Splunk SPLK-5002 - Splunk Certified Cybersecurity Defense Engineer Exam
Total 91 questions
Question #6 (Topic: Exam A)
How can an engineer verify whether a potential detection will return results, based on historical events within the organization?
A. Run the detection in Splunk Attack Range against the latest Atomic Red Team™ injections.
B. Run the detection with the added constraints of earliest=now latest=+24h.
C. Run the detection against production data within the same Splunk instance.
D. Run the detection with the added constraints of earliest=0 latest=l.
Answer: C
Question #7 (Topic: Exam A)
Which of the following is not a type of metadata that can be returned by the metadata command?
A. sourcetypes
B. hosts
C. sources
D. assets
Answer: D
Question #8 (Topic: Exam A)
MITRE D3FEND™ is designed to complement MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ in order to detect, deny, and disrupt adversarial efforts?
A. Harden, Detect, Exclude, Deceive, Eradicate
B. Harden, Detect, Isolate, Disrupt, Evict
C. Harden, Detect, Exclude, Define, Eradicate
D. Harden, Detect, Isolate, Deceive, Evict
Answer: D
Question #9 (Topic: Exam A)
Below is an example of a Sysmon process create log. Which EventCode would be associated with this log entry?
A. EventCode=4
B. EventCode=2
C. EventCode=1
D. EventCode=3
Answer: C
Question #10 (Topic: Exam A)
Based on a recent red team exercise, an organization is highly concerned about pass-the-hash attacks, especially those using tools like Empire. Which EventCode associated with PowerShell Script Block Logging would be used to detect this activity?
A. EventCode=4126
B. EventCode=4168
C. EventCode=4624
D. EventCode=4104
Answer: D