Splunk splk-5001 practice test

Exam Title: Splunk Certified Cybersecurity Defense Analyst

Last update: Nov 27, 2025
Question 1

Which of the following is a best practice when creating performant searches within Splunk?

  • A. Utilize the transaction command to aggregate data for faster analysis.
  • B. Utilize Aggregating commands to ensure all data is available prior to Streaming commands.
  • C. Utilize specific fields to return only the data that is required.
  • D. Utilize multiple wildcards across fields to ensure returned data is complete and available.
Answer:

C

Question 2

Which of the following data sources can be used to discover unusual communication within an
organization’s network?

  • A. EDS
  • B. NetFlow
  • C. Email
  • D. IAM
Answer:

B

Question 3

A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the
threat landscape the organization faces. This is an example of what type of Threat Intelligence?

  • A. Tactical
  • B. Strategic
  • C. Operational
  • D. Executive
Answer:

B

Question 4

Which of the Enterprise Security frameworks provides additional automatic context and correlation
to fields that exist within raw data?

  • A. Adaptive Response
  • B. Threat Intelligence
  • C. Risk
  • D. Asset and Identity
Answer:

D

Question 5

An analyst needs to create a new field at search time. Which Splunk command will dynamically
extract additional fields as part of a Search pipeline?

  • A. rex
  • B. fields
  • C. regex
  • D. eval
Answer:

A

Question 6

After discovering some events that were missed in an initial investigation, an analyst determines this
is because some events have an empty src field. Instead, the required data is often captured in
another field called machine_name.
What SPL could they use to find all relevant events across either field until the field extraction is
fixed?

  • A. | eval src = coalesce(src,machine_name)
  • B. | eval src = src + machine_name
  • C. | eval src = src . machine_name
  • D. | eval src = tostring(machine_name)
Answer:

A

Question 7

Which argument searches only accelerated data in the Network Traffic Data Model with tstats?

  • A. accelerate=true
  • B. dataset=accelerated
  • C. summariesonly=true
  • D. datamodel=accelerated
Answer:

C

Question 8

Which of the following is not considered an Indicator of Compromise (IOC)?

  • A. A specific domain that is utilized for phishing.
  • B. A specific IP address used in a cyberattack.
  • C. A specific file hash of a malicious executable.
  • D. A specific password for a compromised account.
Answer:

D

Question 9

Which field is automatically added to search results when assets are properly defined and enabled in
Splunk Enterprise Security?

  • A. asset_category
  • B. src_ip
  • C. src_category
  • D. user
Answer:

C

Question 10

Outlier detection is an analysis method that groups together data points into high density clusters.
Data points that fall outside of these high density clusters are considered to be what?

  • A. Inconsistencies
  • B. Baselined
  • C. Anomalies
  • D. Non-conformatives
Answer:

C

Viewing questions 1-10 out of 99