Practice Free SPLK-5001 Exam Online Questions
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
- A . | sort by user | where count > 1000
- B . | stats count by user | where count > 1000 | sort -count
- C . | top user
- D . | stats count(user) | sort -count | where count > 1000
Which of the following data sources would be most useful to determine if a user visited a recently identified malicious website?
- A . Active Directory Logs
- B . Web Proxy Logs
- C . Intrusion Detection Logs
- D . Web Server Logs
Which Splunk Enterprise Security framework provides a way to identify incidents from events and then manage the ownership, triage process, and state of those incidents?
- A . Asset and Identity
- B . Investigation Management
- C . Notable Event
- D . Adaptive Response
Which of the following is a reason to use Data Model Acceleration in Splunk?
- A . To rapidly compare the use of various algorithms to detect anomalies.
- B . To quickly model various responses to a particular vulnerability.
- C . To normalize the data associated with threats.
- D . To retrieve data faster than from a raw index.
An analyst notices that one of their servers is sending an unusually large amount of traffic, gigabytes more than normal, to a single system on the Internet. There doesn’t seem to be any associated increase in incoming traffic.
What type of threat actor activity might this represent?
- A . Data exfiltration
- B . Network reconnaissance
- C . Data infiltration
- D . Lateral movement
An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down:
[51.125.121.100 - [28/01/2006:10:27:10 -0300] "POST /cgi-bin/shurdown/ HTTP/1.0" 200 3304]
What kind of attack is most likely occurring?
- A . Distributed denial of service attack.
- B . Database injection attack.
- C . Denial of service attack.
- D . Cross-Site scripting attack.
Which of the following Splunk Enterprise Security features allows industry frameworks such as CIS Critical Security Controls, MITRE ATT&CK, and the Lockheed Martin Cyber Kill Chain® to be mapped to Correlation Search results?
- A . Annotations
- B . Playbooks
- C . Comments
- D . Enrichments
Why is tstats more efficient than stats for large datasets?
- A . tstats is faster since it operates at the beginning of the search pipeline.
- B . tstats is faster since it only looks at indexed metadata, not raw data.
- C . tstats is faster due to its SQL-like syntax.
- D . tstats is faster since it searches raw logs for extracted fields.
Which of the following SPL searches is likely to return results the fastest?
- A . index=network src_port=2938 protocol=top | stats count by src_ip | search src_ip=1.2.3.4
- B . src_ip=1.2.3.4 src_port=2938 protocol=top | stats count
- C . src_port=2938 AND protocol=top | stats count by src_ip | search src_ip=1.2.3.4
- D . index=network sourcetype=netflow src_ip=1.2.3.4 src_port=2938 protocol=top | stats count
Which Enterprise Security framework provides a mechanism for running preconfigured actions within the Splunk platform or integrating with external applications?
- A . Asset and Identity
- B . Notable Event
- C . Threat Intelligence
- D . Adaptive Response