Which metric would track improvements in analyst efficiency after dashboard customization?

Why is tstats more efficient than stats for large datasets?

What is the first phase of the Continuous Monitoring cycle?

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?

Which of the following compliance frameworks was specifically created to measure the level of cybersecurity maturity within an organization?

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?

An analyst would like to test how certain Splunk SPL commands work against a small set of data. What command should start the search pipeline if they wanted to create their own data instead of utilizing data contained within Splunk?

A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threat Intelligence?

An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?

Which of the following SPL searches is likely to return results the fastest?

Which of the following is not a component of the Splunk Security Content library (ESCU, SSE)?

While testing the dynamic removal of credit card numbers, an analyst lands on using therexcommand. What mode needs to be set to in order to replace the defined values with X?

| makeresults

| eval ccnumber="511388720478619733"

| rex field=ccnumber mode=???"s/(\d{4}-){3)/XXXX-XXXX-XXXX-/g"

Please assume that the aboverexcommand is correctly written.

An analyst is investigating how an attacker successfully performs a brute-force attack to gain a foothold into an organizations systems. In the course of the investigation the analyst determines that the reason no alerts were generated is because the detection searches were configured to run against Windows data only and excluding any Linux data.

This is an example of what?

An analyst learns that several types of data are being ingested into Splunk and Enterprise Security, and wants to use the metadata SPL command to list them in a search. Which of the following arguments should she use?

What device typically sits at a network perimeter to detect command and control and other potentially suspicious traffic?

A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?

The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?

A threat hunter is analyzing incoming emails during the past 30 days, looking for spam or phishing campaigns targeting many users. This involves finding large numbers of similar, but not necessarily identical, emails. The hunter extracts key datapoints from each email record, including the sender's address, recipient's address, subject, embedded URLs, and names of any attachments. Using the Splunk App for Data Science and Deep Learning, they then visualize each of these messages as points on a graph, looking for large numbers of points that occur close together. This is an example of what type of threat-hunting technique?

A network security tool that continuously monitors a network for malicious activity and takes action to block it is known as which of the following?

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

What is the main difference between a DDoS and a DoS attack?

What Splunk feature would enable enriching public IP addresses with ASN and owner information?

What is the main difference between hypothesis-driven and data-driven Threat Hunting?

Which of the following roles is commonly responsible for selecting and designing the infrastructure and tools that a security analyst utilizes to effectively complete their job duties?

Enterprise Security has been configured to generate a Notable Event when a user has quickly authenticated from multiple locations between which travel would be impossible. This would be considered what kind of an anomaly?

An analyst discovers malicious software present within the network. When tracing the origin of the software, the analyst discovers it is actually a part of a third-party vendor application that is used regularly by the organization. This is an example of what kind of threat?

An analyst is looking at Web Server logs, and sees the following entry as the last web request that a server processed before unexpectedly shutting down:

147.186.119.107 - - [28/Jul/2006:10:27:10 -0300] "POST /cgi-bin/shutdown/ HTTP/1.0" 200 3333

What kind of attack is most likely occurring?

Which of the following is a correct Splunk search that will return results in the most performant way?