Splunk® SPLK-5002 Exam Practice Questions (P. 1)
Question #1
Which of the following is a reason to utilize ES risk framework as a part of detection building?
- A. Create a feedback loop into threat intelligence to identify potential insider threats.
- B. Help accelerate the run time of detections, allowing a faster mean time to detection.
- C. Simplify SOAR automation and remediation, lowering the mean time to recover.
- D. Help prioritize security findings based on their potential business impact.
Question #2
When creating a case in Splunk SOAR, which action should be taken to correlate various findings (risk notables) to ensure all are actioned?
- A. Search Splunk Enterprise Security for similar or duplicate events based on the threat_object field in a risk notable.
- B. Search Splunk Enterprise Security for all related events based on key fields in a notable and select how to process the results to decide which events to merge into the current investigation.
- C. Search Splunk Enterprise Security for similar or duplicate events based on the risk_object field in a risk notable.
- D. Search Splunk Enterprise Security for all related events based on key fields in a risk notable and select how to process the results to decide which events to merge into the current investigation.
Question #3
Consider the following series of events:
4:00 GMT Detection runs for interval 3:30-4:00
4:30 GMT Detection runs for interval 4:00-4:30
4:35 GMT Event 1 occurs on an endpoint
4:45 GMT Event 1 is indexed
5:00 GMT Detection runs for interval 4:30-5:00
5:05 GMT Event 1 finding is added to ES with timestamp 4:35
5:24 GMT Event 2 occurs on an endpoint
5:30 GMT Detection runs for interval 5:00-5:30
5:35 GMT Event 2 is indexed
6:00 GMT Detection runs for interval 5:30-6:00
What is the problem with the detection schedule chosen and how can it be solved?
- A. The time window for the detection is too large, causing duplicate alerts.
- B. The logs are delayed so the detection time window needs to be increased.
- C. The time window for the detection is too small, causing duplicate alerts.
- D. The logs are delayed so the detection time window needs to be decreased.
Question #4
An effective method for building automation workflows is to follow the OODA (Observe, Orient, Decide, Act) loop stages. When transitioning between the Decide and Act stages, what additional work should be included before automating the Act stage?
- A. Create a new response template.
- B. Validate if the asset, identity, or service has an exemption.
- C. Validate response data paths from the Decide stage.
- D. Create a new automation playbook.
Question #5
What is the best method to operationalize the results of a threat hunt for daily use by SOC analysts?
- A. Communicate findings based on the hunt.
- B. Create monthly reports based on the documented findings.
- C. Create detections based on the documented findings.
- D. Communicate gaps to the architecture team.
