?

  • A. Tactical
  • B. Strategic
  • C. Operational
  • D. Executive


Answer : B

An analyst is examining the logs for a web application’s login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.
Which type of attack would this be an example of?

  • A. Credential sniffing
  • B. Password cracking
  • C. Password spraying
  • D. Credential stuffing


Answer : D

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of designing the new process and selecting the required tools to implement it?

  • A. SOC Manager
  • B. Security Engineer
  • C. Security Architect
  • D. Security Analyst


Answer : C

After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.
What SPL could they use to find all relevant events across either field until the field extraction is fixed?

  • A. | eval src = coalesce(src,machine_name)
  • B. | eval src = src + machine_name
  • C. | eval src = src . machine_name
  • D. | eval src = tostring(machine_name)


Answer : A

An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

  • A. makeresults
  • B. rename
  • C. eval
  • D. stats


Answer : A
