Splunk Certified Cybersecurity Defense Engineer v1.0

Page:    1 / 7   
Exam contains 102 questions

A SOC's Incident Response Standard Operating Procedure (SOP) calls for any phishing emails containing files to be detonated in Splunk Attack Analyzer for evaluation. Which of the following can an engineer implement to gain efficiency through automation?

  • A. Automatically send all findings containing the tag "phishing" to create an email notification for the SOC.
  • B. Use a SOAR playbook to submit the email to PhishTank, which will automatically handle the Splunk Attack Analyzer submission, and make this information available to an assigned analyst.
  • C. Automatically assign findings containing the tag "phishing" to analysts to speed up the start of data collection steps and reduce the time to disposition for the finding.
  • D. Use a SOAR playbook to handle the Splunk Attack Analyzer submission and data collection steps, and make this information available to an assigned analyst.


Answer : D

Which fields are used to determine asset priority when priority is assigned through an asset and identity lookup?

  • A. dest, src, or dvc
  • B. dest_user or src_user
  • C. user or src_user
  • D. dest, src, or tag


Answer : A

What framework in Enterprise Security allows engineers to build detections using known malicious IOCs, comparing them to event logs to find suspicious behavior?

  • A. Incident Management Framework
  • B. Asset & Intelligence Framework
  • C. Threat Intelligence Framework
  • D. OSINT Framework


Answer : C

Which of the following can process data from configured containers using an automated sequence of actions?

  • A. Workbooks
  • B. Cases
  • C. Playbooks
  • D. Containers


Answer : C

A Detection Engineer works closely with SOC leads to define expected analyst workflows, often documented as a Standard Operating Procedure (SOP). Which capability can be used to document expected analyst actions in an investigation?

  • A. Investigation notes
  • B. Adaptive response actions
  • C. Response templates
  • D. Correlation Search Editor


Answer : C

What document can be helpful in understanding the prioritization of risk when comparing entities in an organization?

  • A. A hierarchical organization chart
  • B. Infrastructure architecture diagrams
  • C. Application architecture diagrams
  • D. Business Continuity or Disaster Recovery plan


Answer : D

Which of the following cURL commands would allow an engineer to effectively disable the REST API endpoint they've been utilizing for testing a detection named TestSearchDevelopment?

  • A. curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/TestSearchDevelopment/ -X DELETE
  • B. Splunk endpoints cannot be disabled.
  • C. curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/TestSearchDevelopment/disable -X POST
  • D. curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/TestSearchDevelopment/disable -X PUT


Answer : C

An engineer wants to track and report on all authentication to corporate assets, and wants to prioritize critical assets without significantly increasing the number of findings (notable events) generated. What process could be used to accomplish this goal?

  • A. Determine a general risk rule for all access attempts to all assets, and then increase the Risk Factor for critical assets.
  • B. Decrease the risk score of non-critical assets in all existing detections.
  • C. Add all access attempts to the Risk Index, and increase the Criticality of the critical assets.
  • D. Add the critical assets to the risk data model.


Answer : C

In the context of Splunk's Common Information Model (CIM), which constraint ensures that events from different data sources appear in the applicable data model?

  • A. hosts
  • B. field names
  • C. sources
  • D. tags


Answer : D

Which tool can help identify known tactics, techniques, and procedures that a threat group is most likely to use when targeting a financial organization?

  • A. The Lockheed Martin Cyber Kill Chain® Posture panel within Enterprise Security's Incident Review page
  • B. The MITRE ATT&CK® Posture panel within Mission Control's Incident Review page
  • C. The MITRE ATT&CK® matrix's industry heatmap in Splunk Security Essentials
  • D. Splunk Threat Intelligence Management


Answer : C


Based on the provided screenshot, it's discovered that different machines or accounts have been associated with the shown threat objects. Enterprise Security has identified that these machines and accounts all point back to one owner, Fyodor.
Which two frameworks in ES are responsible for programmatically associating this information together?

  • A. Threat Intelligence, Assets & Identities
  • B. Risk, Incident Review
  • C. Risk, Assets & Identities
  • D. Threat Intelligence, Risk


Answer : C

An engineer notices that a detection is creating multiple findings (notables) for the same potential incident. Which setting can be adjusted to reduce the number of generated findings (notables)?

  • A. Correlation search priority
  • B. Adaptive response actions
  • C. Adaptive risk modifier
  • D. Correlation search throttling


Answer : D

Which of the following should an engineer do as they evaluate their Threat Detection and Incident Response lifecycle?

  • A. Evaluate the threat process lifecycle based on contextual business and industry knowledge.
  • B. Use the MITRE ATT&CK® framework to evaluate the organization's risk appetite.
  • C. Focus efforts on the least impactful threat vectors.
  • D. Evaluate the threat process lifecycle based on profit margins and MTTR.


Answer : A

Which of the following is the most efficient search to return a list of all visible indexes and the sourcetypes contained within them?

  • A. index=* | stats count by sourcetype, index
  • B. index=* sourcetype=* | stats values(sourcetype) by index
  • C. | tstats values(sourcetype) where index=true
  • D. | tstats values(sourcetype) where index=* by index


Answer : D

When creating a detection that searches user activity across CIM-compliant data, which CIM field should be reviewed to ensure that data is aggregated appropriately?

  • A. userid
  • B. identity
  • C. srcUser
  • D. user


Answer : D
