Free SPLK-5001 Exam Braindumps (page: 4)


During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp.
Why should this be investigated further?

  A. Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
  B. Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
  C. Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in-memory values of running programs.
  D. Temp directories are world writable, thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.

Answer(s): D



An analyst would like to visualize threat objects across their environment and chronological risk events for a Risk Object in Incident Review.
Where would they find this?

  A. Running the Risk Analysis Adaptive Response action within the Notable Event.
  B. Via a workflow action for the Risk Investigation dashboard.
  C. Via the Risk Analysis dashboard under the Security Intelligence tab in Enterprise Security.
  D. Clicking the risk event count to open the Risk Event Timeline.

Answer(s): D



A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious.

What should they ask their engineer for to make their analysis easier?

  A. Create a field extraction for this information.
  B. Add this information to the risk message.
  C. Create another detection for this information.
  D. Allowlist more events based on this information.

Answer(s): A



What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?

  A. Host-based firewall
  B. Web proxy
  C. Endpoint Detection and Response
  D. Intrusion Detection System

Answer(s): D
