An engineer adds a custom event status of 'Testing' and accidentally makes it the new default status. Their SOC calculates some metrics based on Notable status change sequences, starting from the old default status of 'New'. Which metrics can be affected by this mistake?
A. Mean Time to Respond, Mean Time to Resolve
B. No metrics are impacted
C. Mean Time to Triage, Dwell Time
D. Mean Time to Resolve, Dwell Time
MITRE D3FEND™ is designed to complement MITRE's list of adversarial tactics, techniques, and common knowledge (ATT&CK®). Which tactics are associated with MITRE D3FEND™ to detect, deny, and disrupt adversarial efforts?
A. Harden, Detect, Exclude, Deceive, Eradicate
B. Harden, Detect, Isolate, Disrupt, Evict
C. Harden, Detect, Exclude, Define, Eradicate
D. Harden, Detect, Isolate, Deceive, Evict
Which fields are used to determine asset priority, when priority is assigned through an asset and identity lookup?
A. dest, src, or dvc
B. dest_user or src_user
C. user or src_user
D. dest, src, or tag
What external support consideration should an engineer account for if they plan to automate the disabling of a system or user?
A. Communicate the actions to the IT Help Desk.
B. Enable logging on the playbook.
C. Validate that the system or user is not already disabled.
Risk scores are associated with how many levels of risk in Enterprise Security by default?
A. (4) Info, Medium, High, Critical
B. (3) Low, Medium, High
C. (5) Info, Low, Medium, High, Critical
D. (6) Info, Low, Medium, High, Critical, Unknown
When creating a detection, how might an engineer ensure that all possible contextual fields about a given asset and identity are added to a risk event?
A. Use | lookup identities.csv to call all available identity information in the detection output.
B. Include the standard CIM fields (e.g. user, src, src_user, etc.) in the detection output.
C. Call an adaptive response action for Active Directory using | ldapsearch for a real-time update.
D. Use | lookup assets.csv to call all available asset information in the detection output.
Which REST call will show a list of alerts with their specific commands, app, and title?
When should a detection be reviewed or retuned after deployment?
A. Every 30 days.
B. Only if it has generated a large amount of false positives.
C. As defined by the established detection lifecycle.
D. Only if it hasn't generated a finding after several weeks.
Which of the following macro definitions will exclude all of the company networks when the macro is called from the following search?
index=firewall sourcetype=pan:traffic NOT `company_networks`
A. (src_ip IN (151.157.30.0/24, 26.06.18.0/24))
B. NOT (src_ip IN (151.157.30.0/24, 26.06.18.0/24))
C. NOT (src_ip=151.157.30.0/24 AND src_ip=26.06.18.0/24)
D. (src_ip=151.157.30.0/24 AND src_ip=26.06.18.0/24)
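The question turns on the difference between `IN` (any of the listed networks) and `AND` (all of them at once). The following is an added example, not part of the original page, that reproduces the macro's semantics outside Splunk with the standard `ipaddress` module over a few constructed pan:traffic-style lines. The macro body that excludes the company networks is `(src_ip IN (151.157.30.0/24, 26.06.18.0/24))` with the `NOT` supplied by the calling search (or the `NOT` folded into the macro); a body of the form `src_ip=net1 AND src_ip=net2` can never be true, because one address is never inside two disjoint networks. Note that the page's second CIDR, 26.06.18.0/24, has a leading-zero octet that `ipaddress` rejects as ambiguous, so 26.6.18.0/24 is assumed here; the log lines and field names are constructed.

```python
"""Added example: semantics of the company_networks macro, outside Splunk.

Search:  index=firewall sourcetype=pan:traffic NOT `company_networks`
Macro:   (src_ip IN (151.157.30.0/24, 26.6.18.0/24))   <- any-of (OR) semantics
Wrong:   (src_ip=151.157.30.0/24 AND src_ip=26.6.18.0/24)  <- never true
"""
import ipaddress

# Assumption: 26.6.18.0/24 stands in for the page's 26.06.18.0/24, whose
# leading-zero octet ipaddress refuses to parse.
COMPANY_NETWORKS = [ipaddress.ip_network(n) for n in ("151.157.30.0/24", "26.6.18.0/24")]

# Constructed key=value firewall lines (not real data).
SAMPLE_LOGS = [
    "src_ip=151.157.30.17 dest_ip=8.8.8.8 action=allowed",
    "src_ip=26.6.18.200 dest_ip=1.1.1.1 action=allowed",
    "src_ip=203.0.113.9 dest_ip=151.157.30.5 action=denied",
    "src_ip=198.51.100.44 dest_ip=26.6.18.7 action=allowed",
]


def parse_kv(line):
    """Minimal field extraction: split a key=value line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def in_any(ip, networks):
    """src_ip IN (net1, net2): true if the address is inside at least one network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def in_all(ip, networks):
    """src_ip=net1 AND src_ip=net2: true only if the address is inside every
    network, which is impossible for disjoint networks."""
    addr = ipaddress.ip_address(ip)
    return all(addr in net for net in networks)


def exclude_company_networks(lines, networks=COMPANY_NETWORKS):
    """Equivalent of ... NOT `company_networks` with the IN-based macro."""
    return [l for l in lines if not in_any(parse_kv(l)["src_ip"], networks)]


def exclude_with_and_form(lines, networks=COMPANY_NETWORKS):
    """Equivalent of NOT (src_ip=net1 AND src_ip=net2): excludes nothing."""
    return [l for l in lines if not in_all(parse_kv(l)["src_ip"], networks)]


if __name__ == "__main__":
    for line in exclude_company_networks(SAMPLE_LOGS):
        print("external source:", line)
    kept = exclude_with_and_form(SAMPLE_LOGS)
    print(f"AND form kept {len(kept)} of {len(SAMPLE_LOGS)} events (excluded none)")
```

The same check is worth running inside Splunk before trusting a network-exclusion macro: compare `| stats count` for the search with and without the macro call; if the counts are identical, the macro body is not matching anything, which is exactly what the `AND` form produces.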
Which of the following should be the primary reference when designing a new playbook in Splunk SOAR?
A. Existing investigation actions
B. MITRE ATT&CK® framework
C. Existing Standard Operating Procedure
D. CIS Framework
Which Enterprise Security components provide enrichment to the Risk Framework?
An engineer notices that a detection is creating multiple findings (notables) for the same potential incident. Which setting can be adjusted to reduce the number of generated findings (notables)?
A. Correlation search priority
B. Adaptive response actions
C. Adaptive risk modifier
D. Correlation search throttling
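Throttling is the setting that collapses repeated results for the same potential incident into a single notable. In savedsearches.conf a correlation search throttles with `alert.suppress = 1`, `alert.suppress.fields = <comma-separated fields>` and `alert.suppress.period = <window>`: once a notable has been created for a given combination of the suppression fields, further results with the same values are dropped until the window expires. The following added example, not from the original page, simulates that behaviour over a constructed stream of correlation search results so the effect of the field list and window can be seen; the field names, addresses and timestamps are constructed.

```python
"""Added example: simulate Enterprise Security correlation search throttling.

Corresponds to, in savedsearches.conf (values are illustrative):
    alert.suppress = 1
    alert.suppress.fields = src,dest
    alert.suppress.period = 86400s
"""
from dataclasses import dataclass, field


@dataclass
class Throttle:
    fields: tuple            # alert.suppress.fields
    period: int              # alert.suppress.period, in seconds
    _last: dict = field(default_factory=dict)  # suppression key -> last notable time

    def key(self, result):
        """The combination of field values that defines 'the same incident'."""
        return tuple(result.get(f) for f in self.fields)

    def allow(self, result, now):
        """True if a notable should be created; False if it is suppressed."""
        k = self.key(result)
        last = self._last.get(k)
        if last is not None and now - last < self.period:
            return False
        self._last[k] = now
        return True


# Constructed results from repeated runs of one correlation search (not real
# data): _time in seconds, with the same src/dest pair recurring within a day.
RESULTS = [
    {"_time": 0,     "src": "10.1.1.5", "dest": "10.9.9.9"},
    {"_time": 300,   "src": "10.1.1.5", "dest": "10.9.9.9"},
    {"_time": 3600,  "src": "10.1.1.5", "dest": "10.9.9.9"},
    {"_time": 3600,  "src": "10.1.1.6", "dest": "10.9.9.9"},
    {"_time": 90000, "src": "10.1.1.5", "dest": "10.9.9.9"},  # next day: window expired
]


def notables(results, fields=("src", "dest"), period=86400):
    """Return the subset of results that would become notables under throttling."""
    t = Throttle(tuple(fields), period)
    return [r for r in results if t.allow(r, r["_time"])]


if __name__ == "__main__":
    print("no throttling :", len(RESULTS), "notables")
    print("src,dest / 1d :", len(notables(RESULTS)), "notables")
    print("dest only / 1d:", len(notables(RESULTS, fields=("dest",))), "notables")
```

The choice of suppression fields matters as much as the window: keying on `src,dest` keeps the second source host visible, while keying on `dest` alone silently hides it for the rest of the day. Pick the fields that actually identify one incident for that detection, and confirm the effect on real data with the same before-and-after count.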
Which of the following traces specific stages of an attack lifecycle?
A. OODA Loop
B. NIST 800-61
C. NIST Cybersecurity Framework
D. Lockheed Martin Cyber Kill Chain®
The SOC Manager requested a better method to standardize the list of tasks that analysts follow when they evaluate events or cases. Which Splunk SOAR feature allows the creation of SOPs based on criteria like the type of event or attack vector?
A. Workbooks
B. Events
C. Cases
D. Incidents
An engineer wants to track and report on all authentication to corporate assets, and wants to prioritize critical assets without significantly increasing the number of findings (notable events) generated. What process could be used to accomplish this goal?
A. Determine a general risk rule for all access attempts to all assets, and then increase the Risk Factor for critical assets.
B. Decrease the risk score of non-critical assets in all existing detections.
C. Add all access attempts to the Risk Index, and increase the Criticality of the critical assets.
D. Add the critical assets to the risk data model.
In order to perform a complete data assessment, an engineer's role within Splunk must have which of the following?
A. Access to Knowledge Objects.
B. The capability to edit macros.
C. The capability to create Correlation Searches.
D. Access to applicable indexes.
Which of the following identifies elements of the Detection Development Lifecycle (DDLC)?
A. Research, Develop, Document, Test, Deploy
B. Research, Design, Deploy, Validate
C. Design, Develop, Deploy, Monitor, Maintain
D. Design, Develop, Test, Deploy
When creating a detection that searches user activity across CIM-compliant data, which CIM field should be reviewed to ensure that data is aggregated appropriately?
A. userid
B. identity
C. srcUser
D. user
An engineer has been working on building a new automation for the SOC. What Scope should be selected in the SOAR Playbook Debugger during the playbook development to ensure consistency?
A. New Events
B. All Artifacts
C. New Artifacts
D. All Events
Which of the following is the most efficient search to return a list of all visible indexes and the sourcetypes contained within them?
A. index=* | stats count by sourcetype, index
B. index=* sourcetype=* | stats values(sourcetype) by index
C. | tstats values(sourcetype) where index=true
D. | tstats values(sourcetype) where index=* by index
Which of the following cURL commands would allow an engineer to disable, through the REST API, the saved search named TestSearchDevelopment that they have been using to test a detection?
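Correlation searches are saved searches, so the REST endpoint that disables one is `POST /servicesNS/<owner>/<app>/saved/searches/<name>/disable` on the management port (8089 by default); the curl form is `curl -k -u <user> -X POST https://<host>:8089/servicesNS/nobody/<app>/saved/searches/TestSearchDevelopment/disable`. The following is an added example, not from the original page, that builds and sends that request from Python with the standard library. The host, owner, app name (`SplunkEnterpriseSecuritySuite`) and credentials are assumptions; only the URL and request construction run offline, the actual call needs a reachable Splunk instance.

```python
"""Added example: disable a saved (correlation) search via the Splunk REST API.

Endpoint: POST /servicesNS/<owner>/<app>/saved/searches/<name>/disable
curl:     curl -k -u admin -X POST \
            https://splunk:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/TestSearchDevelopment/disable
Host, owner, app and credentials here are assumptions.
"""
import base64
import ssl
import urllib.parse
import urllib.request

DEFAULT_APP = "SplunkEnterpriseSecuritySuite"  # assumed app context for ES content


def disable_url(base, name, owner="nobody", app=DEFAULT_APP):
    """Build the /disable URL. The search name is percent-encoded with no
    'safe' characters because correlation search names usually contain
    spaces and ' - ', which must not be left raw in the path."""
    encoded = urllib.parse.quote(name, safe="")
    return f"{base.rstrip('/')}/servicesNS/{owner}/{app}/saved/searches/{encoded}/disable"


def build_request(base, name, user, password, **kw):
    """Prepare the POST with HTTP basic auth and JSON output; nothing is sent."""
    url = disable_url(base, name, **kw) + "?output_mode=json"
    req = urllib.request.Request(url, data=b"", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def disable_search(base, name, user, password, verify_tls=True, **kw):
    """Send the request and return the HTTP status (200 on success)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # the equivalent of curl -k; acceptable only for lab hosts
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_request(base, name, user, password, **kw)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline: show what would be sent for the search named in the question.
    req = build_request("https://splunk:8089", "TestSearchDevelopment", "admin", "changeme")
    print(req.get_method(), req.full_url)
    # To actually disable it on a real instance (assumed host/credentials):
    # print(disable_search("https://splunk:8089", "TestSearchDevelopment",
    #                      "admin", "changeme", verify_tls=False))
```

After the call, a GET on the same `saved/searches/<name>` path returns the entry with `disabled` set to 1, which is the check to run before assuming the test detection is no longer producing results. Disabling works in the app context given in the URL, so use the app the search lives in rather than `search`, and prefer a Splunk authentication token (`Authorization: Bearer <token>`) over a stored password for anything that runs unattended.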